Reducing your PCI DSS scope is an effective way to save costs on PCI audits. Officially, it is not required to segment the network or isolate systems that process, transmit or store credit card data. However, without proper network segmentation and isolation of cardholder data (“CHD”) systems, all systems connected to a network are in scope of the PCI DSS requirements. The more systems are in scope, the more work it takes to become compliant, since applying all the PCI DSS requirements is a labour-intensive process.
We believe it should be a major priority for IT managers.

 

Why should it be a priority?

 

Data, in general, poses a threat to anyone storing or processing it. Therefore: if you don’t need it, don’t store it! We often see parties that have a hunger for storing data without thinking about the risks involved. If an organization manages to decrease the amount of cardholder data in its possession, the impact of data loss is limited. This means:

  • Saving costs
  • Less stress
  • Regulation updates are less likely to affect processes
  • Security breaches are minimized
  • PCI compliance gets easier

 

Defining the CDE

 

The key step toward PCI DSS compliance is defining the cardholder data environment (CDE). Determining scope has become something of a pain point since the introduction of PCI DSS version 3.0. Subsequent versions introduced additional complexity by adding a new control requiring multi-factor authentication for any non-console administrative access into CDE systems, including systems like web applications.

 

Reducing PCI scope

 

Once you have a clear overview of the CDE, the following tips can help you reduce the scope.

1. Network isolation

One of the clearest ways to reduce scope is to allow a smaller number of devices to access the CDE. In general, the greater the number of devices that can access the CDE, the larger the administrative burden. However, reducing the number of devices with access is not always possible, because designated resources need access to the CDE to perform their daily duties.

Devices that are connected to CDE systems or that can impact the security of those systems are considered in scope from a PCI DSS perspective. The best way to reduce PCI DSS scope, and prevent increase of scope, is to physically and/or logically separate those devices from the rest of the systems in the environment. The benefit here is twofold:

• Provides a clear delineation between in scope and out of scope systems
• Identifies areas where controls need to be implemented to restrict access to the environment
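The effect of segmentation on scope can be checked against a flow inventory. The sketch below is an added example, not part of the original article: host names and flows are constructed, and it only models direct connectivity to CDE systems, not the broader "can impact the security" criterion.

```python
from collections import defaultdict
from itertools import permutations

def classify_scope(cde_hosts, allowed_flows):
    """Label every host 'cde', 'connected' (in scope) or 'out'.

    A host is 'connected' when an allowed flow links it directly to a
    CDE host, in either direction.
    """
    cde = set(cde_hosts)
    hosts = set(cde)
    peers = defaultdict(set)
    for src, dst in allowed_flows:
        hosts.update((src, dst))
        peers[src].add(dst)
        peers[dst].add(src)
    result = {}
    for host in sorted(hosts):
        if host in cde:
            result[host] = "cde"
        elif peers[host] & cde:
            result[host] = "connected"
        else:
            result[host] = "out"
    return result

def in_scope(result):
    """Hosts that carry PCI DSS requirements under this model."""
    return sorted(h for h, label in result.items() if label != "out")

# Constructed inventory (hypothetical host names).
CDE = {"payment-app", "payment-db"}
ALL_HOSTS = CDE | {"pos-01", "jump-admin", "hr-laptop", "print-srv", "mail-srv"}

# Flat network: every host may talk to every other host.
FLAT = list(permutations(sorted(ALL_HOSTS), 2))

# Segmented network: only the terminal and the admin jump host reach the CDE.
SEGMENTED = [
    ("pos-01", "payment-app"),
    ("payment-app", "payment-db"),
    ("jump-admin", "payment-db"),
    ("hr-laptop", "mail-srv"),
    ("hr-laptop", "print-srv"),
]

if __name__ == "__main__":
    print("flat:     ", in_scope(classify_scope(CDE, FLAT)))
    print("segmented:", in_scope(classify_scope(CDE, SEGMENTED)))
```

On the flat network all seven hosts are in scope; with the segmented rule set only the two CDE systems, the terminal and the jump host remain.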

2. Dedicated devices

An additional solution to minimize the scope of compliance is to utilize dedicated devices on isolated network segments that are only used to process cardholder payments or perform administrative functions within the isolated environment. These devices are typically found in the form of point of sale terminals in retail locations or call center workstations in the case of phone-based retail processes. These dedicated devices will interact with systems within the boundaries of the CDE and have no access to systems outside of the isolated CDE. The downside to this approach is the introduction of additional devices to maintain, potentially duplicating functionality between two environments (e.g., two anti-virus servers, two centralized logging servers, etc.). Depending on the payment processes and application workflows, this solution may be easier to achieve in some cases.

3. Tokenization

In many scenarios, a system may need to know that a legitimate card number has been provided but may not need to see or interact with the full 16 digits of the primary account number (PAN). In these scenarios, the PAN may be “tokenized” with little or no impact to the process or system that uses the token. The benefit of this tokenization is that only the systems that originally receive the PAN itself, the tokenization system, and any intermediate systems, are required to be in scope for compliance. Any other system that only stores or interacts with the token can be considered out of scope for compliance, if they are appropriately isolated from other card-processing systems. It is important to note that without proper segmentation and isolation, the token-handling systems may still be considered in scope, removing the main benefit of tokenization.
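A minimal sketch of the split described above, as an added example that is not from the original article: `TokenVault` stands in for the tokenization system that stays in scope, while the downstream order record holds only the token. The class, token format and the choice to keep the last four digits are assumptions of this example.

```python
import re
import secrets
import string

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for the tokenization system; it holds PANs, so it stays in scope."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        ok = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
        if not (ok and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan not in self._token_by_pan:
            # Random letters only: the token is not derived from the PAN.
            rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
            token = f"tok_{rand}_{pan[-4:]}"  # last four kept by choice in this example
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Reverse lookup; meant to be reachable only from inside the CDE."""
        return self._pan_by_token[token]

def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs, to check a record for leaked PANs."""
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [run for run in runs if luhn_valid(run)]

TEST_PAN = "4111111111111111"  # widely used test number, not a real card
vault = TokenVault()
# Constructed downstream record: it stores the token, never the PAN.
order_record = {"order_id": "A-1001", "card": vault.tokenize(TEST_PAN), "amount": "19.99"}

if __name__ == "__main__":
    print(order_record, "PANs found:", find_pans(str(order_record)))
```

Running `find_pans` over exports or logs of token-handling systems is one way to confirm that they hold tokens only.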

4. Point to Point Encryption

Point to point encryption (P2PE) can drastically reduce PCI DSS scope within the environment. Typically found in point of interaction (POI) devices, this technique will encrypt cardholder data directly at the terminal, and that data won’t be decrypted until it reaches the payment processor. The owner of the POI device doesn’t have access to the encryption keys, and therefore, you can consider the environment that encrypted data flows through to be removed from scope.
But remember: while this can help reduce the scope of your compliance efforts, all other credit card handling processes still need to be considered when defining the full CDE. For instance, if there’s a business process to write down cardholder information and then process that information later, your scope must include those processes and any associated systems.

Conclusion

Through the use of network isolation, dedicated devices, tokenization, P2PE or a combination, merchants can effectively reduce the scope of their CDE while still providing essential business functions. Each of these approaches should be considered when evaluating the total cost of PCI DSS compliance and will help reduce the costs of PCI scope.

Fortytwo Security’s PCI compliance services can help your organization in many ways. Contact us to see what we can do for you.
