As networks become more complex, ensuring your organization is PCI compliant can become daunting. Add to that the squeeze on resources and budget many organizations are facing and it’s not surprising to see an increased interest in learning how to reduce your compliance burden by limiting your PCI scope.
What is PCI scope?
The PCI Security Standard Council defines scope as, “all system components that are located within or connected to the cardholder data environment.” This includes all the people, processes and technology needed to securely handle, process, send and store cardholder data. Working to reduce the number of elements cardholder data touches can help you reduce scope along with the associated workloads and costs.
4 tips to reduce your PCI scope
Understand cardholder data flow: The first and most important step in reducing scope is taking the time to understand and map how cardholder data flows through your environment. Knowing all the points of collection/entry, processing, storage and exit will allow you to map the scope in place today and recognize opportunities to improve the flow.
Use network segmentation: While not a PCI DSS requirement, segmenting the systems that handle cardholder data from those that don’t is a great way to reduce scope. Segmentation also improves your overall security, since access is limited to trusted system components; should another part of your environment become compromised, the cardholder data components remain isolated from it. Note that where segmentation is relied on to reduce scope, PCI DSS requires that its effectiveness be verified by segmentation penetration testing at least annually.
If you don’t need it, don’t store it: Limit the storage of cardholder data within your environment and, where possible, either truncate the cardholder data (store only the first six and last four digits of the card number) or tokenize it (remove the primary account number (PAN) from your internal network and replace it with a randomly generated, unique placeholder called a token). The less data you store, the smaller your scope!
Consider Point-to-Point Encryption: To further reduce scope, a PCI-validated Point-to-Point Encryption (P2PE) solution can be used to segregate your PIN pad from the rest of your environment. As the P2PE solution is managed by a third-party provider, the responsibility for the PCI compliance of the encryption solution itself falls to that provider.
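To make the truncation and tokenization tip concrete, here is an added example (not TELUS code or any vendor's product) showing what a merchant-side order record keeps once the PAN is either truncated or replaced by a token. The `TokenVault` class is an assumed, in-memory stand-in for a tokenization service; in a real deployment the vault sits with the tokenization provider or in a hardened, in-scope enclave, and only the token ever reaches the rest of the network. The sample card numbers are constructed, industry-standard test numbers.

```python
import secrets

# Constructed sample PANs: standard test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Cheap sanity check that a string is shaped like a PAN before we handle it."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle digits are discarded.

    Truncated data is no longer considered cardholder data, so a record holding
    only this form can live outside the cardholder data environment.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Assumed stand-in for a tokenization service (hypothetical helper).

    Tokens are random, not derived from the PAN, so holding a token (or the
    whole token table without the vault) reveals nothing about the card number.
    A real vault would encrypt its PAN storage and live outside the merchant network.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a unique token for the PAN; the same PAN always maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and the in-scope systems allowed to call it) can map back to a PAN."""
        return self._by_token[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant-side order record keeps: a token and a truncated PAN, never the PAN."""
    return {
        "token": vault.tokenize(pan),
        "pan_display": truncate_pan(pan),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(store_order(vault, pan, 1999))
```

The point of the two representations is that neither one is cardholder data: the truncated form can be shown on receipts and used for customer lookups, and the token can be used for refunds or recurring billing by any system that is allowed to call the vault, while the full PAN is confined to the vault itself.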
If you’re looking for help to reduce your PCI burden, TELUS can guide you in reducing your PCI scope. TELUS Cyber Security has been a Qualified Security Assessor Company (QSAC) since 2006 and has experience performing PCI engagements ranging from full on-site Report on Compliance assessments (ROCs) to assisting clients in completing their Self-Assessment Questionnaires (SAQs), and everything in between. Our QSAs are located across Canada and are ready to support you with all your PCI needs.
For advice on reducing your PCI scope, please reach out to us here.