The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to provide regulatory guidelines that secure customer data and enhance global security, which ultimately helps merchants succeed in their businesses.
Yet, for many organizations, it can be confusing to know if they’re fully compliant and frustrating to keep up with changing standards, especially when they’re partnering with vendors to manage operations.
One way to approach PCI DSS compliance is to better understand PCI scoping and how to define different aspects of your data environment. With the proper information about what scoping is and how to define a PCI scope, retail organizations can reduce compliance and operations costs, and avoid the potential penalties.
Scoping as defined by the PCI DSS requirements identifies the “people, processes, and technologies that interact with or could otherwise impact the security of CHD [cardholder data].” Essentially, any components of a system related to CHD that fall under PCI DSS. These components include the flow of cardholder data environment (CDE), and any other components that are connected to the system or support it.
Within PCI scoping there are three distinct ways that CHD is managed:
To accurately access and define a PCI DSS scope, organizations need to create a data flow map to assess how CHD moves through a system. This helps organizations see which parts of that system need proper security in addition to remaining compliant. Examples of components are those that make a network connection to a system are:
There are a number of reasons PCI scoping is important, but ultimately, the goal is protection. That protection includes the CHD, the organization’s network, and vendors. Everything that falls under PCI scope is a potential attack surface, or a place where cybercriminals can access the CDE and steal information.
With accurate scoping, organizations can:
The process of identifying what falls under PCI scope also helps organizations identify those areas that aren’t in scope, known as “descoping.” The process of descoping allows organizations to minimize the security controls needed to protect the CDE. Descoping can involve the following:
So, how can your organization reduce PCI scope to be more efficient and secure? The following sections will offer tips to help you descope relative to your CDE and build a stronger system.
There are a number of effective strategies to reduce PCI scope which involves limiting access to CHD and where it’s transmitted. A combination of the following strategies, which are offered with secure remote access tools, can be an effective way to enhance your security and ensure total compliance.
Network segmentation involves separating (or isolating) the different devices and users that interact in the network to limit interaction with CHD. It helps keep out-of-scope components separate from those that are in PCI scope. While it isn’t required under PCI DSS, it’s recommended as a way to effectively support a system.
A few examples of network segmentation are:
An example of network segmentation in practice is separating a medical device from a specific network to prevent devices from being affected by visitor web browsing.
Benefits of network segmentation include:
It’s important to note that encryption does not necessarily mean that PCI DSS standards can be removed from a specific environment, or that that environment is out of scope. Since encrypted environments still contain CHD, they fall under PCI DSS requirements.
Encrypting with strong cryptography is an acceptable way to meet PCI DSS requirement 3.4 but may not be enough to keep CHD fully out of scope. Since an organization (on-premise) has the encryption keys stores in their system, it technically means that CHD is accessible if a cybercriminal was able to hack into the system. If a vendor holds the encryption keys, it may reduce PCI DSS scope.
For on-premise encryption to reduce scope and remain compliant, an organization has to use point-to-point encryption (P2PE). This involves securing data from the moment it’s captured to its endpoint where it will be stored. This secures all CHD data that goes into hardware like a PIN pad, or other POS devices. Using P2P encryption, even on devices that are out of PCI scope provides the most security.
Benefits of P2PE for your system include:
Tokenization is a means of taking sensitive data, like CHD, and turning into tokens that aren’t sensitive, effectively removing it from your system. Since tokenized data isn’t technically data anymore, it’s no longer considered in-scope because it’s not storing, processing, or transmitting actual CHD. While tokenization is helpful, it doesn’t necessarily guarantee that your system is compliant so check specific standards to make sure you’re complying with all necessary standards.
To properly secure this data, tokenization should happen outside of your system so that it never touches any aspect of your environment. This allows organizations to remove their networks from PCI scope and remain compliant. The sooner tokenization happens in the CHD journey, the more likely you are to reduce scope.
Benefits of tokenization include:
Retailers use vendors for a number of different reasons and one of those is outsourcing PCI compliance solutions. Since maintaining on-premise PCI compliance can be complicated and expensive, it’s sometimes helpful to allow a PCI-compliant vendor to assume certain functions as a partner to your organization.
One example of this is POS remote access. A compliant, effective remote access tool allows you to consolidate security solutions for devices and networks with one tool to provide high-quality protection from data breaches and threats to CHD. Some of the benefits of using compliant secure remote access are:
While this may help reduce scope, it may not eliminate it. Additionally, it’s important to check that any vendor you are considering can provide evidence of their PCI compliance. Partnering with vendors can be costly, but it may also reduce costs related to PCI scope and be more secure than your own environment. If you’re saving money from reducing PCI compliance, the cost of a vendor may be worthwhile.
As you consider PCI compliance for your organization and reducing PCI scope, there are a few myths to be cautious of before choosing products and services. This can be especially important for smaller organizations that may be overwhelmed by the numerous options available and the overwhelming about of PCI requirements. The following are a few common myths:
There are 12 PCI DSS requirements for organizations to meet, but there are not many vendors that can meet all 12. They address certain aspects of your system and PCI compliance, and can be viable solutions for reducing certain parts of PCI scope, but you still have to look at security for your whole system.
Merchants and vendors need to find compliant tools to address each of the 12 requirements rather than one catch-all answer to PCI compliance.
Cybersecurity and protecting CHD goes beyond PCI compliance. While it is certainly an important part of your security protocols, cybercriminals are continually finding new ways to access systems and PCI standards have to change to adjust. One successful completion of PCI assessment doesn’t ensure compliance or safety moving forward.
One way to support your system as standards change is to choose tools that exceed compliance. Whether it’s remote access software, hardware, or IT services, the only way to ensure compliance is to make sure your partners are capable of addressing changes to PCI standards.
It’s suggested by PCI DSS and payment card companies to NOT store CHD if you’re a merchant. You’re actually not permitted to store data from the magnetic strip on cards and any information from the front of the card has to be encrypted per PCI DSS standards.
Some merchants aren’t required to have on-site assessments to confirm PCI compliance, so an SAQ can satisfy PCI scope at that time. But as standards change and you rely on different tools and services, your system will require continuous passements to ensure compliance and total security.
Remaining PCI compliant essential for your organization’s security and to avoid potentially large fines. A 2018 Cost of a Data Breach Study from the Ponemon Institute found that the average cost of a data breach around the world was $3.86 million, which was up from the previous year. With that kind of trajectory, one may expect that fines could continue to rise as PCI standards updates occur.
Staying on top of changing standards, whether for PCI scoping or other regulatory bodies, is not only a legal matter, but a security one. If you need a secure remote access solution, look no further than Netop Remote Control. With our software, you can rest assured that your devices, platforms, and networks are secure no matter where you’re connecting from. Contact us today for a trial to learn how we can support you in remaining PCI compliant.
© Copyright 2000-2023 COGITO SOFTWARE CO.,LTD. All rights reserved
