
How to determine and reduce PCI DSS scope

jun 27, 2022


PCI DSS compliance process

The journey towards PCI compliance is not always straightforward. The PCI compliance process is oftentimes very costly and requires a lot of resources. Many organizations also struggle to understand which systems need to be protected and must meet the PCI DSS requirements. Defining scope is a critical process. So how do you define PCI DSS scope? And are there ways to reduce it?

The security standard PCI DSS applies to all entities that store, process, and/or transmit cardholder data. The PCI SSC (Payment Card Industry Security Standards Council) lists the following steps in the compliance process.

  • Scope
  • Assess
  • Report
  • Attest
  • Submit
  • Remediate

The first step in the PCI DSS process is to determine which components and networks are in scope for PCI DSS. The PCI scoping exercise should be done annually and prior to any PCI DSS assessment.

What is PCI scope?

PCI scope is how the PCI Council defines which parts of your environment have to meet the requirements of PCI DSS. In scope for PCI DSS are all the system components that are connected to or located within the cardholder data environment (CDE).

According to PCI DSS, the cardholder data environment is comprised of the people, processes, and technology that handle cardholder data or sensitive authentication data. In this context, handle means to store, process, and/or transmit cardholder data. This means that if your company has assets that store, process, or transmit payment card data, they are in scope. The first step towards PCI compliance is therefore to accurately identify the system components that store, process, or transmit payment card data.

How do you determine what is in scope?

Best practice when determining scope is to assume that everything is in scope until proven otherwise. Start by identifying the flows of cardholder data, as well as the locations where cardholder data is stored. You should also identify all system components that are connected to the cardholder data environment. These can include servers, applications, virtual machines, routers, and other physical or virtualized components.

Systems located within the Cardholder Data Environment are in scope, regardless of their function. Systems that connect to systems within the Cardholder Data Environment are also in scope, regardless of their purpose. In a flat network, all systems are in scope if any system stores, processes, or transmits cardholder data.

A common mistake is assuming that systems outside the cardholder data environment are automatically out of scope. This is not always true. If a system, even if not directly connected, could impact the security of the CDE if compromised, it must be included in scope.

When is a system out of scope?

A system is considered out of scope when it is fully isolated from the Cardholder Data Environment. This means that even if the system were compromised, it would not affect the security of the CDE.
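As an added illustration that is not part of the original post, the scoping rules above (everything located in the CDE regardless of function, anything with a permitted flow to the CDE, anything whose compromise could impact CDE security, and every system in a flat network) applied to a constructed asset inventory and firewall policy; all system names and attributes are assumptions for the example:

```python
# Constructed inventory (not from the post): "segment" is the network zone,
# "handles_chd" whether the system stores, processes or transmits cardholder
# data, "impacts_cde" whether its compromise could affect CDE security even
# without a network path (e.g. it pushes patches or credentials into the CDE).
SYSTEMS = {
    "pos-terminal": {"segment": "cde",  "handles_chd": True,  "impacts_cde": False},
    "payment-app":  {"segment": "cde",  "handles_chd": True,  "impacts_cde": False},
    "cde-logger":   {"segment": "cde",  "handles_chd": False, "impacts_cde": False},
    "jump-host":    {"segment": "mgmt", "handles_chd": False, "impacts_cde": False},
    "patch-server": {"segment": "corp", "handles_chd": False, "impacts_cde": True},
    "hr-portal":    {"segment": "corp", "handles_chd": False, "impacts_cde": False},
    "wiki":         {"segment": "corp", "handles_chd": False, "impacts_cde": False},
}

# Constructed firewall policy: the only flows the segmentation controls permit.
ALLOWED_FLOWS = [("jump-host", "payment-app"), ("hr-portal", "wiki")]


def classify_scope(systems, allowed_flows, flat_network=False):
    """Return {system: reason} for in-scope systems; the rest are out of scope."""
    if flat_network and any(s["handles_chd"] for s in systems.values()):
        # No segmentation: one CHD-handling system pulls everything into scope.
        return {n: "flat network with cardholder data present" for n in systems}
    # Everything in a segment that holds CHD is in the CDE, whatever its function.
    cde_segments = {s["segment"] for s in systems.values() if s["handles_chd"]}
    scope = {n: "located in the CDE" for n, s in systems.items()
             if s["segment"] in cde_segments}

    # Walk permitted flows outward from the CDE (treated as bidirectional):
    # a system reachable from the CDE stays in scope until isolation is proven.
    neighbours = {n: set() for n in systems}
    for a, b in allowed_flows:
        neighbours[a].add(b)
        neighbours[b].add(a)
    pending = list(scope)
    while pending:
        current = pending.pop()
        for nxt in neighbours[current]:
            if nxt not in scope:
                scope[nxt] = f"permitted flow to CDE system {current}"
                pending.append(nxt)

    # Out-of-band security impact counts too, even with no network flow.
    for n, s in systems.items():
        if s["impacts_cde"] and n not in scope:
            scope[n] = "compromise could impact CDE security"
    return scope
```

Run against the inventory above, the corporate systems that only talk to each other drop out of scope, while the jump host (permitted flow) and patch server (security impact) stay in; with `flat_network=True` every system is in scope.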

How do you reduce PCI DSS scope?

The more systems, processes, and complexity in your IT environment, the more difficult and expensive it becomes to achieve and maintain PCI compliance. Once you have identified what is in scope, reducing that scope should be a priority.

Reducing scope can lower compliance costs, reduce operational burden, and minimize the risk of security breaches. While no single technology can eliminate all PCI DSS requirements, there are several effective methods to significantly reduce scope.


Network segmentation

Network segmentation involves isolating the cardholder data environment from the rest of the network. The goal is to prevent out of scope systems from communicating with or impacting systems within the CDE.

Tokenization

Tokenization replaces sensitive cardholder data with non-sensitive values known as tokens. These tokens are randomly generated and have no exploitable value. Since tokenized data is not considered cardholder data, systems handling only tokens can be removed from scope.

Point-to-Point Encryption (P2PE)

P2PE protects payment data by encrypting it at the point of interaction, such as when a card is swiped, and keeping it encrypted until it reaches a secure decryption environment. This reduces the risk of data exposure and lowers the number of applicable PCI requirements.

Outsourcing

Using PCI compliant vendors can significantly reduce scope. By outsourcing to certified providers or using PCI compliant cloud platforms, organizations can offload parts of the compliance burden.

In some cases, this may reduce the requirements to completing a Self-Assessment Questionnaire (SAQ) and relying on the vendor’s compliance documentation.

However, it is important to evaluate both cost and security. The vendor must maintain security standards equal to or higher than your own organization.
