How to Reduce PCI DSS Scope

May 24, 2024 | News

As long as payments have existed, so too has the need to secure them. From bank vaults and cash registers to the data protection technologies we use to safeguard digital transactions today, security methods continue to evolve. In this ongoing pursuit to protect payments from theft and fraud, card brands have established guidelines for ensuring organizations handle sensitive payment data properly. The most prominent of these requirements is the Payment Card Industry Security Standards Council’s (PCI SSC) Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS compliance is required of any organization that wishes to process, store, or transmit cardholder data issued by the five major card brands. This stipulation is simple enough, but the compliance process itself is a complicated task. PCI DSS compliance is an ongoing endeavor that requires organizations to regularly maintain and assess their network systems to ensure they are meeting the latest compliance obligations of the payments industry.

An effective way to ensure you’re meeting compliance obligations as efficiently as possible is to simplify your cardholder data environment (CDE). This is primarily done by reducing the amount of cardholder data (CHD) in your systems—and in turn, the scope of PCI DSS controls within your network. This can be accomplished in myriad ways.

What is PCI Scope?

Scope is the portion of your organization’s environment that includes not just technology but the people and the processes that are involved in the storing, processing, and transmitting of credit card data. The parts of your systems that are in scope are known as the cardholder data environment (CDE).

PCI DSS scope applies to all systems that are connected to or could impact the security of the CDE, such as authentication servers, patch servers, AV firewalls, routers, cryptography systems, and more. It also includes call center operators, IT personnel, human resources employees, and anyone else who has access to card data.

What is Descoping?

Descoping is the concept of minimizing an organization’s compliance scope by reducing the number of security controls applicable to its environment. The people, processes, and technology not involved in the storage, processing, or transmitting of payment card account data are out of scope for PCI DSS. So, by limiting the number of people, processes, and technology that interact with payment data, organizations can reduce their scope

In addition to simplifying compliance and reducing cost, descoping also minimizes your attack surface. The PCI DSS designates certain areas of your environment as in scope because they pose serious security risks. By removing those areas from scope, in effect, they’re no longer considered a risk, reducing the negative potential impact associated with a breach.

Benefits of Descoping

  • Reduce the financial cost associated with PCI DSS audits
  • Reduce the time needed to perform the PCI DSS audit
  • Reduce the level of effort to implement and maintain the controls necessary for PCI DSS compliance
  • Reduce the impact of a potential data breach

What is Considered in PCI Scope?

The scope of an organization’s environment is the extent to which payment card data exists within its systems. Any portion of a network that stores, processes, or transmits payment card data is considered to be within the scope of PCI compliance. The best way to determine this is to perform a scoping exercise.

This entails creating a data flow that maps how payment data travels through your environment. From there, you can see who and what is interacting with cardholder data and where those interactions are occurring. In the process, you will identify which assets along the data flow are in scope and therefore need to be examined to ensure security and compliance.

How to Reduce PCI DSS Scope

Descoping a data environment by decreasing the amount of CHD traversing is one of the simplest and most effective ways of complying with the PCI DSS. Often, organizations choose to meet PCI requirements by utilizing a combination of segmentation and encryption, but tokenization has emerged as a simpler scope-reducing alternative with minimal disruption to vital operations and business intelligence.

Cloud-based PCI tokenization even outsources the handling of sensitive payment information to security experts, further reducing compliance and operational costs while mitigating the risk and liability associated with a potential data breach. Let’s examine a few common examples of techniques for reducing scope.

Network Segmentation

Network segmentation is the process of separating your computing assets, either logically or physically, so cardholder data interacts with as few of your network-attached resources as possible. After segmenting the portion of your environment that interacts with payment card data, all cardholder data ideally would be stored in a network isolated from your other business applications and systems. This ensures that only a limited number of computing assets and environments are in scope.

Common methods of network segmentation include firewalls, virtual local area networks (VLANs), and routers, but the effectiveness of these solutions can be limited by an increasingly mobile environment that enables employees to access sensitive information from multiple devices and locations. As such, the process of segmentation has become increasingly complex, difficult, and expensive.

Encryption

Encryption uses mathematical algorithms with cryptographic keys to encrypt and decrypt data. Asymmetric algorithms use a pair of public and private keys, whereas symmetric algorithms use a single key for encryption and decryption.

Encryption can protect sensitive data, but it does not reduce scope unless a secure third party manages the aforementioned encryption keys. If you possess the keys or store them in your environment, then a breach of your system could potentially make them available to hackers. Thus, all of the CHD encrypted by keys stored in your system is still in scope.

However, on-premises encryption can reduce scope when it is deployed in the form of point-to-point encryption, which ensures the immediate security of all the payment data entered via card swipes or a PIN-pad device. This is a useful application for point-of-sale systems and call centers.

Tokenization

Tokenization is the process of converting sensitive data into nonsensitive, mathematically unrelated data called tokens. Once data is tokenized, it is no longer considered cardholder data, so a placeholder token can flow through your environment without bringing any of the elements that store, process, or transmit it into scope.

Ideally, tokenization occurs outside of your environment so cardholder data in its original, sensitive form is never introduced. If this is the case, organizations can virtually remove their networks from scope and greatly increase the likelihood that they’ll be able to maintain compliance between annual assessments.

To push compliance boundaries out to the farthest edge of your environment, you can use technologies such as load balancers to tokenize data at the earliest point in the payment card acceptance process, maximizing the reduction of scope. Additionally, tokenization requires neither the key management of encryption nor the significant infrastructure costs of network segmentation.

PCI Descoping Example: Cloud-based Tokenization

Ecommerce or mail-order/telephone-order merchants who outsource all cardholder functions to validated third parties are eligible for an SAQ A or an SAQ A-EP. An SAQ A contains 22 controls, compared to the more than 300 controls for the full PCI DSS. This represents the maximum scope reduction available with cloud-based tokenization.

Qualifying for an SAQ A

  • Use a hosted iFrame or payments page provided by a validated service provider to capture and tokenize CHD
  • Do not transmit, process, or store CHD via any other acceptance channel
  • Utilize payment services of tokenization provider to process transactions
  • Maintain appropriate policies and procedures

Our goal is to tokenize as early as possible within acceptance channels to keep cardholder data from ever entering an organization’s systems. So if we can replace that card number with a token before it ever touches your environment, we’re essentially removing your environment from scope.

However, even if you outsource all cardholder data to a PCI service provider, some compliance obligations still remain. For example, if you’ve removed all sensitive cardholder data from your environment–maximizing your reduction of PCI scope–you’ve successfully exempted yourself from all technical controls, but the controls concerning people and processes (requirements 2, 8, 9, and 12) will still apply to your organization.

IXOPAY: Tokenization for PCI Descoping

When beginning your organization’s journey to PCI compliance, you can save yourself significant time, money, and effort by pursuing a descoping solution. This efficient and effective method for compliance uses proven techniques for segmentation and data minimization to isolate sensitive data and to store only what is absolutely necessary.

Of the descoping technologies available, tokenization offers maximum scope and risk reduction by emphasizing a data-centric approach to security and compliance. It also preserves much of the business utility of the original data while minimally disrupting your existing processes. Cloud-based models in particular provide the greatest scope-reducing potential, so contact IXOPAY today to learn more.