Scope is Fundamental to PCI DSS Compliance


Bil Bragg, CTO, Dionach by Nomios

5 min. read

PCI DSS is the card payment security standard that organisations need to comply with when they store, process or transmit cardholder data, or when they may influence the security of cardholder data. PCI DSS has over 300 prescriptive requirements, many of which may apply to assets connected to any system that touches cardholder data.

The cardholder data environment (CDE), any connected systems, and any systems that influence the security of the environment are in scope for PCI DSS. The level of PCI DSS compliance you require is determined by the number of card transactions you process annually. Level 1 merchants are organisations processing more than 6 million transactions annually and are required to complete a fully independent assessment and Report on Compliance. For merchants processing fewer than 6 million transactions, a lower level of compliance reporting is required, depending on the card brands you deal with. How you take card payments can also reduce the number of requirements you need to comply with, if you meet the criteria for a given type of Self-Assessment Questionnaire (SAQ).

Understanding the scope and how to reduce it is vital to reducing the overall compliance burden, the risk of a breach, and compliance costs. A smaller scope gives the business more flexibility and allows it to be more agile. For most organisations, taking card payments is not their core business, so a smaller compliance burden means more resources for the business. Some businesses struggle to achieve and maintain compliance with PCI DSS unless they reduce scope first. Scope reduction can be the difference between your entire network of thousands of assets being in scope and a segregated area of sometimes fewer than 10 assets being in scope. The impact of scope reduction is paramount.

PCI DSS Scope Review

When Dionach by Nomios PCI Qualified Security Assessors (QSAs) start a PCI DSS scope review, we look at the current payment channels such as telephone payments, ecommerce, retail, and even mail order. There may be other ways that organisations are handling account data, for example for fraud checks. Dionach will talk to different teams, including finance, IT, call centre staff, retail, ecommerce, and software developers. This gives Dionach an understanding of existing account data flows and their context, which may include networks, VoIP, cloud services, devices, virtual terminals, paper, and laptops.

We’ve found that every organization takes payments or processes cardholder data in different ways, with different sizes, cultures, and cardholder demographics.

We need to understand the business and business processes involved in card processing to ensure we can provide meaningful options for scope reduction, as some options will involve changes to business processes. The recommendations for scope reduction for one organization that takes occasional telephone payments will be different from another organisation with several call centres.

Scope can be reduced in different ways. An organisation can try to change specific payment channels to meet self-assessment questionnaire criteria, such as SAQ A (29 PCI requirements) for ecommerce payments with an iframe or redirect, or SAQ P2PE (21 PCI requirements) for payment terminals that are part of a P2PE validated solution.

An organisation can stop storing cardholder data, for example by implementing a tokenization solution or by reviewing whether it really needs to store cardholder data at all. This can reduce the applicable requirements and remove systems from scope altogether.

An organisation taking telephone payments can use a Dual-Tone Multi-Frequency (DTMF) masking solution provider that is PCI DSS compliant and look to meet the requirements of SAQ A. As VoIP would otherwise be in scope for PCI DSS requirements, DTMF is a good solution for call centres because it takes VoIP out of scope.

An organisation can isolate the cardholder data environment to remove connected networks and systems from PCI DSS requirements. This is challenging, as the CDE does need to be genuinely isolated for connected systems to drop out of scope. The effect is to reduce the number of system components, and so the overall compliance requirements.
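To make the scoping rules above concrete, here is an added example (not code from the article or from Dionach) that models a small asset inventory and applies the three rules the article gives: systems handling cardholder data form the CDE, systems with network connectivity to the CDE are connected-to systems, and systems that can affect the security of the CDE are in scope regardless of connectivity. All asset names and firewall links are constructed sample data, and the model then applies a segmentation change to show how many components fall out of scope.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not a real environment).
# "chd" marks systems that store, process or transmit cardholder data;
# "security_impacting" marks systems that can affect CDE security even
# without touching card data (directory services, patching, logging).
ASSETS = {
    "web-checkout":  {"chd": True,  "security_impacting": False},
    "payment-db":    {"chd": True,  "security_impacting": False},
    "ad-domain-ctl": {"chd": False, "security_impacting": True},
    "patch-server":  {"chd": False, "security_impacting": True},
    "hr-portal":     {"chd": False, "security_impacting": False},
    "file-share":    {"chd": False, "security_impacting": False},
    "dev-jenkins":   {"chd": False, "security_impacting": False},
}

# Constructed reachability before segmentation: an undirected link means
# firewall rules allow traffic between the two systems (a flat network).
FLAT_NETWORK = {
    ("web-checkout", "payment-db"),
    ("web-checkout", "ad-domain-ctl"),
    ("payment-db", "ad-domain-ctl"),
    ("web-checkout", "patch-server"),
    ("payment-db", "hr-portal"),
    ("payment-db", "file-share"),
    ("hr-portal", "file-share"),
    ("file-share", "dev-jenkins"),
}


def neighbours(links):
    """Build an adjacency map from the set of undirected links."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def classify_scope(assets, links):
    """Return {asset: category} using the article's three scoping rules."""
    adj = neighbours(links)
    cde = {name for name, attrs in assets.items() if attrs["chd"]}
    scope = {}
    for name, attrs in assets.items():
        if name in cde:
            scope[name] = "CDE"
        elif attrs["security_impacting"]:
            scope[name] = "security-impacting"
        elif adj[name] & cde:          # direct connectivity into the CDE
            scope[name] = "connected-to"
        else:
            scope[name] = "out-of-scope"
    return scope


def in_scope(scope):
    """Sorted list of every system that is not out of scope."""
    return sorted(name for name, cat in scope.items() if cat != "out-of-scope")


def segment(links, assets, allowed_non_cde):
    """Model a segmentation change: drop every link that crosses the CDE
    boundary unless the non-CDE end is an explicitly permitted service."""
    cde = {name for name, attrs in assets.items() if attrs["chd"]}
    kept = set()
    for a, b in links:
        crosses = (a in cde) != (b in cde)
        if not crosses or a in allowed_non_cde or b in allowed_non_cde:
            kept.add((a, b))
    return kept


if __name__ == "__main__":
    before = classify_scope(ASSETS, FLAT_NETWORK)
    print("Before segmentation:", in_scope(before))
    segmented = segment(FLAT_NETWORK, ASSETS, {"ad-domain-ctl", "patch-server"})
    after = classify_scope(ASSETS, segmented)
    print("After segmentation: ", in_scope(after))
```

On the flat network the HR portal and file share are connected-to systems purely because the firewall allows them to reach the payment database, so six of the seven systems are in scope. After the segmentation change only the two CDE systems and the two shared security services remain, which also shows the limit of segmentation on its own: directory and patching services that can affect the CDE stay in scope until they are either dedicated to the CDE or replaced by a provider with an Attestation of Compliance covering them.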

An organisation can use cloud service providers that have a PCI DSS Attestation of Compliance (AoC). It is important to check that the services used for the CDE are listed in the AoC. As an example, the cloud service provider may provide SaaS, IaaS or PaaS services that it has responsibilities for, and therefore some PCI DSS compliance requirements sit with the cloud service provider. This can range from physical security for IaaS to operating system configuration and security updates for PaaS. The organisation needs to carefully check the PCI DSS responsibility list or matrix for each cloud service provider.

These examples are just some of the options that Dionach will put in a scope review report. It is important to complete a scope review, understand the options, select impactful options, and then implement the necessary changes. This should be done before completing a gap assessment or prioritized approach against PCI DSS, as there may be fewer requirements, and a different scope when the time for a gap assessment comes.

The scope review report will also highlight any high-risk areas, for example if account data is being stored, or ecommerce websites are directly processing account data. Organizations are sometimes not aware that some of their systems are storing or processing account data.

Let’s Chat

Dionach by Nomios have enjoyed helping organisations of different types and sizes with their PCI DSS scope, by understanding how they take card payments or use card data, understanding their business processes, and then helping them choose the options that are right for the organisation.

To help you with PCI DSS compliance, our expert team can provide a scope review and follow up with a gap assessment against PCI DSS 4 requirements. We can then assist with completing a Self-Assessment Questionnaire or Report on Compliance, as appropriate.

About our Guest Author


Bil Bragg is the CTO at Dionach by Nomios, leading the Governance, Risk, and Compliance (GRC) Team. As an ISO 27001 Lead Auditor, PCI QSA, and PCI 3DS Assessor, he specialises in cybersecurity strategy, compliance programs, and measuring cybersecurity performance. With a strong background in software development and penetration testing, Bil brings deep technical expertise to GRC assurance and consultancy.
