Reducing your PCI scope not only makes your customers’ data more secure, it can also reduce workload and cut compliance-related costs. But how can your organization meet compliance and shrink its scope? Brent Johnson, PCI expert and Chief Information Security Officer for Bluefin, weighs in on common PCI pitfalls, tips for reducing PCI scope, and how to prepare for PCI DSS v4.0.
Common PCI Compliance Mistakes
“PCI comes into scope whenever you are storing, processing or transmitting cardholder data,” explains Johnson. The people, processes, and technology that an organization uses to store, process or transmit cardholder data make up the cardholder data environment (CDE) — and they all fall within scope.
“Allowing connections from an environment that has no need to communicate with an in-scope environment is one of the most common scope-expanding mistakes organizations make,” says Johnson.
For example, many organizations allow their customer service representatives, marketing teams, and others to handle sensitive data, widening both their scope and their risk in the event of a data breach. “The concept of least privilege should always be applied, and only personnel with a business need should be handling cardholder data,” says Johnson.
“Flat networks are also highly at risk,” Johnson adds. Upfront, a flat network in which all devices exist on the same network segment may be cheaper to install and simpler to operate. But while a flat network may help reduce complications, it conversely increases PCI scope, security concerns and associated costs.
Finally, many smaller businesses that handle cardholder data are also at risk of violating compliance standards. “Small, mom-and-pop level four merchants should be considering PCI scope, but many times, the self-assessment questionnaire simply becomes a ‘check the box’ exercise for these organizations. But even the smallest companies need to follow PCI standards to mitigate the risk of data breaches and fraud.”
Tips for Reducing PCI Scope
In the simplest terms, the best way to reduce PCI scope is to decrease the number of eyes on cardholder data. According to Johnson, one of the most effective ways to accomplish that is network segmentation. “Segmenting off networks and systems from those which aren’t necessary for storing, processing, transmitting, or affecting the security of cardholder data is key.”
Along with reassessing which departments and employees need access to sensitive data to do their jobs, organizations with a flat network should consider a segmented architecture. Not only will this reduce an organization’s PCI footprint, it will also make it harder for an attacker who gets into one part of the network to reach cardholder data.
It’s also important to be mindful of any partners that you work with. “When you bring in a third-party contractor or vendor environment that connects to yours, their employees and their systems are in scope for your environment,” says Johnson. “Additionally, your scope is also extended into their environment, so care must be taken to ensure the appropriate PCI-DSS controls are met for their systems and their environment.”
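The scoping logic behind the segmentation and third-party points above, as an added example that is not Bluefin’s code: a system is in scope if it is in the CDE or has a permitted network path to something already in scope, so a flat network pulls everything in while a segmented one keeps unrelated systems out. The inventory, segment names and flows are constructed and hypothetical.

```python
from collections import deque

# Constructed inventory (hypothetical names): system -> network segment.
SYSTEMS = {
    "pos-terminal": "cde",
    "payment-gateway": "cde",
    "crm": "corp",
    "marketing-wiki": "corp",
    "vendor-vpn-gw": "vendor",  # third-party contractor's connection
}
CDE_SYSTEMS = {name for name, seg in SYSTEMS.items() if seg == "cde"}


def in_scope(cde, allowed_flows):
    """Return the set of systems in PCI scope.

    allowed_flows holds (src, dst) pairs the firewall/ACLs permit. A system
    is in scope if it is in the CDE or has a permitted flow, in either
    direction, with a system already in scope (applied transitively)."""
    neighbours = {}
    for src, dst in allowed_flows:
        neighbours.setdefault(src, set()).add(dst)
        neighbours.setdefault(dst, set()).add(src)
    scope = set(cde)
    queue = deque(cde)
    while queue:  # breadth-first walk outwards from the CDE
        node = queue.popleft()
        for peer in neighbours.get(node, ()):
            if peer not in scope:
                scope.add(peer)
                queue.append(peer)
    return scope


def flat_network_flows(systems):
    """Flat network: every system can talk to every other system."""
    return {(a, b) for a in systems for b in systems if a != b}


def segmented_flows():
    """Segmented network: only flows with a business need are permitted.
    CRM and wiki talk to each other but have no path into the CDE; the
    vendor gateway is allowed in for support, so it stays in scope."""
    return {
        ("pos-terminal", "payment-gateway"),
        ("vendor-vpn-gw", "payment-gateway"),
        ("crm", "marketing-wiki"),
    }
```

Running `in_scope(CDE_SYSTEMS, flat_network_flows(SYSTEMS))` returns all five systems, while the segmented flows return only the two CDE systems plus the vendor gateway.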
Another way to reduce PCI scope is to implement PCI-validated point-to-point encryption, or P2PE. “PCI-validated P2PE alone can take you down from 300 to about 30 controls,” Johnson adds. The PCI DSS mandates that validated P2PE encrypts data from the point of interaction, or POI, device until it leaves the merchant’s environment, where it is then decrypted by the P2PE solution provider. In short, it ensures that clear-text cardholder data never traverses your organization’s systems, dramatically reducing scope.
Get Ready for PCI DSS v4.0
One critical piece of meeting PCI DSS compliance is keeping up with changes to the standards. With the latest version of PCI DSS coming in the next year, organizations can expect a few changes to the requirements for PCI DSS compliance. These changes bring both opportunity and risk for organizations that handle cardholder data.
While PCI DSS v4.0 will allow for more flexibility, there are some major changes that could put large organizations at risk. According to Johnson, “One challenge with v4.0 will be internal sensitive data transmission. Encrypted cardholder data transmission over open public networks is already a requirement, but under the new standard, it appears encryption will also be required internally. This shift will likely be challenging for many entities using legacy applications for data processing.”
Start with PCI-Validated Solutions
To find out more about Bluefin’s PCI-validated P2PE and tokenization solutions, get in touch with a Bluefin representative today.