PCI-DSS – Scoping Requirements

Any organisation that stores, processes, or transmits payment card information is required to adhere to a set of requirements known as the Payment Card Industry Data Security Standard (PCI DSS). This standard also applies to any organisation that provides services which could impact the security of payment card information.

The level of compliance and the requisite actions vary depending on an organisation's volume of transactions processed and its position within the payment ‘eco-system’.

An overview of the Payment Eco-system

Cardholder

The individual person to whom a payment card is issued and who pays for products or services using that card.

Issuer

The entity that issues the card to the cardholder, often (but not limited to) your bank.

Merchant

The entity that receives payments from cardholders for products or services.

Acquirer

The entity that takes on the financial risk of the merchant transaction (sometimes the acquirer is also a payment processor, and the roles are mingled – the volumes distinguish between these functions).

Service Provider

An entity that provides services that control or could impact the security of Cardholder Data.

The PCI Security Standards Council has released the latest version, 4.0, discussed previously by James Drake, Senior Director in Information Security Solutions at Xcina Consulting (part of the Shearwater Group plc).

Defining the Scope

Understanding which specific elements of the PCI DSS standard your organisation’s business and technological environment must adhere to is the first objective. These elements are called the ‘Scope’, and they are made up of three categories: People, Processes and Technology. This paper explains each one in more detail.

In simple terms, anything or anyone that directly or indirectly connects to the cardholder environment including storing, processing or transmitting cardholder data, or affects the security of cardholder data, must be in scope for compliance.

Determining the ‘Scope’ is vital for an organisation’s assessment. Without scope definition the entire network and infrastructure must adhere to the PCI DSS and be assessed. When organisations try to define their own ‘scope’ it is common for them to overlook key elements. A good starting point is to consider:

  • How do I collect payment card information for services?
  • Which systems process cardholder data, and why?
  • Where and how is this data stored, processed and transmitted?

There are many tools available to aid an organisation in identifying its scope: sensitive data discovery scans (to identify unencrypted cardholder data on a network), network discovery tools, vulnerability scanning tools, and Data Loss Prevention (DLP) tools that help prevent and detect mistakes when handling this data.
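As an added example (not part of the original post, and not Xcina’s or any vendor’s tooling), a minimal sensitive data discovery scan in Python: it searches text sources for unencrypted primary account numbers, applies the Luhn check to discard most false positives such as order or reference numbers, and reports findings masked (first six and last four digits) so the scan output does not itself become cardholder data. The file names and contents are constructed samples using public test card numbers.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit strings (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (source name, line number, masked PAN) for every Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((name, lineno, mask_pan(digits)))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of source name -> content (constructed here; could be files or DB dumps)."""
    out = []
    for name, text in sources.items():
        out.extend(scan_text(name, text))
    return out


# Constructed sample "files". 4111... and 5555... are public test numbers, not real accounts;
# the order and ref values fail the Luhn check and are correctly ignored.
SAMPLE_SOURCES = {
    "crm/export.csv": "id,name,card\n101,A Smith,4111 1111 1111 1111\n102,B Jones,order-1234567890123\n",
    "logs/app.log": "2024-01-01 payment ok pan=5555555555554444 ref=9876543210987654\n",
}

if __name__ == "__main__":
    for source, line, masked in scan_sources(SAMPLE_SOURCES):
        print(f"{source}:{line}: unencrypted PAN found {masked}")
```

Every source that produces a finding stores or logs cardholder data in the clear and therefore belongs in scope until the data is removed, tokenised or encrypted.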

Reducing your scope

In order to lower the cost and difficulty of complying with PCI DSS, it is recommended that an organisation reduces the scope of its cardholder data environment. Most importantly, this action will also reduce the risk to the organisation and to its customers’ cardholder data.

The most common and advised route to do this is through network segmentation. This isolates the cardholder data environment from the organisation’s broader network. Once implemented, network segmentation helps ensure that cardholder data is stored securely and that all access (whether physical or technical) is protected, as illustrated below:

PCI Scoping

Another method which can aid in reducing scope is the use of third parties for activities such as payment processing or storage of data. An example of this may be seen in organisations choosing to migrate their systems to cloud platforms or using Payment Service Providers (PSPs). Whilst it is tempting to believe that this might alleviate all compliance burdens, an organisation needs to understand the shared responsibility model and wider impacts relating to cardholder data.

Conclusion

Whilst the information provided here will aid an organisation in defining its PCI DSS scope, there is a great deal to consider with regard to PCI DSS compliance. Each organisation will have its unique needs, services and infrastructure assessed to understand the areas that impact its compliance. It is mandated that only PCI accredited assessors (Qualified Security Assessors) may complete an official assessment. However, it is also recommended that a compliant organisation regularly consults with a QSA to discuss its strategies and understand how its growing business needs and changes may impact its compliance.

If you would like to know more regarding how we are assisting our customers with PCI DSS, please contact our QSAs at info@xcinaconsulting.com.


James Drake

Senior Director
