PCI-DSS – Scoping Requirements
Any organisation that stores, processes, or transmits payment card information is required to adhere to a set of requirements known as the Payment Card Industry Data Security Standard (PCI DSS). This standard also applies to any organisation that provides services which could impact the security of payment card information.
The level of compliance and the requisite actions vary depending on an organisation's volume of transactions processed and its position within the payment ‘eco-system’.
An overview of the Payment Eco-system
Cardholder
The individual person to whom a payment card is issued and who pays for products or services using that card.
Issuer
The entity that issues the card to the cardholder, often (but not limited to) your bank.
Merchant
The entity that receives payments from cardholders for products or services.
Acquirer
The entity that takes on the financial risk of the merchant transaction (sometimes the acquirer is also a payment processor and the roles overlap; transaction volumes distinguish between these functions).
Service Provider
An entity that provides services that control or could impact the security of Cardholder Data.
The PCI Security Standards Council has released the latest version, 4.0, which we discussed in our earlier updates.
Defining the Scope
Understanding which specific elements of the PCI DSS your organisation’s business and technological environment are required to adhere to is the first objective. These elements are called the ‘Scope’, and they are made up of three categories: People, Processes and Technology. This paper explains each one in more detail.
In simple terms, anything or anyone that directly or indirectly connects to the cardholder environment including storing, processing or transmitting cardholder data, or affects the security of cardholder data, must be in scope for compliance.
Determining the ‘Scope’ is vital for an organisation’s assessment. Without a scope definition, the entire network and infrastructure must adhere to the PCI DSS and be assessed. When organisations try to define their own ‘scope’ it is common for them to overlook key elements. A good starting point is to consider:
- How do I collect payment card information for services?
- Why and what systems process cardholder data?
- Where and how is this data stored, processed and transmitted to?
There are many tools available to aid an organisation in identifying its scope. These include sensitive data discovery scans (to identify unencrypted cardholder data on a network), network discovery tools, vulnerability scanning tools, and Data Loss Prevention (DLP) tools that help prevent and detect mistakes when handling this data.
Reducing your scope
In order to lower the cost and difficulty in complying with PCI DSS, it is recommended that an organisation reduces the scope of its cardholder data environment. Most importantly, this action will also reduce the risk to an organisation and its customer’s cardholder data.
The most common and advised route to do this is through network segmentation. This isolates the cardholder data environment from the organisation’s broader network. Once implemented, network segmentation helps ensure that cardholder data is stored securely and that all access (whether physical or technical) is protected, as illustrated below:
Another method which can aid in reducing scope is the use of third parties for activities such as payment processing or storage of data. An example of this may be seen in organisations choosing to migrate their systems to cloud platforms or using Payment Service Providers (PSPs). Whilst it is tempting to believe that this might alleviate all compliance burdens, an organisation needs to understand the shared responsibility model and wider impacts relating to cardholder data.
Conclusion
Whilst the information provided here will aid an organisation in defining its PCI DSS scope, there is a great deal to consider with regards to PCI DSS compliance. Each organisation will have its unique needs, services and infrastructure assessed to understand the areas that impact its compliance. It is mandated that only PCI accredited assessors (Qualified Security Assessors) may complete an official assessment. However, it is also recommended that a compliant organisation regularly consult with a QSA to discuss its strategies and understand how its growing business needs and changes may impact its compliance.
If you would like to know more regarding how we are assisting our customers with PCI DSS, please contact our QSAs at info@xcinaconsulting.com.