5 Ways to Reduce Your PCI DSS Scope

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
9 Aug
2022

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability of the Standard. Even veterans of PCI DSS compliance can struggle with scope creep over time as an organisation’s networks evolve.

So, it should be no surprise that scope reduction is one of the most effective and practical ways of ensuring you continue to comply with the PCI DSS.  The focus of this blog is to look at a number of the most common scope reduction techniques which can help you to reduce the time, money, and resource burden of meeting PCI DSS requirements.

1: Segmentation

This first technique is the obvious first step for organisations looking to reduce scope.  Whilst it is not a requirement of the PCI DSS, network segmentation is highly recommended by the PCI Security Standards Council (SSC) and virtually every PCI QSA!  The key with network segmentation is to either have separate physical networks to prevent any possibility of segmented systems coming into scope or if you are using logical segmentation (such as VLANs) to ensure a correct configuration that prevents out-of-scope systems from connecting to in-scope ones.

2: Outsourcing

This is also a very common technique, especially with e-commerce platforms.  This could be considered a form of physical segmentation as you simply outsource part or all the payment channel to a third party. The important thing to remember with outsourcing is that you cannot outsource responsibility for compliance.  As a merchant, you are ultimately responsible for protecting the cardholder data and must ensure that any third parties involved are fully compliant with any relevant requirements.

3: Encryption

Encryption may not appear to be a scope reduction technique at first glance, as it is usually seen as a security control; however, in the opinion of the PCI SSC and many PCI QSAs, it is one of the best methods for reducing scope. In simple terms, if you encrypt the cardholder data everywhere within your systems, whether it is at rest (stored) or in transit (being transmitted) then any system or device that cannot decrypt the data can ‘most likely’ be considered out of scope. You do need to be careful, however, that any system or device deemed to be out of scope is not providing security services to another in-scope system or device.

4: Data removal

It may be stating the obvious, but if you remove any stored cardholder data, you will reduce your PCI DSS scope.  Many organisations, however, do overlook this potential solution.  The advice from the PCI SSC is very straight forward – If you don’t need it, don’t store it. The difficult part in removing cardholder data is ensuring you have located all of it!  In older environments, cardholder data has a way of finding itself in all sorts of unexpected places such as text files, log files, memory dumps, application logs, legacy databases, backups etc etc.

5: Enlist qualified support

There is a host of more subtle techniques for reducing scope, but a lot of these will vary according to your specific payment channel and network infrastructure, e.g. whether network jump-boxes are used to control access or whether payment channels are consolidated onto a single platform. The tricky bit is determining whether the different techniques will reduce scope significantly enough to be worthwhile. That’s where consultants and PCI QSAs can add value by analysing your specific situation (e.g. infrastructure and business objectives) and identifying the most appropriate techniques for reducing your scope and ensuring you remain compliant!

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Rapid Penetration Test Quote

Do you need support in meeting your annual PCI DSS penetration testing requirements? CREST-accredited URM can complete internal and external penetration tests for your organisation.
Thumbnail of the Blog Illustration
Information Security
Published on
11/4/2024
PCI DSS v4.0: Network Security Controls

URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Merchant Levels

We are often asked, both by those new to PCI DSS and those who have been involved for a while....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
PCI DSS Reduction and Assessment

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components....

Read more
It was an interesting presentation since we had the updated standard released last week. Thanks
Webinar 'Abriska 27001 Risk Assessment'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.