Reducing the scope of the PCI DSS – don’t store the PAN

The best advice when dealing with cardholder data is always that ‘if you don’t need cardholder data, don’t store it’.

This will go a long way to reducing the scope and is easier to achieve than it might appear. There are several things you can do at this point.

Firstly, you can review each system to discover whether it should be involved in handling cardholder data or sensitive authentication data (SAD). For example, many businesses believe that they need all the cardholder data and SAD they collect for their accounting records or to track customer spending, but there is no business need in these circumstances to have the primary account number (PAN).

The PCI DSS and network segmentation

If you do not store the PAN, the Payment Card Industry Data Security Standard (PCI DSS) does not apply to that area of your organization and the scope of the assessment can be greatly reduced. Once you no longer store the data, you only need to worry about where it travels across the network.

Although the Standard does not require network segmentation, it is a highly advisable practice to reduce scope.

The PCI DSS defines network segmentation as an isolated network segment that cannot affect the security of cardholder data even if it’s compromised. Segmentation can be either physical or logical. Note that components and software used to achieve segmentation are within scope – for example, software used to manage a gateway between separate segments must be tested as part of the assessment.

Other ways to reduce scope

There are other ways to reduce scope and increase security. The organization could remove all wireless access to the cardholder data environment (CDE), as this presents a significant risk. If this is not possible for business reasons, then it is a good idea to put another firewall around the wireless local area network and restrict access to a bare minimum.

Restricting access to only what is needed to carry out the business task is one of the best ways of generally reducing the scope for PCI DSS purposes. One method of ensuring the minimum level of access is to look at inbound and outbound traffic separately and ensure that databases that only need to receive information from internal sources are not connected to a channel that brings in external data are not connected to an inbound channel – this may sound technical but is easy to understand by consulting your network diagram.

For e-commerce merchants, web page redirects to a service provider that manages payments on your behalf are an extremely effective way of reducing PCI requirements to a much simpler, easier-to-follow set than if the merchant processes cardholder data on their own.

Storing tokens instead of PANs can also help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s PCI DSS requirements.

If your organization uses PIN-entry devices (PEDs), then you could consider using point-to-point encryption (P2PE). These solutions effectively move the organization’s entire network out of scope and reduce the number of requirements to meet compliance from 246 to just 19.

Although investing in a new hardware solution will involve an up-front investment, the long-term cost of compliance will be drastically reduced. It is important to emphasise that an assessor will need to validate the scoping conclusions as part of the compliance audit, and that you must have adequate justification for asserting that a component is out of scope.

Attend our free PCI DSS webinar

For more advice on reducing the scope of your CDE and how you can justify it in your documentation, join us for our free webinar: PCI DSS: Reducing the cardholder data environment next Friday. You’ll learn:

  • Which system components, people, and processes need to be included in the scope
  • How to create an accurate data flow diagram to map the movement of cardholder data
  • What to include when mapping the IT infrastructure and external connections
  • Effective methods for reducing the scope of your CDE

This webinar takes place on Friday, June 1, 2018, at 10:00 a.m. (EDT). If you can’t make it, the presentation will be available to download from our website, where you can also browse our other PCI DSS webinars.

Register to attend this webinar >>