Learn how to reduce PCI scope in your business and protect your cardholder data.
Many businesses find it difficult to get PCI DSS compliant. There are so many requirements, and depending on the size of the business, filling out Self-assessment Questionnaires (SAQs) can take a lot of time and effort.
SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?
So what can you do to help your business get compliant? A good place to start is finding and reducing your business’s PCI scope.
SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant
What is PCI scope?Your PCI scope involves anything in your business that processes, stores, or transmits cardholder data, and anything that can initiate a connection to any of the systems that handle cardholder data.
Put simply, any device, process, or employee that involves credit card data is in your PCI scope, which means you are responsible to make sure that card data is properly secure.
Some common devices included in PCI scope can be
- POS systems
- QA systems
You’d be surprised how much credit card data your business is unknowingly storing and in some of the most random places.
SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)
Why reduce scope?Getting compliant with the PCI DSS can be an involved and difficult process; this is especially true for businesses that process and store a lot of card data. By reducing how much your systems come into contact with card data, your PCI validation type may change, which could reduce the overall amount of SAQ questions you’re required to answer and your total amount of work, saving time and money.
Besides saving money, reducing your scope helps ensure you’re keeping track of the card data your business processes and stores. This awareness gets you on the path to boost data protection measures.
SEE ALSO: Infographic: Reduce PCI Scope, Reduce Workload
Finding the scope in your businessThe first step to reducing scope is finding out all the places and ways your business could come into contact with cardholder data.
The key to determining your PCI scope is understanding how your business works.
- How do you record cardholder data?
- Where do you store the data?
- How do you manage your systems?
- How do you log into them?
- How do you backup your systems?
- How do you connect to get reports?
- How do you reset passwords?
There are often processes you don’t think of that could be included in your scope. For example, employees could be taking card numbers over the phone or receive emails with card information. There’s also power-outage procedures where card data may be manually taken down. Follow the paper trails in your business to make sure all card data is secured. Even if card data is 10 years old, it’s still in PCI scope.
Think about all elements on your system. Even if you believe something is out of scope, it may hold temporary files, log files, or back-ups with unencrypted data. Check your devices to make sure no hidden card data is lurking.
After you find your devices in scope, find everything that can communicate with them. If you have a server that handles cardholder data, think about what else connects with that server. Who has permission to access your card data and how do you transmit it?
Also think about how your employees interact with card data. Are they storing card data at their desks? Are they taking down credit card data over the phone? These types of issues need to be taken into account as well.
It takes more effort and time to secure all of your networks than to only secure the ones containing cardholder data. Keep the networks that handle card data separate from the ones that don’t. You can do this by installing firewalls between networks.
SEE ALSO: How Does Network Segmentation Affect PCI Scope?
Use limited access
Your janitor shouldn’t have the same access privileges as your accountant. Not all of your employees need access to cardholder data. By limiting access and having a hierarchy of employees who can handle card data, you reduce the amount of people interacting with the data. This boosts your security and makes PCI compliance a bit easier.
SEE ALSO: PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data
Outsource to third party
This may not work for every business, but if possible, it may be easier to outsource handling payments and card data to a third party. Examples include using tokens, or using business models like PayPal to ensure your company has minimal contact with cardholder data.
Keep in mind that if you do outsource your payment, you will still need to make sure the party you outsourced to is PCI compliant. You could still be held liable in the event of a data breach, should it be shown you didn’t make sure that party was compliant.
Protect your dataWhen it comes to PCI scope, protecting your card data should take top priority. You can’t do that unless you understand the way your business handles card data. It’s up to you to protect your cardholder data.
Need help with PCI compliance? Talk to our experts!