
        PCI Scope: What Is it & Best Practices

        Published December 13, 2021 • By Reciprocity • Blog

        E-commerce is a huge commercial realm, with some 2.14 billion digital buyers worldwide by the end of 2021.

        At the heart of e-commerce is the ability to keep payment card data secure during online transactions, and at the heart of payment card security is PCI compliance.

        Technically, PCI DSS compliance is not required by federal law. It is, however, a contractual obligation under your merchant agreement with your acquiring bank and the card brands, it has been cited in court rulings, and the card brands require it before a merchant may process card transactions. So compliance is essential for any company that wishes to take advantage of e-commerce, which is just about every company there is.

        Compliance begins by determining the scope of your assessment against the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS scope is the set of system components, people, and processes that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), plus every system that is connected to, or could affect the security of, those components.

        Another step is to determine your PCI merchant level: a set of thresholds, defined by the card brands, based on the number of card transactions you handle per year. The level does not change which security requirements apply (the controls are the same at every level); it determines how you must validate compliance. Using the thresholds commonly published by the major brands:

        • Level 4. Fewer than 20,000 transactions processed annually. The organization can complete a self-assessment questionnaire (SAQ) and attestation of compliance (AOC) instead of an external audit.
        • Level 3. Between 20,000 and 1 million transactions processed annually. Level 3 also allows the merchant to complete an SAQ instead of an external audit.
        • Level 2. Between 1 and 6 million transactions processed annually. Level 2 merchants can generally validate with an SAQ, but some brands require that the SAQ be completed or signed off by a qualified security assessor (QSA) or an internal security assessor (ISA) rather than self-certified.
        • Level 1. More than 6 million transactions processed annually. These organizations must undergo an annual on-site assessment by a QSA or ISA and submit a report on compliance (RoC) and AOC to their acquiring banks.

        The exact thresholds and validation methods differ slightly between card brands, and an acquirer can move a merchant to a higher level (for example, after a breach), so confirm your level and validation requirements with your acquiring bank.

        PCI DSS compliance is not only needed to access payment service providers. Implementing PCI DSS controls provides security to your users and minimizes reputational risks in case of data breaches.

        In addition, planning PCI DSS work as a project can be vital to protecting your stakeholders from future operational risks. With a dedicated PCI compliance owner, the program places a substantially smaller burden on cybersecurity and compliance teams.

        Key Elements of the PCI Scoping Exercise

        In 2016, the PCI Security Standards Council published its Guidance for PCI DSS Scoping and Network Segmentation in response to the difficulties organizations had implementing PCI DSS. For example, without correct identification of cardholder data (CHD) flows, an organization has to treat every system component as in scope, which is unnecessary, costly, or even impossible for some organizations.

        The steps below will help you identify your PCI scope correctly. Organizations can adapt, modify, or add elements to fit their own PCI DSS assessment.

        Identification of CHD Reception Methods

        Determine every payment channel and method by which cardholder data enters the organization (e-commerce checkout, point-of-sale terminals, phone and mail orders, paper forms), and follow each one from receipt to destruction or hand-off to a third party.

        Identification and Tracking of CHD Flows

        Document all CHD flows, including the people, processes, and technologies related to storing, processing, and transmitting this sensitive information. These elements are part of the Cardholder Data Environment (CDE).

        Identification of Accessory Components to the CDE

        Identify all business and technical processes, systems, and personnel that can connect to the CDE or affect its security even if they never touch CHD themselves: directory services, patch and configuration management, logging and monitoring, jump hosts, and administrators' workstations. The guidance calls these "connected-to" and "security-impacting" systems, and they are in scope because a compromise of any one of them could compromise the CHD.

        Implementation of Scope Reduction Controls

        Minimize contact between the CDE and any processes, components, or personnel that are not essential to processing CHD. Segment the systems that store, process, or transmit CHD and sensitive authentication data (SAD) from the rest of the network, and restrict access to the CDE to the people whose roles require it.

        Implementation of Applicable PCI Requirements

        Based on the components, processes, and people determined to be in scope, implement the appropriate controls and requirements.

        Maintenance and Monitoring

        Implement controls (change control, periodic reviews, monitoring) to ensure that the tools and processes supporting PCI DSS keep working. Re-evaluate the scope whenever CDE systems, processes, or personnel change, and at least annually, because a single undocumented connection can quietly pull new systems into scope.

        What Does it Mean to ‘Close a PCI Scope’?

        As described in the Guidance for PCI DSS Scoping and Network Segmentation, not every element of an IT infrastructure has to be within the PCI scope. Mismanaged data flows, however, can connect far more systems to the CDE than the business needs. "Closing" the PCI scope is simply the set of strategies, controls, and solutions you use to shrink the PCI scope within an organization.

        The primary benefit of closing the PCI scope is lower cost: systems outside the scope do not have to meet the full set of PCI DSS requirements (they still deserve ordinary security hygiene). Reducing the number of elements that make up the CDE also shrinks the attack surface through which CHD can be exposed. Finally, a smaller PCI DSS scope simplifies monitoring and assessment because there are fewer processes, individuals, and components to assess.

        How Do I Lower My PCI Scope?

        While every organization has a different CDE, here are some best practices to help lower your organization’s PCI scope.

        Get Rid of Unnecessary CHD

        It isn't always necessary to store cardholder data, and sensitive authentication data (full track data, card verification codes, PINs) must never be retained after authorization. Use cardholder data discovery tools to find misplaced CHD, or CHD you didn't know you had (log files, debug output, spreadsheets, backups, e-mail), delete what the business does not need, and put controls in place to prevent it from reappearing.
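The following is an added example, not code from the original post or from Reciprocity: a minimal cardholder data discovery scan of the kind the paragraph describes. It pulls 13- to 19-digit candidates out of text, confirms them with the Luhn check digit that every PAN carries (which weeds out order IDs, timestamps and phone numbers), and reports them masked so the scanner itself does not become a new CHD store. The log lines are constructed for illustration; the PANs are the public Visa and Mastercard test numbers.

```python
"""Minimal cardholder data discovery scan (added example, not from the original post)."""
from __future__ import annotations

import re
from typing import NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run. Assumption: a deliberately minimal pattern;
# production scanners handle more separators and OCR/Unicode noise.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


class Hit(NamedTuple):
    line_no: int
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Display at most the first six and last four digits (PCI DSS masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[Hit]:
    """Return masked, Luhn-valid PAN hits with the 1-based line they appear on."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # The regex alone would flag order IDs and timestamps; Luhn drops
            # almost all of them while keeping every real card number.
            if luhn_ok(digits):
                hits.append(Hit(line_no, mask(digits)))
    return hits


# Constructed sample: an application log where debug statements leaked card
# data on lines 2 and 4. Line 1 carries a Luhn-invalid order ID, line 3 a
# phone number that is too short to be a PAN.
SAMPLE_LOG = """\
2021-12-13T10:01:00Z order=1234567890123456 status=captured
2021-12-13T10:01:02Z DEBUG raw_request pan=4111 1111 1111 1111 exp=12/25
2021-12-13T10:02:10Z callback phone=555-867-5309
2021-12-13T10:03:44Z DEBUG retry pan=5555555555554444 cvv=123
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit.line_no}: possible PAN {hit.masked}")
```

Note that line 4 of the sample also leaks a card verification code next to the PAN; a scanner only finds the PAN, so once a hit is confirmed, check the same record for SAD and treat the whole log as in scope until it is purged and the debug statement removed.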

        Network Segmentation

        Network segmentation is one of the most effective ways to minimize PCI scope within your organization. It means separating the systems that store, process, or transmit CHD from systems that do not have those roles, so that the latter have no connectivity to the CDE at all.

        Segmentation can be physical (separate network hardware with no path between CDE and non-CDE systems) or logical (firewall rules, router ACLs, or VLANs with enforced access control) that denies all traffic between the CDE and other segments except explicitly documented, business-justified flows. PCI DSS requires that segmentation be verified by penetration testing at least annually and after any change to the segmentation controls, so treat every permitted flow as a rule you will have to justify to an assessor.
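The scoping steps above (identifying CHD flows, connected-to systems, and scope reduction) and the segmentation section both come down to the same question: given the flows your firewalls actually permit, which systems are in scope, and which "out-of-scope" systems are secretly connected to the CDE? The following is an added example, not code from the original post or from Reciprocity, that answers it for a small inventory. Hostnames, ports, and flows are constructed for illustration, and the classification rule (any permitted flow to or from a CDE system puts the other end in scope; designated security-impacting systems are in scope regardless) follows the PCI SSC scoping guidance.

```python
"""PCI scope classification and segmentation check (added example, not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    purpose: str


@dataclass
class Inventory:
    handles_chd: set[str]          # systems that store, process or transmit CHD/SAD: the CDE
    flows: list[Flow]              # flows the firewall/ACL rules actually permit
    security_impacting: set[str] = field(default_factory=set)  # directory, patching, SIEM, ...

    def systems(self) -> set[str]:
        names = set(self.handles_chd) | set(self.security_impacting)
        for f in self.flows:
            names.update((f.src, f.dst))
        return names


def classify(inv: Inventory) -> dict[str, str]:
    """Map each system to CDE / security-impacting / connected-to / out-of-scope."""
    result = {s: "out-of-scope" for s in inv.systems()}
    for f in inv.flows:
        # A permitted flow in either direction makes the non-CDE end a
        # "connected-to" system, which the guidance places in scope.
        if f.src in inv.handles_chd and f.dst not in inv.handles_chd:
            result[f.dst] = "connected-to"
        elif f.dst in inv.handles_chd and f.src not in inv.handles_chd:
            result[f.src] = "connected-to"
    for s in inv.security_impacting:
        result[s] = "security-impacting"   # in scope even without a direct CHD flow
    for s in inv.handles_chd:
        result[s] = "CDE"
    return result


def in_scope(inv: Inventory) -> set[str]:
    return {s for s, c in classify(inv).items() if c != "out-of-scope"}


def segmentation_findings(inv: Inventory, intended_out_of_scope: set[str]) -> list[str]:
    """Permitted flows that silently drag an intended out-of-scope system into PCI scope.
    Each finding is a rule the segmentation controls should not be allowing."""
    findings = []
    for f in inv.flows:
        other = f.dst if f.src in inv.handles_chd else f.src if f.dst in inv.handles_chd else None
        if other in intended_out_of_scope:
            findings.append(f"{f.src} -> {f.dst}:{f.port} ({f.purpose}) connects {other} to the CDE")
    return findings


# Constructed inventory: a checkout front end, payment API and card database
# form the CDE; a jump host and the directory/SIEM support them; a marketing
# stack is meant to stay out of scope, but a reporting job reaches into card-db.
INVENTORY = Inventory(
    handles_chd={"web-checkout", "payment-api", "card-db"},
    security_impacting={"ad-dc01", "siem"},
    flows=[
        Flow("web-checkout", "payment-api", 443, "authorize card"),
        Flow("payment-api", "card-db", 5432, "store card data"),
        Flow("jump-host", "card-db", 22, "DBA access"),
        Flow("card-db", "siem", 514, "syslog"),
        Flow("payment-api", "ad-dc01", 636, "LDAPS auth"),
        Flow("marketing-web", "reporting-db", 5432, "campaign stats"),
        Flow("reporting-db", "card-db", 5432, "nightly sales sync"),  # the flow nobody documented
    ],
)
INTENDED_OUT_OF_SCOPE = {"marketing-web", "reporting-db"}

if __name__ == "__main__":
    for system, category in sorted(classify(INVENTORY).items()):
        print(f"{system:15} {category}")
    for finding in segmentation_findings(INVENTORY, INTENDED_OUT_OF_SCOPE):
        print("FINDING:", finding)
```

The model deliberately stops at one hop: a system that only talks to a connected-to system (marketing-web) stays out of scope, which is what the guidance allows, but the reporting database that syncs from card-db is in scope whether or not anyone wrote that down. Feed it the real rule base exported from your firewalls rather than a hand-written list, and re-run it as part of the change control described under Maintenance and Monitoring.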

        Tokenization

        Tokenization replaces the PAN with a surrogate value (a token) that has no mathematical relationship to the original, so that a token stolen from a downstream system cannot be turned back into a card number. Tokens can stand in for the PAN wherever a system only needs a reference to the card (order history, recurring billing, analytics), which takes those systems out of scope; the token vault that maps tokens back to PANs remains fully in scope. Note that a plain hash of the PAN is not a token: the PAN space is small enough that, given the digits a masked display already reveals, the hash can be brute-forced.
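The following is an added example, not code from the original post or from Reciprocity: a toy token vault alongside a demonstration of why an unsalted hash of the PAN is not a token. The vault's storage is simplified (a real vault encrypts the PAN under strong key management, as PCI DSS requirement 3 demands, and is itself inside PCI scope); the role name "settlement" used for authorization is an assumption, and the PANs are the public Visa and Mastercard test numbers.

```python
"""Token vault and hash-is-not-a-token demonstration (added example, not from the original post)."""
from __future__ import annotations

import hashlib
import secrets
from typing import Optional


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum; a valid PAN has luhn_sum(pan) % 10 == 0."""
    return sum(int(c) if i % 2 == 0 else (2 * int(c) - 9 if c > "4" else 2 * int(c))
               for i, c in enumerate(reversed(digits)))


def pan_digest(pan: str) -> str:
    """What a naive 'tokenization' scheme stores: an unsalted SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


class TokenVault:
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a random, format-preserving token with no mathematical link to the PAN."""
        if pan in self._token_by_pan:          # stable token per card, e.g. for recurring billing
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep the last four so receipts stay useful
            # Reject collisions and any token that happens to pass Luhn: a token
            # that fails the check can never be mistaken for, or used as, a PAN.
            if token not in self._pan_by_token and luhn_sum(token) % 10 != 0:
                break
        self._pan_by_token[token] = pan         # assumption: a real vault stores this encrypted
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the assumed 'settlement' role may recover a PAN; everyone else gets the token."""
        if role != "settlement":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


def recover_pan_from_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Why sha256(PAN) is not a token. The first six and last four digits are
    exactly what PCI DSS allows a masked display to show, so for a 16-digit PAN
    only five middle digits are free and the sixth is fixed by the Luhn check:
    about 100,000 hashes recover the full card number."""
    for mid in range(100_000):
        partial = f"{bin6}{mid:05d}0{last4}"    # digit at index 11 still unknown
        fix = (-luhn_sum(partial)) % 10          # index 11 is an undoubled Luhn position
        pan = f"{bin6}{mid:05d}{fix}{last4}"
        if pan_digest(pan) == digest_hex:
            return pan
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("5555555555554444")
    print("token:", token, "-> settlement sees:", vault.detokenize(token, "settlement"))
    print("PAN recovered from its hash:",
          recover_pan_from_hash(pan_digest("5555555555554444"), "555555", "4444"))
```

The recovery function is the check to run against any vendor or in-house scheme that calls a hashed PAN a "token": if the BIN and last four are visible anywhere, an unsalted or predictably salted hash offers no protection, and the PCI SSC's tokenization guidance treats such values as cardholder data. Truly random tokens, as generated by the vault, carry no such shortcut.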

        Deployment of P2PE Solutions

        Point-to-point encryption (P2PE) solutions encrypt card data inside the payment terminal at the moment of capture and decrypt it only in the solution provider's environment. None of the merchant's systems in between ever see the clear PAN, and the merchant never holds the decryption keys. The scope reduction applies when you use a solution that has been validated and listed by the PCI SSC; with a listed solution, eligible merchants can validate using the much shorter SAQ P2PE.

        Third-Party Outsourcing

        Finally, specialized service providers can store, process, or transmit cardholder data on your behalf, removing those functions from your own scope: hosted payment pages and payment gateways, tokenization services, hosting facilities, and managed log monitoring. Outsourcing does not outsource responsibility, however. PCI DSS still requires you to maintain a list of such providers, hold written agreements that spell out their PCI DSS responsibilities, and monitor their compliance status at least annually.

        ZenGRC & PCI Compliance Go Hand-in-Hand

        ZenGRC is a user-friendly and intuitive governance, risk management, and compliance platform. It provides insightful reporting and dashboards, automated workflows, and document storage so you have optimal visibility and are always audit-ready.

        ZenGRC provides you with a solid basis for IT compliance. It allows you to track the progress of your program over time to ensure that you remain compliant and avoid non-compliance fines. Stakeholders, staff, and PCI compliance managers can all access a single source of truth that covers all of your current and future PCI compliance requirements.

        Schedule a demo today to learn more about how ZenGRC can help your PCI compliance program.
