E-commerce is a huge commercial realm, with some 2.14 billion digital buyers worldwide by the end of 2021.
At the heart of e-commerce is the ability to keep payment card data secure during online transactions, and at the heart of payment card security is PCI compliance.
Technically, PCI compliance is not required by law, but court rulings have treated it as mandatory, and the credit card companies require it before a merchant can process online transactions. So compliance is essential for any company that wishes to take advantage of e-commerce, which is just about every company there is.
Compliance begins by determining the scope of compliance your organization should achieve with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS scope is the combination of technologies, individuals, and processes that affect the flow of cardholder data (CHD).
Another step is to consider your PCI compliance level, which is a set of thresholds based on the number of card transactions you handle per year. That level determines the requirements that apply to your organization. They are:
- Level 4. Fewer than 20,000 transactions processed annually. The organization can complete a self-assessment questionnaire (SAQ) instead of an external audit.
- Level 3. Between 20,000 and 1 million transactions processed annually. Level 3 also allows the merchant to complete an SAQ instead of an external audit.
- Level 2. Between 1 and 6 million transactions processed annually. Level 2 merchants can complete an SAQ instead of an external audit, but they must also complete and submit a Report on Compliance (RoC) to the banks that process the organization’s payments (acquiring banks).
- Level 1. More than 6 million transactions processed annually. These organizations must undergo an on-site assessment, including an external audit by a qualified security assessor (QSA) or an internal security assessor (ISA), and submit an RoC to the organization’s acquiring banks.
PCI DSS compliance is not only needed to access payment service providers. Implementing PCI DSS controls provides security to your users and minimizes reputational risks in case of data breaches.
In addition, PCI DSS project planning can be vital to protecting your stakeholders from future operational risks. Backed by a dedicated PCI compliance manager, PCI compliance can substantially reduce the burden on cybersecurity and compliance teams.
Key Elements of the PCI Scoping Exercise
In 2016, the PCI Council published its Guidance for PCI Scoping and Network Segmentation, due to the struggles of companies implementing PCI DSS. For example, without correct identification of cardholder data (CHD) flow, companies were expected to include all system components within the scope of PCI. This requirement was unnecessary, costly, or even impossible for some organizations.
This article can help you get started with the correct identification of the PCI scope. Organizations can adapt, modify, or add new elements within the PCI DSS assessment.
Identification of CHD Reception Methods
Determine all payment channels and methods by which cardholder data is collected, from receipt by the organization to destruction or transfer.
Identification and Tracking of CHD Flows
Document all CHD flows, including the people, processes, and technologies related to storing, processing, and transmitting this sensitive information. These elements are part of the Cardholder Data Environment (CDE).
Identification of Accessory Components to the CDE
Identify all business and technical processes, systems, and personnel that can interact with the CDE. All of these elements are known as “security-impacting systems” and are considered part of the PCI scope due to their connection and potential impact on the security of the CHD.
Implementation of Scope Reduction Controls
Minimize the contact of the CDE with other processes, components, or personnel not essential for CHD processing. Implement controls to segment the CHD and sensitive authentication data (SAD) from individuals who aren’t part of the CDE.
Implementation of Applicable PCI Requirements
Based on the components, processes, and people determined to be in scope, implement the appropriate controls and requirements.
Maintenance and Monitoring
Implement controls that keep the tools and processes supporting PCI DSS stable and effective. It’s also necessary to re-evaluate the scope whenever CDE systems, processes, or personnel change.
What Does it Mean to ‘Close a PCI Scope’?
As described in the Guidance for PCI Scoping and Network Segmentation, not all elements of an IT infrastructure have to be within the PCI scope. Unfortunately, mismanagement of data flows can link more services than needed. “Closing” the PCI scope is simply the set of strategies, controls, and solutions you use to reduce PCI scope within an organization.
The primary benefit of closing the PCI scope is lower cost: you don’t need to protect systems that aren’t involved in cardholder data security. Additionally, reducing the number of elements involved in the CDE systems reduces the risk of data breaches. Finally, lowering the PCI DSS scope can simplify monitoring and compliance by reducing the number of processes, individuals, or components.
How Do I Lower My PCI Scope?
While every organization has a different CDE, here are some best practices to help lower your organization’s PCI scope.
Get Rid of Unnecessary CHD
It isn’t always necessary to store cardholder data. Instead, use cardholder data discovery tools to find misplaced CHD, or CHD you didn’t know you had, eliminate this information, and implement measures to prevent it from being stored again.
Network segmentation is one of the most effective practices to minimize PCI scope within your organization. This is the separation of CHD storage, transmission, and processing systems from systems that do not have these roles.
This segmentation can be done physically, by preventing any connection between systems that are part of the CDE and external systems, or logically, by employing firewall and router rules that block that contact.
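Logical segmentation is only as good as the rules that enforce it, and PCI DSS expects those rules to be tested. The following added example (not code from the article or from ZenGRC) models a first-match, implicit-deny firewall ruleset and checks it against a small segmentation test plan: a weak ruleset that lets the whole corporate LAN reach the CDE segment is shown next to a corrected one that admits only a single jump host on SSH. The subnets, the jump host address, and the probe list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network layout for the example.
CDE_NET = ipaddress.ip_network("10.10.0.0/24")     # cardholder data environment
CORP_NET = ipaddress.ip_network("10.20.0.0/16")    # out-of-scope corporate LAN
JUMP_HOST = ipaddress.ip_network("10.20.1.5/32")   # admin jump host (a connected system, so in scope)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; no match means deny, as on most firewalls."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# Weak ruleset: one broad rule drags the entire corporate LAN into PCI scope.
WEAK_RULES = [
    Rule(CORP_NET, CDE_NET, None, "allow"),
]

# Corrected ruleset: only the jump host, only SSH; everything else from corp is blocked.
SEGMENTED_RULES = [
    Rule(JUMP_HOST, CDE_NET, 22, "allow"),
    Rule(CORP_NET, CDE_NET, None, "deny"),
]

Probe = Tuple[str, str, int, str]   # (src, dst, dport, expected decision)

# Segmentation test plan: what each source should and should not be able to reach.
PROBES: List[Probe] = [
    ("10.20.1.5", "10.10.0.10", 22, "allow"),     # jump host over SSH: permitted
    ("10.20.1.5", "10.10.0.10", 3389, "deny"),    # jump host over RDP: not permitted
    ("10.20.7.7", "10.10.0.10", 22, "deny"),      # ordinary workstation: never
    ("10.20.7.7", "10.10.0.10", 443, "deny"),
]


def segmentation_violations(rules: List[Rule], probes: List[Probe]) -> List[Tuple[str, str, int]]:
    """Return every probe whose actual decision differs from the test plan."""
    return [
        (src, dst, dport)
        for src, dst, dport, expected in probes
        if evaluate(rules, src, dst, dport) != expected
    ]


if __name__ == "__main__":
    print("weak ruleset violations:", segmentation_violations(WEAK_RULES, PROBES))
    print("segmented ruleset violations:", segmentation_violations(SEGMENTED_RULES, PROBES))
```

The weak ruleset fails three of the four probes, which is exactly the finding a segmentation test should surface before an assessor does; the corrected ruleset passes all of them. The probe list is the part worth keeping under version control, because it documents the segmentation boundary the organization is claiming when it says the corporate LAN is out of scope.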
Tokenization is the process of converting sensitive pieces of data into tokens to avoid compromising user information. These tokens can replace credentials in payment processing and even login credentials (although these must be created initially under the PCI DSS password requirements).
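To make the scope-reduction effect of tokenization concrete, here is an added example (not code from the article or from ZenGRC) of a vault-style token service: the vault is the only component that ever holds a real PAN, the order system stores a random token plus the last four digits, and only a designated role may exchange a token back for the PAN. The in-memory dictionaries, the `payment-processor` role name, and the `tok_` prefix are assumptions of the example; a production vault keeps its backing store encrypted at rest as PCI DSS Requirement 3 demands.

```python
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn check, used here only to reject malformed input before it enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _normalize(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


class TokenVault:
    """The one component inside the CDE that sees real PANs (in-memory illustration)."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = _normalize(pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid PAN")
        # Same card, same token: downstream systems can recognise a repeat card
        # without ever holding the PAN.
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        # A random token carries no information about the PAN, unlike a hash,
        # so a stolen token table is useless without the vault.
        token = "tok_" + secrets.token_hex(16)
        while token in self._token_to_pan:
            token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing role may recover a PAN (assumed policy)."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the out-of-scope order system stores: token and display fields only."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": _normalize(pan)[-4:], "amount_cents": amount_cents}


def contains_pan(record: dict, pan: str) -> bool:
    """Sanity check for the stored record: the full PAN must not appear in any field."""
    digits = _normalize(pan)
    return any(digits in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111 1111 1111 1111", 1999)   # well-known test PAN
    print(order)                                                # token and last4 only
    print(vault.detokenize(order["token"], "payment-processor"))
```

Because the order database, reporting jobs, and support tools only ever handle `order["token"]` and `order["last4"]`, they fall outside the CDE; the PCI scope shrinks to the vault and the payment-processing path that is allowed to call `detokenize`.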
Deployment of P2PE Solutions
Point-to-point encryption (P2PE) solutions allow effective encryption and protection of cardholder information. Through this method, the data can only be decrypted by solution providers, and none of the transit points are allowed access to the unencrypted data.
Finally, some organizations specialize in protecting and processing this information securely on behalf of their clients and can help minimize the PCI scope of your organization. These services include log monitoring and management, server hosting facilities, and gateway-based data solutions.
ZenGRC & PCI Compliance Go Hand-in-Hand
ZenGRC is a user-friendly and intuitive governance, risk management, and compliance platform. It provides insightful reporting and dashboards, automated workflows, and document storage so you have optimal visibility and are always audit-ready.
ZenGRC provides you with a solid basis for IT compliance. It allows you to track the progress of your program over time to assure that you remain compliant and prevent non-compliance fines. Stakeholders, staff, and PCI compliance managers can all access a single source of truth that covers all of your current and future PCI compliance requirements.
Schedule a demo today to learn more about how ZenGRC can help your PCI compliance program.