PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money
Posted by David Gamey on 22 Nov 2016.
While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such thing as a PCI Compliance footprint which potentially affects you. Put simply, a compliance footprint provides a measure of the impact of compliance obligations on your business.
Who Should Be Concerned About Their PCI Compliance Footprint?
If your organization operates in the payment card space, whether you accept payments as a merchant, process payments, issue cards, or provide services to such organizations, then you have compliance obligations. Understanding your compliance footprint goes beyond understanding those obligations. It provides you with a way to measure
- How much of your business is directly and indirectly subject to compliance requirements
- The cost and effort of sustaining PCI compliance
- The cost and effort required to validate PCI compliance
- The cost and effort of remediation for any out of compliance systems and processes that are either directly or indirectly subject to PCI compliance
- Potential unnecessary risk your organization bears in handling card data
- Potential opportunities for efficiencies and compliance simplification
The core idea isn’t new, variously it’s been at the heart of “Scope Reduction” (misleading and overused), “Requirement Applicability” (wordy and vague), and “Compliance Simplification” (better but still vague). Ultimately the motivation for this is to reduce risk and expense, and to ensure that compliance is both defensible and sustainable.
Understanding How It Works
Scope Determination is the key process of understanding how all processes and technologies use and interact with card data. Think of the entire company being initially in scope and going through a series of exercises to validate excluding systems and processes. This process of out-of-scope-validation helps define a defensible scope.
A critical gotcha for many organizations is the “connected to” rule which can drag entire companies into PCI scope. Consider a company with a single unsegmented infrastructure. Let’s say there are 1000 computers, phones, and devices on that big flat network. Let’s also say there are 20 devices that are directly involved with payment card data. Management may have an expectation that the scope is close to those 20 devices. Under PCI’s scoping rules, all 1000 devices are subject to PCI DSS. That’s a 98% indirect and only a 2% direct obligation. Furthermore, with upwards of 250 individual reporting instructions in a PCI onsite audit which includes a large percentage that needs to be measured over the entire inventory of technology and processes, the effort to prepare, operate, sustain, and validate such an environment rapidly escalates. That’s a huge compliance footprint!
Ways To Reduce Your Footprint
It should be clear that looking at an annual audit that needs to cover nearly 250,000 points instead of 5,000 is totally unsustainable. Now in reality there are common techniques applied to reduce this. Compliance monitoring solutions make it easier to measure the compliance of large footprints as they can gather vast arrays of data and provide useful dashboards as well as other benefits. Auditing techniques like sampling can also reduce the number of data points. However, these only go so far and at the end of the day, the footprint is still huge. Any organization looking for more gain needs to attack their compliance footprint through a mix of business process redesign and technology changes.
Here are some ways to reduce your compliance footprint.
- Segmentation and Isolation is a practical necessity for organizations with large compliance footprints. In the example above the addition of strong segmentation and some changes to user and support processes can dramatically reduce the footprint. This truly is scope reduction.
- Purging unneeded data is another excellent technique. If an organization can eliminate the storage of card data many of the PCI DSS requirements will no longer apply. All storage, even transient storage, must be eliminated. This simplifies compliance.
- Devaluation techniques such as tokenization and truncation are techniques which can be used where a complete purge is not possible.
- Specialized environments and technology use cases can create PCI efficient architectures since not all PCI requirements apply to all components. The PCI DSS Self-Assessment Questionnaires provide examples of accepted use cases such as e-commerce, hardware terminals, and P2PE solutions with strict eligibility tests that simplify compliance.
- Outsourcing allows an organization to outsource their footprint or portions of it. The company will still be responsible for compliance of the organizations they outsource to, but their foot print can be reduced to some specific governance and due diligence requirements.
- Encryption can also be used to simplify compliance but there are some caveats. Validated P2PE solutions can keep “connected to” systems out of scope. Other encryption solutions with appropriate validation can also help simplify compliance.
- Using standardized system builds, and updating system components to simplify inventory can simplify sampling requirements. PCI requires representative sampling of the cardholder data environment. In addition, to operationally efficiency issues a large number of diverse builds and operational versions of systems can drive up sampling levels and effort.
The above techniques can help organizations reduce their compliance footprint, save money, and reduce risk.
- Data is a Toxic Asset
- 1041 What is the scope of a PCI DSS assessment for a network that is not segmented?
- 1178 How do I reduce the scope of a PCI DSS assessment?
- 1323 Are disaster-recovery (DR) sites in scope for PCI DSS?
- 1300 How does PCI DSS apply to payment terminals?
- 1279 How does using a PA-DSS validated application affect the scope of a merchant's PCI DSS assessment?
- 1115 How does PCI DSS apply to individual PCs or workstations?
- 1154 Is pre-authorization account data in scope for PCI DSS?
Encryption and Scope
- 1252 Do all PCI DSS requirements apply to every system component?
- 1133 Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
- 1331 Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?
- 1443 What is the intent of the SAQ eligibility criteria?
See the FAQ Search page for more like these.