While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such thing as a PCI Compliance footprint which potentially affects you. Put simply, a compliance footprint provides a measure of the impact of compliance obligations on your business.
If your organization operates in the payment card space, whether you accept payments as a merchant, process payments, issue cards, or provide services to such organizations, then you have compliance obligations. Understanding your compliance footprint goes beyond understanding those obligations. It provides you with a way to measure
The core idea isn’t new, variously it’s been at the heart of “Scope Reduction” (misleading and overused), “Requirement Applicability” (wordy and vague), and “Compliance Simplification” (better but still vague). Ultimately the motivation for this is to reduce risk and expense, and to ensure that compliance is both defensible and sustainable.
Scope Determination is the key process of understanding how all processes and technologies use and interact with card data. Think of the entire company being initially in scope and going through a series of exercises to validate excluding systems and processes. This process of out-of-scope-validation helps define a defensible scope.
A critical gotcha for many organizations is the “connected to” rule which can drag entire companies into PCI scope. Consider a company with a single unsegmented infrastructure. Let’s say there are 1000 computers, phones, and devices on that big flat network. Let’s also say there are 20 devices that are directly involved with payment card data. Management may have an expectation that the scope is close to those 20 devices. Under PCI’s scoping rules, all 1000 devices are subject to PCI DSS. That’s a 98% indirect and only a 2% direct obligation. Furthermore, with upwards of 250 individual reporting instructions in a PCI onsite audit which includes a large percentage that needs to be measured over the entire inventory of technology and processes, the effort to prepare, operate, sustain, and validate such an environment rapidly escalates. That’s a huge compliance footprint!
It should be clear that looking at an annual audit that needs to cover nearly 250,000 points instead of 5,000 is totally unsustainable. Now in reality there are common techniques applied to reduce this. Compliance monitoring solutions make it easier to measure the compliance of large footprints as they can gather vast arrays of data and provide useful dashboards as well as other benefits. Auditing techniques like sampling can also reduce the number of data points. However, these only go so far and at the end of the day, the footprint is still huge. Any organization looking for more gain needs to attack their compliance footprint through a mix of business process redesign and technology changes.
Here are some ways to reduce your compliance footprint.
The above techniques can help organizations reduce their compliance footprint, save money, and reduce risk.
PCI Scope FAQs:
PCI Encryption and Scope FAQs:
PCI Applicable Requirement FAQs:
See the FAQ Search page for more like these.
Original Publication: 2016-11-26
Updated PCI FAQ & Learn More links: 2023-06-16