Home » Data Protection » PCI and Compliance

In Depth

Lightening the PCI Load: Solutions to Reduce PCI Scope

Expert guidance on saving time and money by carefully scoping PCI validation efforts

By David Mundhenk and Ben Rothke

April 06, 2009 — CSO —

In today's turbulent economic environment, every organization is doing its best to limit losses and manage costs. In a similar vein, when it comes to achieving and maintaining PCI compliance, one way to manage costs is to limit or reduce the scope of PCI requirements.

Doing so can help to significantly reduce the overall costs and resources required to successfully negotiate a compliant PCI audit. This article will help show how this can be done.

Getting it done

It happens to many businesses that process credit cards for payments. They get that dreaded, unanticipated letter—be it from their acquiring bank, card brand, other financial institution or payment processor—stating or even mandating that the business become compliant with the PCI Data Security Standard (DSS).

Suddenly, all of those years of ignoring information security quickly comes back to haunt them. For many of these businesses, 60 Minutes is not a news show; rather it's the amount of time they dedicate to information security on a monthly basis.

After these organizations have been served proper notification and given an expected target date for PCI compliance, they hear that compliance clock ticking. (Editor's note: See A Tale of Two PCI Audits.)Unfortunately, they soon realize that they do not have the in-house talent to properly identify and remediate their PCI compliance gaps. There also may be other planned and capitalized IT projects in the works that have stringent timeline requirements. How is it possible to add a major compliance remediation effort to an already filled IT plans and programs dance card?

If a business is processing credit card payments for goods or services, then PCI DSS becomes a mandatory industry requirement. In this instance management can do the right thing by rallying internal staff and pulling relevant management and technical personnel into a special project team to address these new requirements. The team concludes it would be best to hire a PCI Qualified Security Assessor (QSA) from an authorized firm to assess their business and IT environment.

Once the QSA (can be one or more assessors depending on the project scope) arrives on-site, they conduct interviews with key organizational personnel, conduct physical security inspections and personally review a representative sample of PCI system and network configurations. Following the on-site visit, the QSA will produce a report articulating the nature of the measured gaps with respect to the environment and all PCI requirements.

The team will then convene a post engagement meeting to review the results of the gap assessment. Generally this is done as a collective review, with concerns and anxieties shared by all the appropriate stake-holders. Often the client cannot believe there are so many PCI compliance issues to address. Every gap that is listed must be remediated in some fashion. All of those years of ignoring, or short-sheeting Information Security now becomes a major issue, along with the realization that this is going to be an expensive endeavor, likely impacting existing projects and putting a strain on existing staff.