In Depth
Lightening the PCI Load: Solutions to Reduce PCI Scope
Expert guidance on saving time and money by carefully scoping PCI validation efforts
By David Mundhenk and Ben Rothke
Why is this important? What does it have to do with the overall cost and impact of PCI compliance, or with its potential impact on existing and future projects? Let's take another look at what was written in the authors' earlier article, A Guide to Practical PCI Compliance.
"Some merchants have constructed their POS applications and associated infrastructure with an aggressive eye toward reducing costs at every turn. Often, this infrastructure has evolved and co-mingled with non-PCI systems that may have been designed with little or no thought given to protecting sensitive information. If there is little or no separation between the PCI and non-PCI systems then the DSS requirements will apply to all of the systems within this environment."
Many clients are bewildered to find out that their payment-processing environment contains both PCI and non-PCI systems. Worse, there are often very few, if any, of the required security controls in place. The consequence is that all of the PCI DSS requirements, and quite possibly all of the PCI Report on Compliance (RoC) audit criteria, may apply to the entire network and IT environment. That means firewalls, IDS, authentication mechanisms, system hardening, logging, monitoring, auditing and alerting would have to be implemented for the total environment, not just the payment systems.
In truth, from a purely security standpoint that would be a great outcome: what's good for a PCI network is good for a non-PCI network. But the scenario above means that PCI applies to everything in the environment, and the lack of segregation between the two classes of systems also increases the time and cost of the PCI assessment itself, since every system must be examined against the DSS.
The issue is that in an environment with inadequate separation and protection between PCI and non-PCI systems, the PCI requirements apply to all systems, personnel and processes in that environment. Addressing the PCI requirements for every system, including those that have nothing to do with cardholder data, would be extremely cost-prohibitive and could bankrupt an organization. So what is the next step? How can this be properly remediated? Once again, from A Guide to Practical PCI Compliance:
"Reducing the scope of a PCI assessment is often advocated when the recommended changes to the environment have become cost prohibitive or will adversely impact the business or organizational mission. In such instances, it's reasonable to consider moving the PCI systems into their own dedicated environment and limiting their interaction with non-PCI technology. This helps reduce the number of critical systems to be reshaped into compliance and will enhance security by placing them in a controlled and monitored environment."
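The scoping effect described above can be made concrete with a small model. The following script is an added example, not code from the authors or from the PCI SSC: it treats PCI scope as a propagation problem over an asset inventory, starting from the systems that store, process or transmit cardholder data and spreading across every network path that no segmentation control cuts. All asset names, links and the firewall boundary are constructed for illustration. Running it against a hypothetical flat store-plus-corporate network and then against the same network with the store-to-corporate trunk firewalled shows how many systems the segmentation removes from scope. Two caveats a practitioner should keep in mind: PCI DSS also treats the segmentation control itself (the firewall here) as in scope, and a QSA's scoping decision weighs more than raw connectivity, so the count below is a lower bound on the work saved, not an assessment result.

```python
from collections import deque

# Constructed sample asset inventory (hypothetical names). Assets that store,
# process or transmit cardholder data seed the PCI scope; the rest are
# ordinary corporate systems that happen to share the network.
CDE_SEEDS = {"pos-01", "pos-02", "payment-gw"}

# Constructed, undirected network paths with no filtering between the two
# ends (switch-to-switch trunks, open inter-VLAN routing, and so on).
FLAT_NETWORK = [
    ("pos-01", "store-switch"),
    ("pos-02", "store-switch"),
    ("payment-gw", "store-switch"),
    ("store-switch", "corp-core"),
    ("corp-core", "hr-db"),
    ("corp-core", "mail-server"),
    ("corp-core", "build-server"),
    ("corp-core", "guest-wifi"),
]


def in_scope(seeds, links, blocked=()):
    """Return the set of assets in PCI scope.

    Scope starts at the CDE seeds and propagates across every link that is
    not cut by a segmentation control listed in `blocked` (pairs of asset
    names, order irrelevant). With no blocked links, scope reaches every
    asset connected to the CDE, which is the flat-network problem the
    article describes.
    """
    cut = {frozenset(pair) for pair in blocked}
    adjacency = {}
    for a, b in links:
        if frozenset((a, b)) in cut:
            continue  # a firewall or air gap sits on this path
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    scope = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def scope_before_after(seeds, links, blocked):
    """Compare scope with and without the segmentation boundary."""
    return in_scope(seeds, links), in_scope(seeds, links, blocked)


if __name__ == "__main__":
    # Hypothetical remediation: a firewall cuts the store-to-corporate trunk,
    # so the store network becomes a dedicated PCI environment. The firewall
    # itself would remain in scope under the DSS.
    boundary = [("store-switch", "corp-core")]
    flat, segmented = scope_before_after(CDE_SEEDS, FLAT_NETWORK, boundary)
    print(f"flat network: {len(flat)} assets in scope -> {sorted(flat)}")
    print(f"segmented   : {len(segmented)} assets in scope -> {sorted(segmented)}")
    for asset in sorted(flat - segmented):
        print(f"  removed from scope: {asset}")
```

In the constructed inventory the flat network puts all nine assets, including HR, mail, build and guest Wi-Fi systems, in scope; a single enforced boundary between the store switch and the corporate core leaves four. Swapping in a real inventory and the actual firewall rule set turns the same traversal into a quick sanity check of whether a proposed segmentation design really isolates the CDE, which is exactly the question a QSA will ask.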