In Depth

Lightening the PCI Load: Solutions to Reduce PCI Scope

Expert guidance on saving time and money by carefully scoping PCI validation efforts

By David Mundhenk and Ben Rothke

Page 5

So it is technically feasible to consider re-architecting a given business, organizational structure, and IT environment to reduce the scope, impact, and overhead of PCI compliance requirements. Doing this does not conflict with the spirit and principles of the PCI DSS and in fact should be emphatically encouraged. Let's now review this further.

In scope vs. Out of scope

So what does it mean to be in or out of scope with respect to PCI compliance? This concept is perhaps one of the most confusing in PCI to some, and only marginally understood by many others. It is often stated that simply not storing or processing cardholder data on a given system will render it out of scope for PCI compliance. The authors have heard this assertion time and time again, even from people who should know better.

Consider this question: if a system is involved in the processing and transmission of cardholder information, but simply stores the transaction information in RAM temporarily until the authorization process is completed, does this mean that the system is considered to be out of scope for PCI? The answer is absolutely not.

The system should still have been built from a standardized, hardened build. It should still have anti-virus and anti-malware protection implemented, with logging, if it is vulnerable to such threats; should have its user and group accounts managed properly; should provide authentication with proper protections and mechanisms, including robust passwords; should log all administrative system access; and should ensure that any cardholder information is purged from log files, trace files, history files, application files, and so on.

These are all requirements for systems processing cardholder information, regardless of whether cardholder information is stored on a hard drive or only temporarily within RAM. Not storing cardholder data on a hard drive reduces the overall scope for PCI compliance but does not exempt systems from being compliant with the other relevant PCI requirements. This may sound intuitively obvious to the reader; however, this particular misconception surfaces often.

Principles of reducing scope

The quickest and easiest way companies can limit the scope of their PCI requirements is to segment their networks so that cardholder data and the systems that process it are isolated. Another method is to outsource cardholder data processing and storage, as described in Gartner's Limiting the Scope of Payment Card Industry Audits and Liability.

In general, some of the core principles of reducing the scope of PCI compliance are as follows:

  • Outsourcing Data Storage—While it is great to do it yourself, companies should consider, where possible, outsourcing their PCI transaction processing to PCI-compliant service providers that can securely manage their payment processing and record-keeping needs. Keep in mind that outsourcing payment processing and data storage does not absolve an entity from the responsibility to process payments on behalf of the business in a PCI-compliant fashion. The merchant or business still owns and is responsible for meeting this requirement, irrespective of whether or not these processes are outsourced.
  • Segmentation—Network segmentation is perhaps the best way to limit scope. The challenge with this approach is that until recently the PCI SSC had not provided a clear and concise definition of network segmentation. The PCI SSC has provided enhanced clarification in PCI Requirements and Security Assessment Procedures version 1.2, but ultimately defers to the QSA to render judgment on such distinctions. Different PCI QSAs interpret this differently, adding to the challenge of PCI compliance. At a minimum, segregation should entail logical separation between networks via router and switch ACLs, as well as the separation provided by a stateful firewall. The optimal solution is to provide physical separation between networks.
  • Economies of scale—For many companies, credit card payments are a small part of their overall operations. If they can minimize where card data is stored, they can measurably decrease the risk of a breach. This in turn helps to reduce their PCI scope. Another example of this concept is to build all servers and other systems from hardened operating system images. This helps to reduce subtle variations across platforms and can shorten recovery times for systems that need to be re-configured. Doing so also reduces maintenance costs, potential system downtime and the overall complexity of managing a heterogeneous environment.
  • Securing the isolation—Deep inspection firewalls, user access management and content monitoring and filtering should be deployed to isolate systems that store or process card data. We also recommend vulnerability scans and penetration tests after every significant change to the environment.
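Because QSAs differ on what counts as adequate segmentation, it helps to be able to state the scoping question mechanically: any segment from which a connection can be opened into the cardholder data environment (CDE) is connected to it and therefore in scope. The following is an added example, not code from the article or from any vendor, that models a router or firewall ACL with first-match semantics and an implicit deny, then enumerates every host in each non-CDE segment to find which segments can still reach a CDE host on the ports of interest. It puts a loosely written ACL (the whole corporate LAN permitted to the CDE on 443) beside a tightened one that permits only a single administrative host. All segment names, addresses, hosts and ports are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


class Rule:
    """One ACL entry: permit or deny traffic from src network to dst network on a port.

    dport=None matches any destination port. Rules are evaluated in order and
    the first matching rule wins, as on most routers and firewalls.
    """

    def __init__(self, action: str, src: str, dst: str, dport: Optional[int] = None):
        assert action in ("permit", "deny")
        self.action = action
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.dport = dport

    def matches(self, src_ip, dst_ip, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match ACL evaluation with an implicit deny at the end of the list."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return "deny"


def segments_reaching_cde(rules: List[Rule], segments: Dict[str, str],
                          cde_hosts: List[str], ports: List[int]) -> List[str]:
    """Return the names of non-CDE segments that can open a connection into the CDE.

    Every host in each segment is tried (the segments here are small enough to
    enumerate), so a permit written for a single host is not missed the way a
    one-representative-host check would miss it.
    """
    reaching = []
    for name, net in segments.items():
        for host in ip_network(net).hosts():
            if any(decide(rules, str(host), cde, port) == "permit"
                   for cde in cde_hosts for port in ports):
                reaching.append(name)
                break
    return reaching


# Constructed environment: three non-CDE segments and a /24 holding the CDE.
SEGMENTS = {"corporate": "10.10.0.0/24", "guest-wifi": "10.20.0.0/24", "jump": "10.30.0.0/24"}
CDE_NET = "10.100.0.0/24"
CDE_HOSTS = ["10.100.0.10", "10.100.0.11"]
PORTS = [22, 443, 1433, 3389]

# Loosely written ACL: the entire corporate LAN may reach the CDE on 443.
WEAK_ACL = [
    Rule("permit", "10.10.0.0/24", CDE_NET, 443),
    Rule("permit", "10.30.0.0/24", CDE_NET, 22),
    Rule("deny", "0.0.0.0/0", CDE_NET),
]

# Tightened ACL: only one administrative host, on SSH, may reach the CDE.
HARDENED_ACL = [
    Rule("permit", "10.30.0.5/32", CDE_NET, 22),
    Rule("deny", "0.0.0.0/0", CDE_NET),
]

if __name__ == "__main__":
    print("weak ACL, segments in scope:", segments_reaching_cde(WEAK_ACL, SEGMENTS, CDE_HOSTS, PORTS))
    print("hardened ACL, segments in scope:", segments_reaching_cde(HARDENED_ACL, SEGMENTS, CDE_HOSTS, PORTS))
```

With the weak ACL both the corporate LAN and the jump segment are connected to the CDE and would be pulled into scope; with the hardened ACL only the jump segment remains, and it can be shrunk further to a single hardened administrative host. The model only covers stateless, inbound-to-CDE rules; a stateful firewall adds return-traffic handling, and outbound rules from the CDE need the same treatment in the other direction.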
