In Depth

Lightening the PCI Load: Solutions to Reduce PCI Scope

Expert guidance on saving time and money by carefully scoping PCI validation efforts

By David Mundhenk and Ben Rothke

Page 6

Gartner notes that brick-and-mortar merchants that outsource electronic data storage must still encrypt or otherwise protect cardholder data in transit from POS terminals to the outsourced service provider, which can be difficult to achieve with legacy and proprietary equipment. It also recommends that, where possible, merchants outsource electronic data storage to PCI-compliant service providers that handle payment processing and record keeping for them. Outsourcing shifts the work but not the accountability: the merchant remains responsible for confirming that the provider is itself validated and for managing that relationship under Requirement 12.8.

Another good example of scope reduction is a retail business with many locations, each containing several POS systems. At the end of the business day, each store sends the aggregated results of that day's transactions (including card data) to a server at corporate HQ over dedicated private network connections. PCI DSS requires firewalls (Requirement 1) and intrusion detection (Requirement 11) to protect cardholder data wherever it is stored, processed or transmitted.

While the business has deployed stateful firewalls at each retail location, deploying IDS at every store may be cost prohibitive. An effective, lower-cost approach is to use VLAN and routing configurations, with access controls, that prevent any store from communicating with another store. In effect, every data flow originates at a retail location and terminates at the corporate PCI-compliant data center, and nowhere else.

Firewall-based segmentation and IDS are then implemented at that single aggregation point where the store connections enter the corporate network. PCI event-logging requirements (Requirement 10) still apply to every PCI system at both the corporate and retail locations, but the cost of the required intrusion detection capability is significantly lower. The design holds only as long as the store-to-store restriction is actually enforced: the router and firewall rule sets that implement it fall under the periodic rule-set review PCI DSS already requires, and the assessor will expect evidence that traffic between stores is in fact blocked rather than merely undocumented.
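The following is an added example, not code from the article or its authors, showing how the store-to-data-center restriction above can be checked mechanically before an assessor asks for it. The store subnets, data-center segments, collector address and upload port are all assumed; the rule list models the access list on the WAN aggregation router, evaluated first-match with an implicit deny. A tight rule set (one narrow permit per store) is checked alongside a loose one that contains the kind of broad "temporary" permit that quietly collapses the segmentation.

```python
"""Segmentation check for a store-to-data-center design.

Constructed example: every address, port and rule below is invented for
illustration. The rule list stands in for the ACL on the WAN aggregation
router and is evaluated first-match with an implicit deny at the end.
"""
from ipaddress import ip_address, ip_network
from itertools import permutations

# Assumed addressing (hypothetical): one /24 per store, a PCI segment in the
# data center hosting the end-of-day batch collector, and a non-PCI segment.
STORES = {
    "store-01": ip_network("10.10.1.0/24"),
    "store-02": ip_network("10.10.2.0/24"),
    "store-03": ip_network("10.10.3.0/24"),
}
DC_PCI = ip_network("10.200.1.0/24")
DC_CORP = ip_network("10.200.50.0/24")
BATCH_COLLECTOR = ip_address("10.200.1.10")
BATCH_PORT = 443  # assumed: the upload runs over TLS


def evaluate(rules, src, dst, proto, dport):
    """First-match ACL evaluation; no match means the implicit deny fires."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (src in ip_network(rsrc) and dst in ip_network(rdst)
                and rproto in (proto, "any") and rport in (dport, "any")):
            return action
    return "deny"


def segmentation_violations(rules):
    """Return every flow the rule set permits that the design says must be
    blocked, plus any required store-to-collector flow it fails to permit."""
    problems = []
    # 1. No store may reach another store on any port.
    for a, b in permutations(STORES, 2):
        src, dst = str(STORES[a][10]), str(STORES[b][10])
        for proto, port in (("tcp", BATCH_PORT), ("tcp", 445), ("udp", 53)):
            if evaluate(rules, src, dst, proto, port) == "permit":
                problems.append(f"{a} -> {b} {proto}/{port} permitted")
    # 2. No store may reach the non-PCI corporate segment.
    for name, net in STORES.items():
        if evaluate(rules, str(net[10]), str(DC_CORP[10]), "tcp", 445) == "permit":
            problems.append(f"{name} -> DC_CORP permitted")
    # 3. Each store reaches only the batch collector, and only on the batch port.
    for name, net in STORES.items():
        src = str(net[10])
        if evaluate(rules, src, str(BATCH_COLLECTOR), "tcp", BATCH_PORT) != "permit":
            problems.append(f"{name} -> collector tcp/{BATCH_PORT} blocked")
        if evaluate(rules, src, str(BATCH_COLLECTOR), "tcp", 22) == "permit":
            problems.append(f"{name} -> collector tcp/22 permitted")
        if evaluate(rules, src, str(DC_PCI[20]), "tcp", BATCH_PORT) == "permit":
            problems.append(f"{name} -> other PCI host permitted")
    return problems


# Rule set as it should look: one narrow permit per store, explicit deny after.
TIGHT_RULES = [
    ("permit", "10.10.1.0/24", "10.200.1.10/32", "tcp", 443),
    ("permit", "10.10.2.0/24", "10.200.1.10/32", "tcp", 443),
    ("permit", "10.10.3.0/24", "10.200.1.10/32", "tcp", 443),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

# A common mistake: a broad "temporary" permit for the whole store range that
# lets every store reach every other store and the non-PCI corporate segment.
LOOSE_RULES = [
    ("permit", "10.10.0.0/16", "10.0.0.0/8", "any", "any"),
] + TIGHT_RULES

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        found = segmentation_violations(rules)
        print(label, "OK" if not found else f"{len(found)} violation(s)",
              *found, sep="\n  ")
```

The check deliberately probes ports other than the upload port (SMB and DNS between stores, SSH to the collector) because a rule set that only permits the documented flow is easy to write and easy to undo; the probes are what catch the undo. Feeding it the exported production rule set instead of the constructed lists is the obvious next step.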

Conclusions

At its heart, PCI is Information Security 101. Within that framework, the objective is to reduce the overall risk to business assets and to protect the privacy of employees and customers. This article has tried to add some clarity to an often contentious topic.

Reducing the scope of an organization's PCI environment, especially through appropriate network segmentation, concentrates the required security controls where cardholder data actually flows and reduces the risk to critical business assets, including cardholder information.

Most importantly, where it is possible, reducing the scope of the applicable PCI requirements also reduces the additional resources and expense needed to meet them, without weakening the overall security of critical business assets, including cardholder information.

David Mundhenk, CISSP, PCI-DSS & PA-DSS QSA, QPASP (stratamund@sbcglobal.net) is a Security Consultant with a major professional services firm.

Ben Rothke, CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).
