How to properly scope a PCI assessment

PCI is both a globally recognized standard and a lightning rod for discussion.

In recent weeks, I’ve engaged in conversations exploring the scope of PCI assessments. On Twitter, the discussion focused on the need to include everything in scope as a means to force companies to improve security. Contrast that with a recent column explaining the benefit to speed, price, and quality of properly scoping your PCI assessment (read it here).

Based on those discussions of scope, I turned to three experts I rely on to offer their insights on scoping in PCI, and how to do it right: Jeff Man, Security Strategist & Evangelist at Tenable (@MrJeffMan, LinkedIn), Joan Pepin, VP of Security/CISO of Sumo Logic (@CloudCISO_Joan, LinkedIn), and Dr. Branden Williams, CTO, Cyber Security Solutions at First Data (@BrandenWilliams, LinkedIn).

I went to them because, collectively, these three experts have written books, given presentations, and guided others based on their own work and experience in the field. What they share is a primer for security leaders on making the right scope decisions for your environment.

What does it mean to “scope” your PCI assessment?

While the vast majority of companies subject to PCI are only required to self-report on compliance, what happens when you need to hire a Qualified Security Assessor (QSA)?

They need to know what systems to assess. That’s the scope of the assessment.

Jeff Man points out that the purpose of scope in terms of PCI is to define the systems for review by your QSA, or by the person completing the self-assessment paperwork, for the annual review and validation. What some people don’t realize is that the scoping exercise includes two related aspects: determining the cardholder data environment (CDE) and identifying the systems to be reviewed during the PCI assessment.

Branden Williams chimed in, “Take it seriously. Don’t try to fool yourself with half truths around what should be in and what should be out of scope. When in doubt, keep it in.”

This applies whether you hire a QSA or not.

Have you considered the scope for your PCI assessment?

Why you need to scope your PCI assessment

Should you scope your PCI assessment?

“Not only should you - it is your responsibility. The QSAs are not responsible for scoping your environment,” explained Jeff.

More to the point, as Branden asks, “If you don’t scope, how do you know where non-PCI stops and PCI starts?”

The nuance, easy to overlook, is the distinction between scoping your environment and scoping (or de-scoping) for the assessment.

Jeff shared three basic steps to consider before engaging in the scoping process:

1. Understand what type of entity you are and the level. Are you a merchant or a service provider? Do you need to hire a QSA to perform the validation assessment?

2. Identify where cardholder data (CHD) is present in your environment (this is where visual diagrams of information transmitted, processed, and stored help - and such diagrams are required).

3. Once you understand how CHD flows through your network, you can determine if/how to isolate the CHD environment. This is what comes into play during the scoping.

As Joan explained in this article, it takes time and effort to segment your network(s) properly. In her experience, it’s entirely worth it. She adds, “I believe in, and vigorously maintain, a very high wall between production and corporate environments, and never the twain shall meet. This is critical in keeping our CHD safe. To keep something safe, you must know where it is, how much of it there is, who has access to it, and how it works.”
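As an added illustration of steps 2 and 3 above and of Joan’s point about a hard boundary between production and corporate, the script below takes a documented data-flow inventory and works out which systems form the CDE, which are merely connected to it, and which segmentation has kept out of scope. This is not code from the article or its experts; the inventory, system names and the simplified scoping rules are constructed assumptions.

```python
"""Classify systems from a documented CHD data-flow inventory into PCI scope
categories. Added illustration; the inventory, names and rules below are
constructed assumptions, not the article's or any standard's official method."""

# Constructed inventory: source -> list of (destination, carries_chd).
# carries_chd is True (CHD), False (no CHD) or None (flow not yet documented).
# A flow only appears here if the network actually allows it; a missing edge
# means the segmentation controls (firewall rules, separate zones) block it.
FLOWS = {
    "pos-terminal": [("payment-gw", True)],
    "payment-gw":   [("settlement-db", True), ("fraud-tool", True)],
    "fraud-tool":   [("reporting", False)],    # post-settlement work, a 'usual suspect'
    "jump-host":    [("payment-gw", False)],   # admin access into the CDE
    "unknown-feed": [("settlement-db", None)], # nobody has documented what this carries
    "corp-mail":    [("hr-portal", False)],    # corporate side, no path to the CDE
}

def _edges(flows):
    """Yield (src, dst, carries_chd) for every documented flow."""
    for src, dests in flows.items():
        for dst, chd in dests:
            yield src, dst, chd

def classify_scope(flows):
    """Return {system: 'CDE' | 'connected-to' | 'out-of-scope'}.

    Step 2: a system that sends or receives CHD is part of the CDE. An
    undocumented flow (None) is treated as CHD: 'when in doubt, keep it in'.
    Step 3: a system with any remaining flow to or from the CDE is
    connected-to and still in scope; only systems with no path at all are out.
    Simplification (assumption): only direct neighbours are checked, not
    security-impacting systems such as directory or logging servers.
    """
    systems = set(flows)
    for src, dst, _ in _edges(flows):
        systems.update((src, dst))
    cde = {s for a, b, chd in _edges(flows) if chd is not False for s in (a, b)}
    connected = {s for a, b, chd in _edges(flows)
                 if chd is False and (a in cde or b in cde) for s in (a, b)} - cde
    return {s: "CDE" if s in cde else "connected-to" if s in connected
            else "out-of-scope" for s in sorted(systems)}

def assessment_scope(flows):
    """Systems the QSA or self-assessment must review: everything not out of scope."""
    return sorted(s for s, cat in classify_scope(flows).items() if cat != "out-of-scope")

if __name__ == "__main__":
    for system, category in classify_scope(FLOWS).items():
        print(f"{system:14} {category}")
```

Removing the jump-host flow or documenting the unknown feed as non-CHD changes the result, which is the point: the assessment scope falls out of the environment scope rather than being negotiated separately.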

After answering these questions, consider your approach to scoping your environment.

How to approach scoping your environment

Joan leads off, explaining “it’s really important that you know your business, know your environment, and have a very clear understanding of your boundaries and data flow.”

Reiterating the previous three points, Jeff points out, “Don’t assume your employees ‘would never do that’; actually answer the question of who could gain access to the data if they wanted to or tried to or simply stumbled upon it.”

Jeff explains the real benefit of scoping, “reducing the footprint, controlling the flows of data, etc. to something more manageable.” It’s not an exercise in reducing the assessment. Instead, it’s a way to think about and design your environment to process, transmit, and store CHD (or other information of value).

In the process, consider the risks and benefits of working with third parties. The caveat is ensuring they are adequately protecting CHD while providing the service you expect. The right third party enhances your efforts and eases your compliance.

Getting the right scope with your environment eases the process of scoping your assessment.

What if you don’t properly scope your assessment?

Jeff chimed in, “As assessors and security professionals I’m afraid we are becoming co-dependents for so many companies that are more busy/interested in trying to find short cuts around sound security practices rather than simply engaging in said practices.”

What happens when you work to scope the assessment based on budget, timeframe, or both?

As Branden put it, “Bad things happen down the road. A poorly scoped assessment rarely bites you in the moment, but it will manifest itself in glorious fashion down the road.”

Jeff agreed. Then he asked, “If so many security professionals think the PCI DSS is, at best, the bare minimum security best practices one should be implementing in their environment, then why do so many companies struggle with meeting the requirements and, more importantly, sustaining their compliant state over the twelve months between assessment periods?

Because too many companies expend too much effort on de-scoping rather than practicing basic security best practices over their entire enterprise.”

That means investing the time to properly scope your environment instead of scrambling to de-scope the assessment. Focus on where and how the CHD is processed, transmitted, and stored. If you get that scoped properly, the assessment is scoped naturally.

What if you leave too much in scope?

Some companies take an approach to classification where everything is classified as “private” or the like. The natural result is that when everything is private, little actually is. It’s confusing and costly.

How does that work for scoping your assessment?

This is where our experts have some different opinions.

Jeff said, “I think most, if not all, companies would benefit greatly from simply applying the PCI DSS to their entire environment in the first place and stop worrying about ‘limiting scope’ and trying to save a buck in the near term. The risk they are taking is the compromise or breach that is too often happening.”

Joan acknowledged the point, but questioned, “Do we really need to follow the same change control process for our corporate email server as we follow with our production CDE?” She pointed out the need to match the controls to the task.

Branden explained, “Leaving too much in adds cost to your assessment and maintenance costs. In some cases, it could add security controls to systems that may not normally live under that level of scrutiny. In rare cases, it could actually weaken your defense position as PCI is only a baseline that is well below the capabilities of hackers today.”

Working with your QSA

You scoped. Now what?

Everyone agreed that selecting the right QSA means the start of a partnership. As Joan pointed out in this article, choose wisely. Make sure the QSA understands your environment and is someone you trust working with.

Branden explained that “Good QSAs do not typically draw lines in the sand where you are either in or out. They tend to look closely at risks and provide many potential solutions to compliance problems.”

Kick off with an overview and discussion about scope and responsibilities. As Jeff points out, “I would expect a QSA to push back on the claims of segmentation of the cardholder data environment. They should ask probing questions about ‘the usual suspects’ of alternative data flows (beyond authorization and settlement) such as post-settlement activities (chargebacks, disputes, fraud) or customer loyalty programs, or other common efforts.”

While you likely signed an agreement that stipulates the QSA is not responsible for the accuracy of your scope, they ask because they care.

A good scope, good selection, and good working relationship is an opportunity to draw on their experience to get it right, advocate for necessary changes, and improve the security (and compliance) of your systems.

Getting the right scope, benefiting from PCI

Jeff noted, “The PCI DSS was originally drafted to be a measure of a company’s information security program not as simply the security measures taken to only a subset of systems within the enterprise.”

Embrace the approach of focusing on the security of your environment first and compliance second. Done right, you get the benefit of satisfying multiple compliance standards at the same time (yes, sometimes it takes some work).

Invest the time to understand and scope your environment. Instead of viewing PCI as an event, something to be dealt with as quickly and cheaply as possible, look for the opportunities to include security in the process -- earlier. Bake security in.

In the process, it improves your security posture by incorporating it into the routine. And that means when it comes time for the PCI assessment, you’re likely to experience a better assessment with stronger overall results.

Copyright © 2015 IDG Communications, Inc.
