PCI compliance: 4 steps to properly scope a PCI assessment

Although it might sound straightforward, scoping a PCI assessment can be a challenge even for experienced organizations. Experts offer their best advice for avoiding PCI missteps.


Any organization that accepts, processes, stores or transmits payment cards must show they’re compliant with the Payment Card Industry Data Security Standard (PCI DSS), and to do that, the organization must undergo an annual PCI assessment.

This assessment, or audit, is meant to confirm that the organization meets the PCI DSS security and control requirements.

Although the standards are prescriptive, how they fit into each organization can vary as the people, processes and technologies used to handle payment card data in each organization are unique.

As a result, each organization must scope its PCI assessment to ensure it’s considering all the pieces of its infrastructure and internal structure that handle or can in any way access payment card data.

Gracie Pereira, managing director of cybersecurity and privacy, Accenture

“Scoping is understanding all the pieces that need to be assessed; it’s looking at the people, technology and processes that touch the card data,” says Gracie Pereira, a managing director of cybersecurity and privacy at Accenture, with a focus on the financial services industry.

Although it might sound straightforward, scoping a PCI assessment can challenge even experienced organizations, experts say. They note that it’s not uncommon for executives to miss places within their enterprise that connect with payment card data in some way — and thus may inadvertently exclude those places from the assessment and, perhaps more importantly, may exclude them from the needed security standards and controls.

For instance, some organizations may mistakenly think that if their call centers only take payment card data but don’t store it, those systems are outside the scope of the assessment. Or they might not consider their voice recordings of payment card transactions as systems that need to be secured according to PCI DSS.

“Some assume just because payment card data flows through that they don’t have to be PCI compliant,” says Andi Baritchi, a director with KPMG’s Cyber Security Services and its PCI lead director, noting that this kind of faulty thinking can cause big problems. “Improper PCI scoping has been a key contributor to a lot of breaches.”

To help avoid such missteps, experts offer the following advice for scoping a PCI assessment:

Start with a self-assessment to determine requirements

Any organization with a merchant number, which is issued by the organization’s payment processor, will need to be PCI compliant.

However, assessment requirements vary based on the annual volume of transactions processed by a merchant (as the organizations handling the payment card data are known in the PCI world).

For example, some organizations need to engage a Qualified Security Assessor (QSA) — an independent security company qualified by the PCI Security Standards Council to validate an organization’s adherence to PCI DSS — while others can use an Internal Security Assessor (ISA) program.

Similarly, organizations will need to determine which PCI Self-Assessment Questionnaire (PCI SAQ) could apply to them based on their own payment card volume and processes.

There are four PCI compliance levels: Level 1 applies to merchants that process more than 6 million card transactions a year, Level 2 is for those processing 1 to 6 million annually, Level 3 is for those handling between 20,000 and 1 million, and Level 4 is for those processing fewer than 20,000 transactions annually.

Kathy Ahuja, who as vice president of global compliance and IT for the cloud-based identity and access management provider OneLogin is experienced in PCI assessment and compliance issues, says enterprise executives should begin their PCI scoping process by determining whether they qualify as a merchant or service provider, or both, and then determine the appropriate level based on the number of transactions the organization handles annually.

“Then you really need to decide how your policies and procedures align with the PCI standards; you need to align your internal controls to meet the PCI categories of controls,” she says.

Know where card data goes

Experts say they advise CISOs to map their processes so they can confirm how payment card data is being collected, who and which systems have access to it, how it’s stored, and how and where it’s transmitted. CISOs should also ensure that they have their processes properly documented as part of this step.

“You have to understand the flow of the data, because once you understand that, you know where to eliminate risk,” says Candy Alexander, international president of the Information Systems Security Association (ISSA) as well as CISO and executive consultant at NeuEon Inc.

Experts say CISOs should use this part of the scoping exercise to get full visibility into where payment card data resides in their organization; that means confirming that it’s where it should be and seeking to uncover where it resides but shouldn’t.

Jonathan Care, research director, Gartner

“Understanding where data is — including places where it shouldn’t be — is a very important part of the scoping exercise,” says Jonathan Care, a research director at Gartner, adding that data discovery tools are critical to helping find that data wherever it might be.

Care says he once conducted a forensic investigation for a British hotel and discovered a decade’s worth of payment card data on the financial director’s computer; the director explained he downloaded it just in case he needed it.

Care notes that payment card data lurking in such unanticipated places “can be the enemy of compliance.”

Limit risks to reduce scope

The PCI Security Standards Council offers guidance on scoping and network segmentation. It distinguishes between “in scope” systems (those directly involved with, connected to, or that impact cardholder data security), “connected-to” systems (those that connect to the cardholder data environment, or CDE), and systems that have no access to the CDE and are therefore “out of scope.”

As such, experts say network segmentation (not required, but effective when done properly) can help organizations reduce the number of systems that touch the CDE, thereby limiting the scope of the PCI assessment and, more to the point, reducing risk.

Alexander says CISOs should take their cue from this guidance, devising ways that they can reduce risk associated with payment card transactions and the scope of their PCI assessment. In fact, she advises organizations to outsource card processing to vendors who specialize in the work whenever possible. She points to her work with one organization that was able to redirect the entire payment process to a vendor, leaving the company free to just ship its products “which was its business anyway.”

Andi Baritchi, PCI lead director, KPMG

Baritchi adds: “If you’re a small business, that’s one way you can reduce your PCI footprint.”

But he cautions CISOs against putting too much faith in outsourcing payment card processing and related PCI compliance. Depending on how the payment card data flows and how the transactions are structured, the outsourcing organization may very well still need to be PCI compliant and will have to ensure its vendor is as well. Moreover, he stresses that the organization will “always have a reputational risk if [the vendor] has a breach.”

Build a year-round PCI program

Many organizations generate a laundry list of remediations to take and improvements to implement during their annual PCI assessment. Instead of seeing such work as a once-a-year exercise tied to the certification process, experts recommend CISOs, compliance officers and their organizations build an ongoing program.

“There are many companies out there that look at PCI as a once-a-year thing, and that’s often the only time they look at their PCI posture. But to successfully manage that risk, you have to build a PCI program and understand your scope all year long,” Baritchi says.

He adds: “PCI isn’t about passing the audit once a year; it’s about protecting the customer data all year long. What if you open a new payment challenge two months after the audit and the CISO doesn’t recognize it?”

Baritchi says CISOs should have three different PCI scopes: what they think the scope of processes, people and technology that touch payment card data is; what it actually is once thorough process mapping and data discovery exercises are done; and a future state where security is improved and risks and costs are reduced through stronger ongoing governance.

As such, CISOs should have policies and procedures in place so that, after the annual assessment is done, their organizations don’t inadvertently create or open up any vulnerabilities.

“It’s that ongoing security hygiene of protecting that scope that matters most,” Baritchi says. “PCI governance is key, and that has to be a business-as-usual activity.”

Copyright © 2020 IDG Communications, Inc.
