If your company stores, processes, or transmits cardholder data, you need PCI DSS compliance. According to the Verizon 2020 Payment Security Report, within the financial and insurance industries, 30% of breaches were caused by web application attacks, primarily driven by external threat actors using stolen credentials to obtain access to sensitive data stored in the cloud.
PCI DSS compliance can be an expensive proposition for financial institutions and transaction processors that cannot get rid of cardholder data (CHD). However, ordinary merchants can reduce the scope with foresight, thus lowering the complexity and cost of compliance.
PCI is designed to protect cardholder data and can serve as the baseline for a more comprehensive cyber-risk management program.
PCI DSS Compliance – Cost Reduction
PCI DSS is a data security standard covering the people, processes, and technologies that store, process, or transmit cardholder data. That means everything: computers, data centers, databases, PIN pads; the list goes on.
Worse, everything connected to the same network that processes, stores, or transmits CHD is in scope, and so is any security control you use to protect the card data or to maintain PCI DSS compliance.
If you are not careful, the scope can grow exponentially, and you are dealing with PCI DSS compliance across your whole organization. Then, for everything that got sucked into scope, you have the hundreds of controls in the PCI DSS standard that you need to enforce on all those devices, buildings, and people.
Cost increases relative to scope. There is an easier way – scope reduction.
Five Ways to Reduce the Scope of PCI DSS Compliance
One - Network Segmentation
Network segmentation is the key method of minimizing PCI scope. Proper segmentation enhances security by separating the network so that there are cardholder data environment (CDE) zones, shared services zones, and out-of-scope zones.
Network segmentation is more than just implementing virtual LANs (VLANs). Those VLANs must include rules or access control lists (ACLs) that restrict access and traffic so that out-of-scope zones have no access to PCI zones. Only shared services zones can communicate with CDEs and out-of-scope zones.
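A small policy checker for the three-zone model just described, added here as an example (it is not code from the article). Zone names, the rule format and the sample rule set are assumptions constructed for illustration; it flags any allow rule that lets the out-of-scope zone and the CDE talk directly, which is exactly the rule that drags the whole out-of-scope zone back into PCI scope.

```python
# Added example (not from the article): check a candidate firewall/ACL
# rule set against the three-zone segmentation policy.  Zone names, the Rule
# format and the sample rules are assumptions constructed for illustration.
from dataclasses import dataclass

CDE, SHARED, OUT_OF_SCOPE = "cde", "shared-services", "out-of-scope"

# Flows the policy permits (source zone, destination zone).  Shared services
# may talk to both other zones; CDE and out-of-scope must never talk directly.
ALLOWED_FLOWS = {
    (SHARED, CDE), (CDE, SHARED),
    (SHARED, OUT_OF_SCOPE), (OUT_OF_SCOPE, SHARED),
    (CDE, CDE), (SHARED, SHARED), (OUT_OF_SCOPE, OUT_OF_SCOPE),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: str    # a TCP/UDP port number as text, or "any"
    action: str      # "allow" or "deny"

def check_segmentation(rules):
    """Return (rule, reason) pairs for allow rules that break the policy.

    Two findings are reported: an allow between zones the policy forbids
    (this puts the whole source zone in PCI scope), and an allow into the
    CDE on port "any" from the shared zone (too broad to be defensible)."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue          # deny rules never widen scope
        flow = (rule.src_zone, rule.dst_zone)
        if flow not in ALLOWED_FLOWS:
            findings.append((rule, f"forbidden flow {flow[0]} -> {flow[1]}"))
        elif rule.dst_zone == CDE and rule.dst_port == "any":
            findings.append((rule, "unrestricted port into the CDE"))
    return findings

# Constructed sample rule set: one legitimate rule, two scoping violations,
# one overly broad rule and one correct deny.
SAMPLE_RULES = [
    Rule(SHARED, CDE, "443", "allow"),         # ok: shared services -> CDE
    Rule(OUT_OF_SCOPE, CDE, "3306", "allow"),  # drags out-of-scope into scope
    Rule(CDE, OUT_OF_SCOPE, "any", "allow"),   # CDE must not reach out-of-scope
    Rule(SHARED, CDE, "any", "allow"),         # allowed zones, but too broad
    Rule(OUT_OF_SCOPE, CDE, "any", "deny"),    # the rule you actually want
]

if __name__ == "__main__":
    for rule, reason in check_segmentation(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```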
The PCI Security Standards Council has an excellent information supplement on their Website that delves into all of the details of network segmentation. Anyone interested in the topic should read it.
Reference – PCI Security Standards Council - Guidance for PCI DSS Scoping and Network Segmentation
Two - Tokenization
Few organizations have a valid business reason to store an encrypted primary account number (PAN). In particular, there is no good business reason that any merchant should be holding encrypted PAN anymore.
Tokenization is when a token replaces the primary account number (PAN). The security of an individual token relies on the infeasibility of determining the original PAN, knowing only the token value.
Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, thus reducing the merchant's effort to implement PCI DSS requirements.
- Tokenization solutions do not eliminate the need to maintain PCI DSS compliance but simplify efforts by reducing scope. Tokens are not considered cardholder data.
- Tokenization solutions vary greatly. Companies should perform a thorough risk analysis on the implementation when considering tokenization.
The key for clients wishing to reduce their PCI DSS scope is not storing, processing, or transmitting cardholder data unless required for business, legal, or regulatory purposes. If you don't need it, don't store it! If you don't keep the data, attackers can't steal it.
Because tokenization reduces your environment's sensitive data, achieving PCI DSS compliance is more manageable.
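A minimal tokenization vault, added as an example (not code from the article or from any vendor's product), to show why a token is not cardholder data: it is generated from a CSPRNG rather than derived from the PAN, so the token alone gives no way back, and only the vault, which stays inside the CDE, can map it. The card number used is the standard, non-live test number; the length rules and the "must fail Luhn" choice are design assumptions for this example.

```python
# Added example (not from the article or any vendor product): a minimal
# tokenization vault.  The token is random, so holding the token alone
# gives no way back to the PAN; detokenization needs the vault itself.
import secrets

def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Holds the only PAN<->token mapping; this component lives in the CDE."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits (not CHD on their own, useful on
            # receipts); everything else is fresh randomness from the CSPRNG.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject tokens that would pass Luhn so a
            # token can never be mistaken for a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; every other system sees tokens."""
        return self._pan_by_token[token]

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: the well-known Visa test number, not a live card.
    print(vault.tokenize("4111 1111 1111 1111"))
```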
Reference - PCI Security Standards Council - PCI DSS Tokenization Guidelines
Three – Point-to-Point Encryption (P2PE) or End-to-End Encryption (E2EE)
Point-to-point encryption (P2PE) or end-to-end encryption (E2EE) solutions reduce cost by taking networks and systems out of scope, which shrinks the PCI DSS compliance effort. If you encrypt the data at approved devices and tunnel it directly to the payment processor, attackers can't touch it!
The critical difference between P2PE and E2EE solutions is the speed at which scope reduction is granted. P2PE solutions are immediately given scope reduction without approval from an acquiring bank. An E2EE solution such as VeriShield from Verifone or TransArmor from First Data requires the merchant to certify to their acquiring bank that the E2EE solution is correctly implemented. Since the acquiring banks provide 95% of E2EE solutions, obtaining scope reduction usually just means asking your acquiring bank for it.
Four - Use services and equipment that are already PCI compliant
For example, use a payment processor to host the card data collection for you. If you outsource card data handling correctly, your PCI DSS burden is reduced to managing the risks associated with using that vendor. Attackers can't steal it from you if you never even had it!
However, be aware that outsourcing to third parties does not remove your organization's PCI compliance requirements; it merely reduces them.
Five - Outsource compliance to the experts
Whether you're looking for help achieving PCI DSS compliance or need verification by a Qualified Security Assessor (QSA), Truvantis can help. The solutions you choose and the vendor you partner with can leverage compliance into an opportunity to achieve your goals.
We will work with you to find products and technologies that fit your specific organization and goals while ensuring you fulfill your compliance requirements along the way. That's the advantage of working with a vendor that profoundly understands the PCI DSS requirements and can translate them into concepts that are best suited for your specific technology stack.
PCI DSS compliance can be expensive. You can reduce effort and cost by relying on a vendor to deal with it for you. Let them deal with compliance so you can invest in your business. The Truvantis® team comprises PCI DSS experts and Qualified Security Assessors with extensive experience as a trusted partner for compliance and validation.
Outsource your payments, segment your networks, tokenize your data, use P2PE/E2EE solutions – all are great ways to reduce your costs. But the devil is in the details – contact Truvantis to make sure you get it right.