3 Surprising Ways Your Application Can Bring You Under PCI Scope

August 6, 2020

How sure are you that your company’s data security falls outside of PCI scope? Did you know that even if your application never keeps cardholder data in persistent storage, you still might have to meet the PCI Data Security Standard’s stringent requirements?

The problem is that while PCI DSS compliance is more important than ever, it is often cost prohibitive and can take several months to complete. The initial internal audit alone may take much longer than you think, since there are many ways your system can unintentionally come into PCI scope.

Here are three ways your application can bring you into PCI scope without you ever storing a credit card number.

Collecting Cardholder Data in a Website or Mobile Application

If your website or app has inputs for the user to enter credit card information, your client-facing code has access to the data as it is entered. This puts the data at risk from any vulnerabilities in your code or the libraries it depends on. Your client-side code is therefore in PCI scope.


However, it’s not just credit card data that can bring you back into PCI Scope. Unsecured user inputs that request sensitive data for any task, such as identity verification or shipping information, can also be at risk.

The Solution: Filters and Operations

It’s possible to safeguard your users’ data at collection and improve your PCI DSS compliance scope by installing a series of filters and operations.

A filter is a set of rules that describe when and how data should be segmented or operated on as it is collected and transmitted. These predefined rules decide which data should be tokenized and put into a data vault, and which can be stored on your systems.

An operation is a specific action that can alter your data stream. For example, you can choose to redact certain information for cardholder data protection.

When your cardholder data flows through a series of securely designed filters and operations, that data is secured, redacted, and often tokenized. This makes it more difficult for hackers to obtain and provides an extra layer of security.

However, for true PCI DSS scope reduction, you’ll want to incorporate other elements such as aliasing, network segmentation, and outsourcing your data security storage.

Passing Cardholder Data Through Your Network

You may be avoiding storing card numbers by sending them to a tokenization service via its API. However, your network falls under PCI scope if it is responsible for transporting PCI-sensitive data in and out of your systems. You need to bring your network to PCI compliance, and, for Level 1 certification, pay for an auditor’s time to verify your PCI DSS compliance status.

While you may have state-of-the-art firewalls to protect your network, this is unfortunately not enough to reduce your PCI scope. You’ll need to audit your entire network and how its systems communicate if you really want to begin narrowing down your scope.

The Solution: Network Segmentation and Outsourcing

To further reduce your PCI scope, you need to reduce the number of systems that touch your sensitive data. Network segmentation for security and outsourcing certain data collection and storage services are two possibilities.

Let’s start with network segmentation. A typical mistake organizations make is setting a firewall at the edge of their system without considering how networks interact within it. Network segmentation allows you to separate your internal systems that collect, transmit, and store cardholder data or other sensitive information from other systems. This not only improves your cardholder data protection, but may also help you reduce your PCI scope as you limit which systems are in your cardholder data environment.

You can even outsource these systems to data security providers to ensure that your systems don’t touch the data at all. At VGS, we call this the Zero Data approach. The idea is that your systems never need to touch the raw sensitive data at all, thus shifting the liability of PCI DSS compliance to your data security partner.

Displaying Cardholder Data

Are you generating virtual cards or showing sensitive data to your consumers? Just like collecting card data from a user places you in PCI scope, so does displaying it back to them. The scope is wider if you are displaying card data on your internal systems, such as for customer service representatives. Any security hole in your code becomes an attack vector.

This is also true for any bugs or malicious code in third party or open source code you’re using. Furthermore, anyone with access to the system could steal PCI data by taking a screenshot of it, printing it out, or simply writing it down. Your internal network, hardware, software, and personnel management policies are now in PCI scope.

The Solution: Tokenization

Encryption is yesterday’s news - today you need to seriously consider tokenization if you want to reduce your PCI scope. While security protocols like encryption can be useful, they can also be reverse-engineered. Aliasing, a form of tokenization, cannot.

With aliasing, sensitive data is replaced by a random token. This prevents hackers from seeing the original data, whether they try to intercept it during transit or while it’s at rest. However, you can still use the sensitive data as if it were in its raw format.
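
As an added illustration (not VGS code and not part of the original article), the sketch below combines the filters and operations described earlier with aliasing: ordered rules decide which fields are aliased into a vault and which are redacted. The `Vault` class, the rule layout, the field names and the sample payload are assumptions made for the example; in a real deployment the vault would sit with the data security provider, outside your systems.

```python
import re
import secrets

REDACTED = "[REDACTED]"

class Vault:
    """In-memory stand-in for an outsourced vault (hypothetical, for illustration)."""
    def __init__(self):
        self._token_for, self._value_for = {}, {}

    def alias(self, value):
        # The token is random, not derived from the value: there is no key to recover.
        if value not in self._token_for:
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_for[value], self._value_for[token] = token, value
        return self._token_for[value]

    def reveal(self, token):
        return self._value_for[token]

def digits_of(value):
    return re.sub(r"[ -]", "", str(value))

def is_pan(value):
    """True for 13-19 ASCII digits that pass the Luhn checksum."""
    d = digits_of(value)
    if not re.fullmatch(r"[0-9]{13,19}", d):
        return False
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def make_filters(vault):
    """Ordered rules: (field-name pattern, value test, operation). First match wins."""
    number_field = re.compile(r"^(card_?number|pan)$", re.I)
    return [
        (re.compile(r"^(cvv|cvc)$", re.I), lambda v: True, lambda v: REDACTED),
        (number_field, is_pan, lambda v: vault.alias(digits_of(v))),
        (number_field, lambda v: True, lambda v: REDACTED),  # fail closed on bad input
    ]

def apply_filters(payload, filters):
    """Return a copy of a (nested) dict with the matching operation applied per field."""
    out = {}
    for key, value in payload.items():
        if isinstance(value, dict):
            out[key] = apply_filters(value, filters)
            continue
        rule = next((r for r in filters if r[0].search(key) and r[1](value)), None)
        out[key] = rule[2](value) if rule else value
    return out

# Constructed sample input (uses a well-known test card number).
SAMPLE = {"name": "A. Example",
          "card": {"card_number": "4111 1111 1111 1111", "cvv": "123", "exp": "12/30"}}
```

Everything downstream of `apply_filters` sees only the token and the redaction marker; the raw number is reachable only through `Vault.reveal`, which is the single component that stays in scope.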

Combined with outsourcing your systems, tokenization may be able to take you completely out of PCI scope. Not only will you never need to touch the data, but you also won’t need to see it. An outsourced aliasing and storage solution can help you reduce costs and breach risk even though you can still seamlessly use the data.

Take Yourself Out of Scope

PCI DSS compliance can be time-consuming and expensive. The last thing you want is to discover during an audit that you're more in scope than you thought. The good news is, you have several options for reducing your scope. Filters and operations, network segmentation, tokenization, and outsourcing are all tools that allow you to reduce your compliance footprint while maintaining a high degree of data security.

Are you spending too much time struggling with compliance and not enough on your business? Our team is happy to answer any and all questions you may have about your compliance journey.

Rahul Verma

Solutions Architect at VGS

