PCI Scope Reduction: Understanding the Process

June 15, 2018

PCI Compliance, a Modern Approach: Audit Scope Reduction

Companies who stay within PCI scope when handling cardholder data have to deal with high maintenance costs and lengthy compliance certification processes - which is why many businesses seek to reduce their scope.

PCI DSS requirements are meant to ensure that your cardholder data environment (CDE) is secure from rest to transfer. That begs the question - how much of that environment can you safely outsource?
We can start by looking at the specifics of PCI scope.

What is PCI scope?

The PCI Security Standards Council’s Data Security Standard (PCI-DSS) guidelines require that organizations processing and/or storing credit card data comply with a set audit criteria in twelve areas of cardholder data security and privacy.

Since the inception of PCI-DSS, the industry has learned that both achieving and maintaining PCI compliance is expensive, challenging, resource-intensive, time-consuming, and disruptive. Given this, PCI may be a barrier to entry into new markets or revenue streams, depending on the resources and focus of the business.

Most processors will require some form of PCI Attestation and in-depth self-assessments to access payment processing back-ends. Resources expended upon security and compliance initiatives are resources that cannot be applied to bringing a new capability to market. But without adequate information security, companies also cannot build trust with consumers and partners.

Given the data flow of cardholder information and payment card data, data is often collected, stored, transmitted, and used within several different applications across an organization — applications that often have different management goals and PCI security postures.

Many applications extend beyond the traditional data center and into the cloud, across SaaS providers, or to additional processing services.
In practice, an organization can be compliant but still suffer security challenges 2018 data breaches have shown.

PCI compliance by itself is not enough to prevent data breaches. Threats to consumer data have become increasingly sophisticated. In fact, attackers have matured in their motivations and are going after data they can monetize, finding vulnerabilities however they can. This can include payment card data beyond credit card numbers. Information like names, date of birth, and addresses can all be monetized.

Meanwhile, successful payments businesses are increasingly nuanced, leveraging a deep understanding of their consumers, building mutually valuable relationships. This requires being mobile first, cloud first, and data-driven — the digital transformation of all areas of business. As the business grows, more systems and applications are potentially brought into the PCI scope. But the risk landscape increases as well.

Information security should not be this cost-prohibitive or time-consuming for businesses and e-commerce startups. Reducing their PCI scope is one way to lessen costs and impact the security of their consumers’ payment card data and other sensitive information.

Reducing Your PCI Scope

Managed security service providers (MSSP’s) or, more accurately, Compliance as a Service (CaaS) is a relatively new approach to compliance. CaaS leverages platform expertise and economies of scale to cost-effectively reduce an organization’s security risk while also reducing the audit-able footprint of sensitive data with applications and systems.

How does scope reduction work? VGS’s is a platform of data protection capabilities. One of the essential technologies is tokenization.

Tokenization is a technique that replaces all the sensitive data in an application, such as credit card numbers, with tokens. This data protection and audit scope reduction technique is the foremost option recommended by the PCI DSS:

0*gW0vcscAA7lNtYPS

In other words, VGS’ tokenization solution can both store and transmit cardholder data securely without your company needing to touch the data itself. Our ability to store sensitive card data for your business in accordance with the PCI council standards means that VGS also takes on the liabilities of keeping that data. This method reduces your PCI DSS scope and allows you to spend more time and money on your business instead of compliance.

Secure Your Cardholder Data Environment with Tokenization

Organizations who have adopted tokenization on their own have found it increasingly difficult to maintain compliance and are faced with increasing complexity and rising costs resulting from conventional database centered solutions. Others may have a hosted tokenization but would benefit more from the expertise and economy of scale afforded by a managed data protection solution.

Advanced forms of tokenization, such as aliasing, are excellent methods of information security. Companies looking to reduce their compliance footprint while adhering to PCI DSS requirements may benefit from outsourcing the tokenization process or even a program that handles the data store process as well as the transmission.

In addition to tokenization, a quality compliance solution will also provide a secure vault to store your cardholder data. Take the VGS vault. We regularly test our system components and test the limits of our security - including performing penetration testing - in order to ensure our vault follows the highest information security requirements.

Consider CaaS for Your Next Data Protection Initiative

Compliance-as-a-Service is the modern approach to data security and secure data flows. A CaaS/SaaS solution provides you all the benefits of interacting with sensitive and regulated data without the liability of securing it.

This all comes with predictable spend, ranging from pay as you go (PAYG) options to customization options that cover just the surface area of data that you need, no more spend, no less. Allow your business to focus on its core competencies, focus on building nuanced relationships and product, and stop consuming resources on compliance.

gordon-young Gordon Young

Security Specialist

Share

You Might also be interested in...

Workstation Management teaser image

Workstation Management

Gordon Young July 2, 2018

Securing IOT: Stream Level Redaction teaser image

Securing IOT: Stream Level Redaction

Gordon Young May 27, 2018

Threat Modeling for Data Protection | Very Good Security teaser image

Threat Modeling for Data Protection | Very Good Security

Gordon Young May 24, 2018