Few things in business are as hard as gaining a clear and comprehensive understanding of the Payment Card Industry Data Security Standard (PCI DSS).
Merchants, ISOs, and ISVs understand that data security matters in this arena; what they often misunderstand is what such a vital and complex effort actually involves. Success starts with a proactive stance: real-world policies and procedures that go beyond clicking the checkbox on an annual attestation and are baked into every business action. Too often, instead, the topic is treated as an inconvenience, a burden, or an illegitimate fee on a processing statement until it is too late.
Considering the magnitude of this project, where are we to begin?
Defining PCI Scope
Draw a line in the sand!
Defining PCI scope is the foundation on which any comprehensive PCI DSS program is built and maintained.
Here is what you should be thinking:
Break out Visio and capture the entire infrastructure in at least two high-level diagrams: a Network Diagram and a Data Flow Diagram. PCI DSS requires both, and together they are your primary tools for managing scope and the evidence base for the policies and procedures you will write. Document everything! Mark each component as “In Scope” (the cardholder data environment plus the “Connected To” systems that communicate with it or could affect its security) or “Out of Scope,” and map every path cardholder data takes through the infrastructure, from the point of capture through authorization, settlement, and storage or disposal.
At this stage, the two primary techniques for reducing PCI scope will surface: network segmentation and outsourcing to a third-party service provider. Less scope means less cost, complexity, and risk. It does not mean less responsibility. Segmentation only reduces scope if it actually isolates the cardholder data environment, and PCI DSS requires that the segmentation controls be tested (at least annually for merchants, and at least every six months for service providers). Likewise, merchants remain responsible for understanding their PCI scope and for their own Attestation of Compliance even if the entire cardholder data environment is outsourced to a qualified provider.
Every business should have these two diagrams on hand. Some will have little or no “In Scope” footprint because they lean on qualified service providers end to end. Others will have complex infrastructures that combine physical and logical controls to mitigate risk and demonstrate a robust compliance program. In either case, not understanding your scope, or assuming it is someone else’s responsibility, is unacceptable. Build your diagrams and review them at least annually and after any significant change to the environment; reviewing them more often, with a proactive mindset, is better still.
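The scoping rules described above (anything in a segment that carries cardholder data is in the CDE; anything with a direct connection to the CDE is “Connected To” and therefore in scope) can be checked mechanically against the inventory behind your diagrams. The following Python script is an added example, not code from the original post or any PCI SSC tool. The system names, segments, connections and the “declared” scope labels are constructed for illustration; the point is that scope is derived from data flows and connectivity, not from what the diagram happens to say.

```python
"""Derive PCI DSS scope from a constructed inventory and its network paths.

Added example, not from the original post. All names below are hypothetical.
"""

# Constructed inventory: each system component has the network segment it
# sits in and whether it stores, processes or transmits cardholder data (CHD).
SYSTEMS = {
    "pos-terminal": {"segment": "cde", "handles_chd": True},
    "payment-gw": {"segment": "cde", "handles_chd": True},
    "cde-db": {"segment": "cde", "handles_chd": True},
    "cde-monitor": {"segment": "cde", "handles_chd": False},
    "jump-host": {"segment": "mgmt", "handles_chd": False},
    "siem": {"segment": "mgmt", "handles_chd": False},
    "ad-dc": {"segment": "corp", "handles_chd": False},
    "hr-app": {"segment": "corp", "handles_chd": False},
    "wiki": {"segment": "corp", "handles_chd": False},
}

# Constructed permitted network paths: (source, destination, description).
CONNECTIONS = [
    ("pos-terminal", "payment-gw", "tls/443 authorization request"),
    ("payment-gw", "cde-db", "tcp/5432 token vault"),
    ("jump-host", "cde-db", "ssh/22 database administration"),
    ("cde-db", "siem", "syslog/514 log forwarding"),
    ("ad-dc", "jump-host", "ldaps/636 admin authentication"),
    ("hr-app", "ad-dc", "ldaps/636"),
    ("wiki", "hr-app", "https/443"),
]

# What the current diagram claims (constructed), to be checked against reality.
DECLARED = {
    "pos-terminal": "in-scope",
    "payment-gw": "in-scope",
    "cde-db": "in-scope",
    "cde-monitor": "out-of-scope",
    "jump-host": "connected-to",
    "siem": "out-of-scope",
    "ad-dc": "out-of-scope",
    "hr-app": "out-of-scope",
    "wiki": "out-of-scope",
}


def classify(systems, connections):
    """Return {component: category} derived from CHD handling, segment
    membership and direct connectivity, ignoring what anyone declared.

    Rules applied:
      * a component that handles CHD is in the CDE;
      * any other component on the same segment is also in the CDE, because
        nothing separates it from card data;
      * any component with a direct connection to or from the CDE is
        "connected-to" and therefore in scope.
    """
    cde_segments = {a["segment"] for a in systems.values() if a["handles_chd"]}
    scope = {
        name: "in-scope" if attrs["segment"] in cde_segments else "out-of-scope"
        for name, attrs in systems.items()
    }
    for src, dst, _ in connections:
        for near, far in ((src, dst), (dst, src)):
            # Direction does not matter: an inbound admin session and an
            # outbound log feed both put the far end in scope.
            if scope[near] == "in-scope" and scope[far] == "out-of-scope":
                scope[far] = "connected-to"
    return scope


def find_mismatches(declared, derived):
    """Components whose declared category differs from the derived one.
    Returns {component: (declared, derived)}; a component missing from the
    diagram is reported as 'undocumented'."""
    return {
        name: (declared.get(name, "undocumented"), category)
        for name, category in derived.items()
        if declared.get(name) != category
    }


def segmentation_boundary(scope, connections):
    """Connections that cross the CDE boundary. These are the paths a
    segmentation penetration test must confirm are the only ones."""
    return [
        (src, dst, desc)
        for src, dst, desc in connections
        if (scope[src] == "in-scope") != (scope[dst] == "in-scope")
    ]


if __name__ == "__main__":
    derived = classify(SYSTEMS, CONNECTIONS)
    for name, (said, actual) in find_mismatches(DECLARED, derived).items():
        print(f"scope error: {name} declared {said}, derived {actual}")
    for src, dst, desc in segmentation_boundary(derived, CONNECTIONS):
        print(f"boundary path to validate: {src} -> {dst} ({desc})")
```

Run against the constructed data, the check flags two scope errors: the monitoring host in the CDE segment is in the CDE even though it never touches card data, and the SIEM receiving syslog from the CDE database is “Connected To,” not out of scope. It also lists the two boundary crossings (the admin SSH path and the log feed) that a segmentation test must confirm are the only ones. The script models only segment membership and direct connectivity; PCI DSS also brings “security-impacting” components into scope, such as a directory that authenticates CDE administrators, so the corporate domain controller here still needs a human scoping decision rather than a label.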
You are not alone! Reduce scope wherever possible by leveraging qualified service providers. Take control of your data security posture and enhance consumer confidence and safety!
Original Post: See it on LinkedIn
Date Originally Published: September 30, 2021
Date Updated: August 1, 2022