Although it might sound straightforward, scoping a PCI assessment can be a challenge even for experienced organizations. Experts offer their best advice for avoiding PCI missteps.
Any organization that accepts, processes, stores or transmits payment cards must show they’re compliant with the Payment Card Industry Data Security Standard (PCI DSS), and to do that, the organization must undergo an annual PCI assessment.
This assessment, or audit, is meant to confirm that the organization meets the PCI DSS security and control requirements.
Although the standards are prescriptive, how they fit into each organization can vary as the people, processes and technologies used to handle payment card data in each organization are unique.
As a result, each organization must scope its PCI assessment to ensure it’s considering all the pieces of its infrastructure and internal structure that handle or can in any way access payment card data.
“Scoping is understanding all the pieces that need to be assessed; it’s looking at the people, technology and processes that touch the card data,” says Gracie Pereira, a managing director of cybersecurity and privacy at Accenture, with a focus on the financial services industry.
Although it might sound straightforward, scoping a PCI assessment can challenge even experienced organizations, experts say. They note that it’s not uncommon for executives to miss places within their enterprise that connect with payment card data in some way — and thus may inadvertently exclude those places from the assessment and, perhaps more importantly, may exclude them from the needed security standards and controls.
For instance, some organizations may mistakenly think that if their call centers only take but don’t store payment card data that those systems are outside the scope of the assessment. Or they might not consider their voice recordings of payment card transactions as systems that need to be secured according to PCI DSS.
“Some assume just because payment card data flows through that they don’t have to be PCI compliant,” says Andi Baritchi, a director with KPMG’s Cyber Security Services and its PCI lead director, noting that this kind of faulty thinking can cause big problems. “Improper PCI scoping has been a key contributor to a lot of breaches.”
To help avoid such missteps, experts offer the following advice for scoping a PCI assessment:
Start with a self-assessment to determine requirements
Any organization with a merchant number, which is issued by the organization’s payment processor, will need to be PCI compliant.
However, assessment requirements vary based on the annual volume of transactions processed by a merchant (as the organizations handling the payment card data are known in the PCI world).
For example, some organizations need to engage a Qualified Security Assessor (QSA) — an independent security company qualified by the PCI Security Standards Council to validate an organization’s adherence to PCI DSS — while others can use an Internal Security Assessor (ISA) program.
Similarly, organizations will need to determine which PCI Self-Assessment Questionnaire (PCI SAQ) could apply to them based on their own payment card volume and processes.
There are four PCI compliance levels: Level 1 applies to merchants that process more than 6 million card transactions a year, level 2 is for those processing 1 to 6 million annually, level 3 is for those handling between 20,000 and 1 million, and level 4 is for those processing fewer than 20,000 transactions annually.
Kathy Ahuja, who as vice president of global compliance and IT for the cloud-based identity and access management
“Then you really need to decide how your policies and procedures align with the PCI standards; you need to align your internal controls to meet the PCI categories of controls,” she says.
Know where card data goes
Experts say they advise CISOs to map their processes so they can confirm how payment card data is being collected, who and which systems have access to it, how its stored and how and where it’s transmitted. CISOs should also ensure that they have their processes properly documented as part of this step.
“You have to understand the flow of the data, because once you understand that, you know where to eliminate risk,” says Candy Alexander, international president of the Information Systems Security Association (ISSA) as well as CISO and executive consultant at NeuEon Inc.
Experts say CISOs should use this part of the scoping exercise to get full visibility into where payment card data resides in their organization; that means confirming that it’s where it should be and seeking to uncover where it resides but shouldn’t.
“Understanding where data is — including places where it shouldn’t be — is a very important part of the scoping exercise,” says Jonathan Care, a research director at Gartner, adding that data discovery tools are critical to helping find that data wherever it might be.
Care says he once conducted a forensic investigation for a British hotel and discovered a decade’s worth of payment card data on the financial director’s computer; the director explained he downloaded it just in case he needed it.
Care notes that payment card data lurking in such unanticipated places “can be the enemy of compliance.”
Limit risks to reduce scope
The PCI Security Standard Council offers guidance on scoping and network segmentation, outlining the differences between “in scope” (systems directly involved with, connected to, or that impact cardholder data security) and “connected-to” (those systems that connect to the cardholder data environment, or CDE) and then those systems that do not have access to the CDE and are thus “out of scope.”
As such, experts say network segmentation (not required but effective when done properly) can help organizations reduce the systems that touch the CDE thereby limiting the scope of the PCI assessment and, more to the point, reducing risk.
Alexander says CISOs should take their cue from this guidance, devising ways that they can reduce risk associated with payment card transactions and the scope of their PCI assessment. In fact, she advises organizations to outsource card processing to vendors who specialize in the work whenever possible. She points to her work with one organization that was able to redirect the entire payment process to a vendor, leaving the company free to just ship its products “which was its business anyway.”