PCI DSS dissected: Reducing your cardholder data environment

A version of this blog was originally published on 26 November 2012.

The requirements of the Payment Card Industry Data Security Standard (PCI DSS) should be considered the starting point of security. The Standard doesn’t cover everything that organisations can do to protect payment card data, but it does cover everything that they should do, such as put in place the appropriate procedures, policies and work practices.

Still, many organisations don’t see the PCI DSS that way: the majority fail their initial assessment or fall out of compliance less than a year after achieving it. Although the most vigilant organisations go above and beyond, it’s clear that the majority need to first focus on the Standard.

This blog provides a closer look at the PCI DSS, with advice to help you comply with its requirements.

Scope your cardholder data environment

You can reduce the stress on your organisation by limiting your cardholder data environment (CDE), i.e. the places where sensitive information is stored. The PCI DSS requires organisations to take specific measures to protect their CDE, so it’s beneficial to make it as small as possible.

To do this, you should minimise processing and transmitting activities to only the essentials. You will be able to identify what’s essential and what’s not by analysing the way data flows through your organisation. This requires up-to-date network documentation and knowledge of the organisation’s processes.

You’ll start where data enters your organisation, e.g. through the Internet and onto the network or via phone lines, the postal system or fax. Following the data’s movement from its entry point, through the organisation and to its resting place, exit point or destruction will help you identify the components involved in processing, storing and transmitting cardholder data.

This analysis should cover both active data flows and the processing and storage of backup media.

Handling cardholder data

The systems involved in cardholder data include not only hardware and software but anything connected to the CDE. This includes employees who handle the data, phone calls, post, fax, infrastructure maintenance and administration of servers. It also covers any third parties (i.e. service providers) that process, store or transmit cardholder data on your behalf. Think, for example, of IT support staff who have administrator rights to firewalls, routers or servers.

Where data isn’t

Your focus should be on where you expect cardholder data to be stored, but you should also take the time to make sure data isn’t hiding in unlikely places. For instance, perhaps a data analyst created a spreadsheet containing sensitive information and left it on their desktop.

To make sure your analysis is thorough, you need to apply data discovery techniques. Each identified location should match the data flow analysis results. Any mismatch shows cardholder data is being held in unidentified locations that aren’t part of the normal data flow.

There’s much more to learn

A data flow analysis is only part of the process. You also need to document your reasons for reducing the scope of the CDE, as auditors will use it for reference.

For more advice on reducing the scope of your CDE, and how you can justify it in your documentation, join us for our free webinar: PCI DSS: Reducing the cardholder data environment.

You’ll learn:

  • Which system components, people and processes need to be included in the scope;
  • How to create an accurate data flow diagram to map the movement of cardholder data;
  • What to include when mapping the IT infrastructure and external connections; and
  • Effective methods for reducing the scope of your CDE.

This webinar takes place on Friday, 1 June 2018 at 3:00 pm (BST). If you can’t make it, the presentation will be available to download from our website, where you can also browse our other PCI DSS webinars.