Use segmentation and tokenisation to reduce the PCI DSS compliance burden

When Appletree Communications Ltd wanted to achieve Level 1 PCI service provider compliance status, the company’s main challenge was achieving it cost-effectively.

The best option for Appletree was to work with a partner that would provide sound advice and careful guidance, enabling the company to carry out a large portion of the implementation itself. In that way, Appletree would be able to maintain control over the PCI project while optimising costs and working at a pace that suited its business objectives.

Challenging PCI compliance requirements

The burden of PCI DSS compliance can be vast. With a fairly small team, Appletree had limited resources to fulfil the requirements of the complex PCI Data Security Standard.

Companies usually seek ways to simplify and reduce the scope of the Payment Card Industry’s compliance requirements by shrinking the footprint where cardholder data is located. By reducing the scope, companies can dramatically lower the cost and anxiety of PCI DSS compliance and improve their chances of audit success.

Damien Everard, COO of Appletree, explains that the PCI compliance exercise helped them to harness open-source technologies to ensure that they met and even exceeded the PCI DSS’s requirements, in areas such as encryption and network transmission security.

By segmenting the cardholder data environment, Appletree was able to ensure that the necessary systems and networks were taken into consideration.

Segregation of the network

“The compliance exercise also required us to rebuild our entire network in order to create a completely segregated network specifically for our cardholder data,” says Damien.

Eliminating payment data from your network is the best way to ensure that sensitive payment information is safe.

Tokenisation an added benefit

Appletree also decided to use tokenisation, which substantially increases security while reducing compliance costs by considerably diminishing the PCI compliance scope.

Tokenisation is the process of substituting sensitive data with a non-sensitive equivalent (a token) that has no meaning or value. With tokenisation, the sensitive PAN (primary account number) is replaced by non-sensitive tokens. Tokens can be used by any file, application, database or backup medium, minimising the risk of exposing the actual sensitive data. The token is in no way related to the data value, and there is no way in which the data value can be retrieved from the token.
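To make the scope-reduction point concrete, here is an added illustration of a minimal tokenisation vault (example code written for this page, not Appletree's or IT Governance's implementation). Tokens are generated at random, so a token stored in a file, database or backup carries no information about the PAN; only the vault, which stays inside PCI DSS scope, can map a token back. The test PAN and the "tokens must fail the Luhn check" convention are constructed assumptions.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Basic shape check before tokenising: 13-19 digits with a valid check digit."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """In-memory vault: the only component that ever holds the real PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:      # stable: one PAN always yields the same token
            return self._token_by_pan[pan]
        while True:
            # Same length as the PAN so existing fields accept it, but every digit is random.
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
            # Reject collisions and (a constructed convention) any token that happens to
            # pass Luhn, so a token can never be mistaken for a live card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenise("4111111111111111")   # constructed test PAN, not a real card
    print(tok, vault.detokenise(tok))
```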

IT Governance’s QSA team helped Appletree Communications achieve Level 1 Service Provider PCI DSS compliance status at a budget and within a timeframe that worked for them. Read the full case study here.

To find out more about IT Governance’s full range of PCI compliance and QSA services, visit our website.
