What is PCI scope reduction?
Adhering to the PCI DSS can be a significant challenge for some organisations. Meeting the requirements of the Standard will absorb your organisation’s energy and resources. While scope reduction is not an explicit requirement, all those involved with compliance recommend it as one of the best methods for achieving compliance affordably and effectively.
A PCI DSS scope assessment will help you to correctly identify the extent of your Cardholder Data Environment (CDE), including:
- Where card data sits on your systems (both in terms of hardware and software); and
- All the organisational processes that come into contact with payment card data and when they come into contact with this data.
This will help to determine key areas where payment card data can be removed from your payment and business processes and suggest appropriate solutions to help reduce the number of systems that are in scope. By reducing the scope, you may be able to reduce your PCI assessment and reporting requirements.
Our PCI consultants are ready to offer you practical advice on areas where payment card data can be removed from your payment and business processes, and suggest appropriate solutions to help reduce the number of systems in scope.
Did you know?
When undertaking a PCI DSS assessment, whether it is an audit (ROC) or self-assessment questionnaire (SAQ), it is critical to ensure that the scope is correct. Without an understanding of the scope, systems may be overlooked, and insufficient security controls applied.
Inaccurate scoping can put an organisation at risk. Numerous breaches have occurred via systems and networks incorrectly determined to be out of scope.
Benefits of a PCI scope reduction service
Our PCI scope reduction service will help you to:
- Identify how to isolate system components that store, process or transmit cardholder data;
- Restrict access to only what is needed to carry out the business task;
- Advise on the use of cryptographic tools and solutions;
- Operate point-to-point encryption (P2PE) that can effectively take systems out of scope;
- Employ technical solutions such as tokenisation to stop cardholder data from being stored in your environment; and
- Outsource payment card processing.
Is a PCI scope reduction service right for you?
If you are responsible for implementing the PCI DSS in your organisation, you should ask yourself:
- Is your organisation processing, storing or transmitting payment cardholder data unnecessarily?
- Have you established where card data enters the organisation, how it is handled internally and where it leaves the organisation?
- Does your organisation use network segmentation to reduce the number of components in scope?
- Could you utilise technologies such as tokenisation and encryption?
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Pre-assessment information gathering: Our consultants will discuss the requirements of the PCI scope reduction exercise and agree the roles for the engagement.
- Assessment and analysis: During this step, we will confirm the CDE and identify the different types of cardholder data flowing through the organisation, as well as the technologies that impact the CDE.
- Post-assessment: A report will provide the recommendations necessary to reduce the scope. This will include advice on the segmentation controls needed to isolate cardholder data (CHD) and any other recommended solutions.
Find out more about our PCI DSS Scope Assessment and Reduction service.
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.