Enough of PCI, how do we get our company out of scope?
For years now, your organization has been working on achieving and maintaining PCI compliance. Year after year, a Qualified Security Assessor (QSA) comes on-site to assess your environment. Sometimes, if you’re lucky, that QSA is the same person who came on-site last year to perform the assessment. If not, well, there’ll be a whole new set of findings that weren’t identified last year, and the team is going to have to jump through some hoops to achieve compliance again. After thousands of man hours over the years and the unexpected budget hits, you realize it’s time to make a change. You have two options:
1. Stop taking payment cards.
2. Implement PCI scope reducing and eliminating strategies.
Obviously, eliminating payment cards is not an option. A growing percentage of overall sales comes from payment cards so eliminating this will kill your business. Plain and simple, you should be introducing more channels for your customers to pay rather than eliminating them, no matter how painful these payment options may be to keep in compliance.
The only logical option that remains is reducing and eliminating the scope of PCI DSS controls within your environment. By reducing PCI scope, you’ll also ease the overall burden on your organization in specific, measurable ways:
- Reduced compliance costs
- Reduced operational costs
- Reduced breach risk and liability
What is “PCI scope?”
Scope is how the PCI Security Standards Council (PCI SSC) defines what parts of your environment must meet the control objectives stated within the PCI Data Security Standard (DSS). There are three components to defining PCI Scope: Storage, Processing, and Transmitting. So whatever assets store, process, or transmit payment card data are “in scope” for PCI Compliance. The best way to determine PCI Scope is to map how payment data flows throughout your environment to determine all the assets along the data flow which are subject to PCI Compliance and the DSS controls that ensure data is secured.
Why should you care about scope reduction?
You should care about Compliance Scope Reduction because it will help reduce your compliance costs, operations costs, and risk associated with interacting with payment card data. Period.
In fact, the two main reasons our customers contact us today are Risk Avoidance and Compliance Reduction. Interestingly, the size of the organization generally dictates which reason is most applicable. For example, SMB companies are more likely to focus on compliance reduction because of the costs associated with PCI, including all of the ancillary requirements like Penetration Testing, Application Testing, Security Product Requirements, to name a few. Larger organizations with considerable budget really don’t mind the cost of compliance, or the ancillary control requirements, but they care mostly about the risk of handling the volume of sensitive data in their environment and the possible repercussions of breaches.
The real question: How do I reduce scope?
There are a number of scope reducing strategies available. From network segmentation, encryption, tokenization, and outsourcing, you have many options in reducing scope and exposure to PCI Compliance. Considering TokenEx is focused on tokenization, encryption, and cloud data vaulting, we will absolutely encourage you to consider these options first. The reasons why are discussed below, but all four of these primary strategies can be leveraged for scope reduction.
Tokenization is the process of converting sensitive data into non-sensitive data, (called tokens). There are a number of ways to generate tokens, including reversible and irreversible technologies, but the primary characteristic to note is that tokens are NOT considered cardholder data. Therefore, once data is tokenized it can flow through your environment without bringing any of those devices that store, process, or transmit the token into scope for PCI compliance requirements. Ideally, you tokenize data outside of your environment before it enters, so PCI scope is never introduced, though in some cases you may have business requirements that force you to tokenize later in the flow. To push those compliance boundaries out to the farthest edge of your environment as possible, you can use technologies that can tokenize data at the earliest point in the payment card acceptance process, reducing scope the most. Remember, tokens are not cardholder data – even though they can be formatted to look like cardholder data – so they keep your environment out of scope.
With tokenization, there is no key management like you see with encryption, there are no capital expenditures for network segmentation, and outsourced providers now become your allies in PCI scope reduction.
Figure 1: Tokenization Process Flow
See also, What is Tokenization?
Encryption is the process of using cryptographic algorithms to convert data into unreadable cyphertext that can only be accessed by authorized parties who have the private key to “decrypt” the data. A simpler explanation is that using mathematics, data is scrambled into a blob of data, (cyphertext), so no one can read it unless they have the secret math to turn it back into data (plain text), again. The standout characteristic of encryption is that is uses public and private keys that are used to encrypt and decrypt data. The challenge with encryption is that it does not help with PCI scope reduction unless a secure third-party manages the keys to encrypt and decrypt the data. If you “hold” the keys to decrypt the sensitive PCI data, then that data is in scope because the key is potentially available to hackers. An on-premise technology where encryption can reduce scope is Point-to-Point-Encryption that ensures that all the payment data entered via swipes or manually via a pin pad device is immediately secured,
In all fairness, some technologies employ advanced concepts for using encryption to reduce scope, like key-encrypting keys that are managed by third-parties, so private keys are not accessible should internal systems be breached, therefore they are deemed out of scope for PCI compliance. Suffice it to say, most organizations are moving away from on-premise encryption-only strategies because key management is a technical challenge that adds complexity to de-sensitizing data that tokenization does not.
Figure 2: Encryption Process Flow
Network segmentation (or even micro-segmentation) is the process of separating your computing assets, either logically or physically, so cardholder data does not impact all of your network attached resources—only a limited subset. Think of it like this, in a more comical type of example, when someone serves you a plate of food – do you like the different items on the plate to touch one another? If not, you’re segmenting each item on your plate physically. In all seriousness, this is exactly how you should think about network segmentation. You have a portion of your environment that interacts with payment card data and it is this portion of your environment that should be segmented by itself, so no cardholder data can touch any other areas of your environment. More technically, a good example of this is segmenting your Cardholder Data Environment (CDE), where all cardholder data is stored in a database or similar, on a network isolated from your other business applications and systems—also referred to as a “PCI Island”. This ensures that only a limited number of computing assets and environments are in scope. Unfortunately, network segmentation is extremely expensive, as networks generally need to be re-architected and new network assets purchased to achieve network segmentation–one more reason you should remove the sensitive data entirely.
Figure 3: Example of PCI Network Segmentation (also called PCI Islands)
While outsourcing won’t completely eliminate PCI scope, using a qualified vendor that is PCI compliant can reduce your PCI exposure to an SAQ-A, (the easiest of all SAQs), or simply the people and process components of the PCI DSS (think Requirement 12). Imagine a world where you’re only taking payment card information through an eCommerce application hosted by a third-party iFrame. To add to that, you also could have a hosted contact center solution, so payment card data flows through both the eCommerce and contact center environments without touching your back-office environment. Your compliance obligations will include filling out an SAQ or extremely shortened Report on Compliance (ROC) and providing the third-party’s ROC.
The biggest question around this strategy is cost. How much does it cost to outsource these functions to a third-party? In a perfect world, these third-party solutions will pay for themselves with the savings you will receive by reducing PCI compliance related operations, compliance testing, and capital expenditure. Most important, you must find outsourcing vendors that have validated solutions and can prove that their security posture is more stringent than your organization’s security posture – and, they must be able to provide evidence to this effect.
Can I use all of these solutions?
Absolutely! Most of TokenEx customers are using a combination of these solutions. For example, they use tokenization for passing data through the environment, encryption for data in transit, network segmentation to ensure a component of their environment does not touch the back-office systems, outsourcing the acceptance of payment card data, and a hand-off of payment card data to payment processors. We’ve implemented these scenarios qui often, and the strategy is sound. Depending on the expense and the ability to integrate across all of these different technologies, do your research on companies who are interoperable with other solution providers. Often, leveraging multiple technologies may be the only option to avoid compliance and risk.
The biggest pitfall we see with PCI Scope reduction is properly identifying where all of the payment card data interacts with your environment. While we all like to think we know exactly where all of that sensitive data is touching, it is extremely important to leverage consulting organizations that will perform data discovery/data mapping services to find all the data sources and properly educate you on where payment card data lives and how it is used in each business unit. The number of breaches that have occurred due to a hacked server with payment card data on it that the company didn’t even know about, is inordinate. So, taking the appropriate time and measures to effectively find data, track where it is flowing, followed by implementing a strategy to reduce scope, is the best course of action.
Last but not least, don’t try to boil the ocean when it comes to reducing scope. Starting with both a short and long-term strategy for scope reduction is the best advice we can give. For example, get rid of stored payment card data, therefore eliminating PCI-DSS Requirement 3 all together. From there, push your PCI boundary of exposure outwards, leveraging the different technologies previously discussed. The most successful scope reduction initiatives TokenEx has been a part of include multiple phases of integration, each one incrementally reducing the burden on technology and people.
TokenEx is the industry leader in PCI scope reduction with professional services, technology, and people to assist organizations to achieve PCI compliance through strategy, scope, and risk reduction. For more information on how TokenEx can assist your organization, please contact: firstname.lastname@example.org.