What is PCI DSS?
When starting your PCI compliance journey, figuring out what should and should not be included can be a daunting first step. Put simply; your PCI scope includes the part of your environment that directly impacts the security of Cardholder Data.
The Cardholder Data Environment, or CDE, is everything involved with storing, processing, or transmitting Cardholder Data. Therefore, your scope includes not only the CDE but everything directly connected to or that could impact the security of the CDE.
The PCI Payment Security Standards Council breaks the scope into three categories: people, processes, and technology. The five W’s (Who, Why, What, Where, and How) are useful when determining what should be included in your PCI assessment. So let’s take a closer look at the three categories and use the 5 W’s to help identify what might be considered in scope for an assessment.
The biggest question for PCI compliance regarding people: Who has access to Cardholder Data? Look at all employees, contractors, and even third-party providers who might have access to Cardholder Data and the environment. Does every person with access have a need? (In the future, we’ll refer to all people with access as “users.”)
That leads to Why. Why do those users have access? What type or amount of access is granted? Is your company using a “least privilege” policy? Are there varying levels of access granted based on the job need? Take a close look at who sees what and why. Often, some access or privileges can be revoked to protect Cardholder Data.
How and Where does the user access the Data? Does the user need special access to view the data, such as logging into a separate application? Or do they use multi-factor authentication or a token? Does the user have a unique ID and password that only they use?
When does the user access the Data? Is it for a specific job function or simply available to see at all times?
Review who can see Cardholder Data and determine whether they need to. Many of the questions from above lead to deeper dives into the processes and technology within the environment. You’ll often find conducting an internal review or audit reveals where gaps exist within the Cardholder Data Environment. You’ll also uncover any potential risk to the business.
Processes cover everything in your policies and procedures. These include HR (i.e., new hire, termination, training), Security (i.e., access, equipment, change management), and Standard Operating Procedures (SOPs).
What do your policies and SOPs say about who can access the data, what security requirements the company follows, and what controls are in place to protect the environment?
Be prepared to defend Why the business chose specific controls and requirements. A compensating control will be needed if the control doesn’t fully meet the PCI requirement.
Who keeps the policies updated? PCI compliance requires that policies be updated at least annually. Identify the Control Owners and those who need to be aware of the policy changes.
When do users acknowledge the policies and procedures? Also, how often are users given training for PCI, privacy, security, and best practices?
Where are the policies and procedures housed? Are they easily accessible to all users?
How does the company prove controls are followed? Are regular internal audits or scans conducted at required intervals?
Policies and procedures must be put in place in order to maintain consistency and ensure the security of the Cardholder Data environment.
The most significant portion of the PCI assessment is technology. When a QSA or assessor is first introduced to a new environment, they must first understand the environment as a whole.
To identify what is and isn’t in scope, they review diagrams and the structure of the environment. How is it built? How does Cardholder Data move through the environment? Identify where it enters, how it’s transmitted, where it’s stored, and how it’s processed.
What technology is used to secure the Data? The technology here can be physical, such as physical tokens, cameras, or badges. It also includes virtual security, such as firewalls, encryption, or network segmentation. Security technology includes logging, monitoring, and anti-virus software.
Where is data stored, and Why? How much Cardholder Data is kept? When is Cardholder Data purged? PCI has strict requirements surrounding what can be stored and for how long. It is essential these questions can be answered and meet the PCI requirements. Also consider if the data stored is encrypted or is plaintext.
Finally, Who has access to the technology? Who maintains the network, database, or other technology involved? Who owns the diagrams and is responsible for their maintenance and accuracy?
Once you answer the 5 W’s for people, processes, and technology, you can begin looking at technical and non-technical ways to reduce PCI scope within your organization. Scope reduction is essential to compliance and security as it minimizes the exposure risk to the Cardholder data environment and the effort required to maintain compliance by limiting the number of systems and applications that need to be assessed. Scope reduction can be accomplished in several ways, including:
Implementing a Validated Point-to-Point Encryption Solution (P2PE)
Businesses can reduce PCI compliance scope by leveraging a PCI-validated P2PE solution. P2PE reduces PCI scope by encrypting Cardholder data from the point of interaction/point of sale to the payment processor. The PCI council must validate a P2PE solution. Additional information can be found at https://listings.pcisecuritystandards.org/documents/P2PE_Solutions_for_Merchants_v2.pdf.
One of the best ways to reduce PCI scope is to separate systems that process, transmit, or store Cardholder data from other systems on your network. The process of separating Cardholder data systems from non-Cardholder systems is called “network segmentation.” For wired networks, segmentation can be accomplished using a physically separate network or “virtual” networks called VLANs. Wireless networks work similarly by allowing guests to connect to a different wireless network than your employees. Again, your MSP can help evaluate your current network environment and determine which method best suits the needs of your business.
Determining what is and is not in the scope of a PCI assessment can be challenging. There are hundreds of requirements, and not knowing how PCI fits your business can seem overwhelming. However, the five W’s and How can help take an initial step into scoping your environment.
CKSS can step in and assist with these first questions when starting your PCI compliance journey. CKSS Consultants can point out gaps and suggest remediation or changes before bringing in an assessor. If you’re considering enhancing your PCI security posture and implementing some of the strategies discussed in this piece, consider contacting us today.