PCI DSS scope

Learn how to reduce PCI scope in your business and protect your cardholder data.

Many businesses find it difficult to get PCI DSS compliant. There are so many requirements, and depending on the size of the business, filling out Self-assessment Questionnaires (SAQs) can take a lot of time and effort.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

So what can you do to help your business get compliant? A good place to start is finding and reducing your business’s PCI scope.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

What is PCI scope?

Your PCI scope involves anything in your business that processes, stores, or transmits cardholder data, and anything that can initiate a connection to any of the systems that handle cardholder data. 

Put simply, any device, process, or employee that touches credit card data is in your PCI scope, which means you are responsible for making sure that card data is properly secured.

Some common devices included in PCI scope are:
  • POS systems
  • Servers
  • Computers
  • QA systems
  • Databases
  • Software
  • Phones

You’d be surprised how much credit card data your business is unknowingly storing, and in some of the most random places.

SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)

Why reduce scope?

Getting compliant with the PCI DSS can be an involved and difficult process; this is especially true for businesses that process and store a lot of card data. By reducing how much your systems come into contact with card data, your PCI validation type may change, which could reduce the number of SAQ questions you’re required to answer and your total amount of work, saving time and money.

Besides saving money, reducing your scope helps ensure you’re keeping track of the card data your business processes and stores. This awareness puts you on the path to stronger data protection measures.

SEE ALSO: Infographic: Reduce PCI Scope, Reduce Workload

Finding the scope in your business

The first step to reducing scope is finding out all the places and ways your business could come into contact with cardholder data. The key to determining your PCI scope is understanding how your business works. Some questions to ask yourself are:
  • How do you record cardholder data?
  • Where do you store the data?
  • How do you manage your systems?
  • How do you log into them?
  • How do you back up your systems?
  • How do you connect to get reports?
  • How do you reset passwords?

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

There are often processes you don’t think of that could be included in your scope. For example, employees could be taking card numbers over the phone or receiving emails with card information. There are also power-outage procedures where card data may be written down manually. Follow the paper trails in your business to make sure all card data is secured. Even if card data is 10 years old, it’s still in PCI scope.

Think about all elements on your system. Even if you believe something is out of scope, it may hold temporary files, log files, or back-ups with unencrypted data. Check your devices to make sure no hidden card data is lurking.
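
The check described above, hunting for unencrypted card data hiding in temporary files, logs, and backups, can be automated. The following is an added example written for this article, not a SecurityMetrics tool: it scans text for 13 to 19 digit runs, keeps only those that pass the Luhn checksum (so order IDs and timestamps are dropped), and reports hits masked to first six and last four digits so the report itself does not become another store of card data. The file contents are constructed, and the card numbers are well-known public test numbers.

```python
"""Find candidate card numbers (PANs) in files and logs, reporting masked hits.

Added example, not SecurityMetrics' tooling. Assumes files are small enough
to hold in memory as text; sample inputs below are constructed.
"""
import re
from typing import Dict, Iterator, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run (the lookarounds stop partial matches).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual truncation
    allowance) and mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> Iterator[Tuple[str, int]]:
    """Yield (masked_pan, line_number) for each Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                yield mask_pan(digits), lineno


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a mapping of path -> contents; return only files with hits."""
    report: Dict[str, List[Tuple[str, int]]] = {}
    for path, contents in files.items():
        hits = list(find_pans(contents))
        if hits:
            report[path] = hits
    return report


# Constructed sample "files": an export left in /tmp, a debug log that
# logged a full PAN, and a clean config file. The 16-digit "ref" value in
# the log fails Luhn and is correctly ignored.
SAMPLE_FILES = {
    "/tmp/order-export.csv": (
        "id,card,amount\n"
        "1,4111 1111 1111 1111,19.99\n"
        "2,5500-0000-0000-0004,5.00\n"
    ),
    "/var/log/app/debug.log": (
        "2024-05-01 req=77 pan=378282246310005 status=ok\n"
        "2024-05-01 req=78 ref=1234567890123456 status=fail\n"
    ),
    "/etc/app/config.ini": "port=8443\nmax_conn=100\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for masked, lineno in hits:
            print(f"{path}:{lineno}: {masked}")
```

Running it against real systems means walking the filesystem and feeding each text file to `find_pans`; anything it flags is in scope and should be securely deleted or encrypted, not just noted.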

After you find your devices in scope, find everything that can communicate with them. If you have a server that handles cardholder data, think about what else connects with that server. Who has permission to access your card data and how do you transmit it?

Also think about how your employees interact with card data. Are they storing card data at their desks? Are they taking down credit card data over the phone? These types of issues need to be taken into account as well.

Tips for reducing your scope

Once you’ve determined the scope in your business, it’s time to manage and reduce it. Here are some tips to reduce PCI scope.

Segment networks
It takes more effort and time to secure all of your networks than to only secure the ones containing cardholder data. Keep the networks that handle card data separate from the ones that don’t. You can do this by installing firewalls between networks.
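
The scoping rule from the "Finding the scope" section (anything that can initiate a connection to a system handling card data is in scope) and the segmentation advice above can be worked through together. The following is an added example, not SecurityMetrics' code: it takes a constructed inventory of systems tagged by network and by whether they handle cardholder data, plus a list of firewall allow rules with an assumed default deny, and computes which systems are in scope. Comparing a flat network with a segmented one shows exactly which systems drop out of scope once firewalls sit between the networks.

```python
"""Compute PCI scope from an inventory and firewall allow rules, and show how
network segmentation shrinks it.

Added example, not SecurityMetrics' tooling. Assumptions: rules are
(src_network, dst_network) allows with a default deny; a system that can
initiate a connection into a network holding a cardholder-data system is a
"connected-to" system and therefore in scope.
"""
from typing import Dict, List, Set, Tuple

# Constructed inventory: system name -> (network, handles cardholder data)
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "pos-01": ("cde", True),
    "pay-app": ("cde", True),
    "pay-db": ("cde", True),
    "backup-srv": ("ops", False),     # pulls nightly backups from pay-db
    "admin-ws": ("ops", False),       # staff log in from here to manage servers
    "hr-ws": ("corp", False),
    "guest-wifi-ap": ("guest", False),
}


def in_scope(inventory: Dict[str, Tuple[str, bool]],
             allow_rules: List[Tuple[str, str]]) -> Set[str]:
    """Return the set of systems in PCI scope: every system that handles
    cardholder data, plus every system whose network is allowed to initiate
    connections into a network containing such a system."""
    cde_networks = {net for net, chd in inventory.values() if chd}
    scope = {name for name, (_, chd) in inventory.items() if chd}
    for name, (net, chd) in inventory.items():
        if chd:
            continue
        # Default deny: only an explicit allow rule creates connectivity.
        if any(src == net and dst in cde_networks for src, dst in allow_rules):
            scope.add(name)
    return scope


NETWORKS = ("cde", "ops", "corp", "guest")

# Before segmentation: a flat network where every network reaches every other.
FLAT_RULES = [(src, dst) for src in NETWORKS for dst in NETWORKS]

# After segmentation: firewalls between networks; only ops may reach the CDE,
# and each network may still talk to itself.
SEGMENTED_RULES = [("ops", "cde")] + [(net, net) for net in NETWORKS]


def scope_reduction(inventory, before, after):
    """Return (scope before, scope after, systems removed from scope)."""
    b = in_scope(inventory, before)
    a = in_scope(inventory, after)
    return sorted(b), sorted(a), sorted(b - a)


if __name__ == "__main__":
    before, after, removed = scope_reduction(INVENTORY, FLAT_RULES, SEGMENTED_RULES)
    print("flat network scope:     ", before)
    print("segmented scope:        ", after)
    print("removed by segmentation:", removed)
```

Note that the ops systems stay in scope even after segmentation because the backup server and admin workstation can still reach the CDE; tightening those paths further (for example, a dedicated management host) would be the next reduction step, and the same function will show it.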

SEE ALSO: How Does Network Segmentation Affect PCI Scope?

Use limited access
Your janitor shouldn’t have the same access privileges as your accountant. Not all of your employees need access to cardholder data. By limiting access and having a hierarchy of employees who can handle card data, you reduce the number of people interacting with the data. This boosts your security and makes PCI compliance a bit easier.

SEE ALSO: PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data

Outsource to a third party
This may not work for every business, but if possible, it may be easier to outsource payment handling and card data to a third party. Examples include using tokenization, or using payment services like PayPal, to ensure your company has minimal contact with cardholder data.

Keep in mind that if you do outsource your payment processing, you will still need to make sure the party you outsourced to is PCI compliant. You could still be held liable in the event of a data breach, should it be shown you didn’t make sure that party was compliant.

Protect your data

When it comes to PCI scope, protecting your card data should take top priority. You can’t do that unless you understand the way your business handles card data. It’s up to you to protect your cardholder data.

Need help with PCI compliance? Talk to our experts!
