The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect credit and debit card transactions against fraud and data breaches. Any business that accepts card payments must comply with the PCI DSS requirements. PCI DSS has been around for some time now. I was not there when it first came out, but I remember when I was undertaking assessments under PCI DSS 1.2.x. However, still to this day there are businesses who are not getting the first part of the assessment right. What am I talking about? It is proper scoping. It is so critical to the assessment, not only to ensure data is appropriately protected, but also, conversely, to save the business time and money.
What is scoping?
PCI DSS scoping is the process of determining which business processes, information, systems, and people are in scope for the assessment. Proper scoping is essential because it defines the boundary of the assessment, the systems and processes that need to be secured, and the resources required to achieve compliance.
The importance of proper scoping for PCI DSS cannot be overstated. Here are some reasons why:
- Reduces the scope of the assessment: PCI DSS requirements can be extensive, and attempting to comply with them for every system and process in your organization can be overwhelming and, for some businesses, simply not pragmatic. Proper scoping reduces the scope of the assessment by focusing only on the systems and processes that handle cardholder data. This makes the assessment process more manageable, less expensive, and less time-consuming.
- Helps to identify risks: Proper scoping helps to identify the systems and processes that pose the most significant risks to cardholder data. This enables you to focus your security efforts and resources on the most critical areas. It also helps to identify areas that are often forgotten, such as backups, which may pose significant risk depending on the quantity and sensitivity of the data they hold.
- Ensures compliance with the standard: PCI DSS compliance is not optional, and failing to comply can lead to severe consequences, including fines, legal action, and reputational damage. Proper scoping ensures that you comply with all the applicable PCI DSS requirements and helps you to achieve and maintain compliance.
- Reduces costs: Proper scoping can help to reduce the costs of achieving and maintaining PCI DSS compliance. By focusing only on the systems and processes that handle cardholder data, you can avoid wasting resources on unnecessary security measures that do not contribute to compliance.
- Enhances security: Proper scoping helps to identify the systems and processes that require the most robust security measures. This helps to ensure that cardholder data is protected against unauthorised access, theft, and other types of cyber attacks.
So, what do I need to do?
Undertake a scoping exercise. I would suggest starting with the 30,000 ft view of the business processes, focused on the data flows (in this case cardholder data). After reviewing these with business personnel, speak to your IT personnel to map the flows onto your networks. You will then have a better view of the people, processes, information and technologies involved in the assessment.
Proper scoping is critical for achieving PCI DSS compliance. It reduces the scope of the assessment, helps to identify risks, ensures compliance with the standard, reduces costs, and enhances security. Businesses that take PCI DSS scoping seriously are more likely to achieve and maintain compliance, protect their customers’ data, and avoid the severe consequences of non-compliance. In some cases, the actual requirements may be overkill depending on the quantity of data; however, PCI DSS is increasingly risk-focused, so speak to your assessor to discuss a sensible and pragmatic way to maintain security and achieve compliance.
Do not just look for the IT/technical controls to ‘just meet compliance’. Instead, look for ways to engineer the data flows across business processes and IT processes – I often find the cheapest and quickest way to get compliant is this Business Process Re-engineering, as it raises the questions of why things are done and whether you can remove the data.
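The scoping exercise above (map cardholder data flows, then map those flows onto the network) and the data-removal point can be modelled with a small script. This is an added example, not part of the original post or of any PCI SSC tooling; the network map, system names and the two flow scenarios are constructed, and the model assumes no segmentation controls between any two listed systems, so every direct neighbour of a cardholder-data system is treated as "connected-to" and therefore in scope.

```python
"""Toy PCI DSS scoping model (added example, not from the original post).

Categorisation follows the PCI SSC scoping guidance: systems that store,
process or transmit cardholder data (CHD) form the CDE; systems with a
direct network connection to the CDE are "connected-to" and also in scope;
everything else is out of scope. Assumption: no segmentation between any
two systems listed in NETWORK.
"""

# Constructed network map (system -> systems it can reach directly),
# as produced when the IT team maps the data flows onto the network.
NETWORK = {
    "web-checkout": {"payment-api", "crm"},
    "payment-api": {"web-checkout", "card-db", "backup-server"},
    "card-db": {"payment-api", "backup-server"},
    "backup-server": {"card-db", "payment-api", "fileshare"},
    "crm": {"web-checkout", "hr-system"},
    "fileshare": {"backup-server"},
    "hr-system": {"crm"},
}


def categorise(network, chd_systems):
    """Split the network into CDE, connected-to and out-of-scope sets."""
    cde = set(chd_systems)
    unknown = cde - network.keys()
    if unknown:  # a CHD system missing from the map is itself a scoping gap
        raise ValueError(f"CHD systems not in network map: {sorted(unknown)}")
    connected = {n for s in cde for n in network[s]} - cde
    out_of_scope = set(network) - cde - connected
    return {"cde": cde, "connected_to": connected, "out_of_scope": out_of_scope}


def scope_size(network, chd_systems):
    """Number of systems that must be assessed (CDE plus connected-to)."""
    cat = categorise(network, chd_systems)
    return len(cat["cde"]) + len(cat["connected_to"])


# Before re-engineering: full PAN is stored in card-db and copied to backups.
BEFORE = ["web-checkout", "payment-api", "card-db", "backup-server"]
# After: payment-api tokenises with the acquirer at capture, so card-db and
# backups hold tokens only; the database and backup host are still
# connected-to the CDE, so they remain in scope until segmented.
AFTER = ["web-checkout", "payment-api"]

if __name__ == "__main__":
    for label, chd in (("before", BEFORE), ("after", AFTER)):
        cat = categorise(NETWORK, chd)
        print(label, scope_size(NETWORK, chd), "in scope;",
              "out of scope:", sorted(cat["out_of_scope"]))
```

Removing stored data shrinks the CDE, but the output also shows why assessors still ask about segmentation: a system that no longer holds cardholder data stays in scope while it can talk to one that does.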
Whatever way you want to get compliant, make sure you do the scoping part properly first. Scoping is one of the earliest parts in The PROTECT Protocol™.