Scoping is determining which systems are covered by, need to be assessed for, or are included in your PCI DSS compliance effort. It means identifying every system component that stores, processes, or transmits cardholder data (together, the cardholder data environment, or CDE), plus the systems that are connected to the CDE or that could affect its security, such as authentication servers, logging and monitoring systems, and administrative jump hosts. Scoping also considers how cardholder data enters and exits the organization.
Defining scope also helps you select the appropriate Self-Assessment Questionnaire (SAQ), if you are eligible to self-assess. Scoping does not reduce the requirements you must comply with; it identifies which systems and processes the compliance assessment must cover.
See also: What are the 12 requirements of PCI DSS Compliance?
When conducting a scoping exercise for the first time, start with internal discussions involving all key stakeholders, such as IT, the business units, finance, and shipping/receiving.
These discussions should focus on how the company receives credit card information, how it is processed and stored, and how each department interacts with card data. Understanding the roles people play is the first step; from there you can home in on processes and technology.
Scoping becomes more complicated when a client has multiple merchant accounts, but the process is the same; it is just broken down into multiple payment flows. Scope each merchant account individually, accounting for its payment processes, who collects or processes card data, which systems are involved, and how the data is collected and processed. Checklists, worksheets, and questionnaires can help organizations through this.
Additionally, decentralizing the responsibility for scoping and assigning someone in charge of each merchant account can help streamline the annual scoping exercise. If you don’t feel like you have the skillset in your organization to do this on your own, we recommend that you use a third party, such as SecurityMetrics, to help you with scoping your environment.
Scoping is an annual exercise, but your environment changes all year, so set regular checkpoints to evaluate any change that may affect PCI compliance (new payment channels, new systems, new vendors). Record what was reviewed at each checkpoint and what changed; assessors will ask for it.
Documentation produced during the scoping exercise, such as the payment-flow descriptions, checklists, worksheets, and questionnaires mentioned above, is helpful to present to your assessor.
Segmenting your network can be a huge help in reducing your scope and simplifying your assessment. Network segmentation divides one network into smaller segments, or "subnetworks," in a way that limits or prevents communication between them, so that systems with no path into the cardholder data environment can be treated as out of scope.
Properly configured firewalls are the most common way to segment a network. P2PE is not segmentation, but a validated P2PE solution reduces scope in a related way: systems that only ever handle card data encrypted inside the payment terminal can be removed from scope because they never see cleartext card data.
See also: How Does Network Segmentation Affect PCI Scope?
When done properly, network segmentation provides controls that limit or stop communication from one subnetwork into another. When done improperly, or not thoroughly enough, attackers can "pivot" from a less-secure area (such as an office network) into your cardholder data environment (CDE). That is why PCI DSS requires segmentation controls to be verified by penetration testing at least annually (every six months for service providers) to confirm they actually hold.
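The scoping rule behind segmentation (CDE, "connected-to," and out-of-scope zones) can be checked mechanically against a firewall rule table. The following is an added example written for this article, not SecurityMetrics code or an assessor tool; the zones, rules, and probe ports are constructed, and the classification follows the PCI SSC scoping guidance described above. It also lists the over-broad allow rules that give an office zone a pivot path into the CDE, which is exactly what a segmentation penetration test would exercise first.

```python
"""Classify network zones for PCI DSS scope from a firewall rule table.

Added example for this article (not SecurityMetrics code or an assessor
tool). The zones, rules and ports below are constructed for illustration.
The classification rule follows the PCI SSC scoping guidance: zones that
store, process or transmit cardholder data are the CDE; zones that can
initiate a connection into the CDE (or receive one from it) are
"connected-to" and in scope; only a zone with no path to or from the CDE
can be treated as out of scope.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: str     # destination port as a string, or "any"
    action: str   # "allow" or "deny"


# Constructed zones and first-match rule table (explicit default deny at the end).
ZONES = ["cde-pos", "cde-db", "corp-office", "guest-wifi", "mgmt"]
CDE_ZONES = {"cde-pos", "cde-db"}
RULES = [
    Rule("guest-wifi", "any", "any", "deny"),
    Rule("mgmt", "cde-db", "22", "allow"),           # admin SSH into the CDE database
    Rule("corp-office", "cde-pos", "any", "allow"),  # over-broad: office can pivot into the CDE
    Rule("cde-pos", "cde-db", "1433", "allow"),
    Rule("any", "any", "any", "deny"),
]
# Representative ports to probe; a rule whose port is "any" matches all of them.
PROBE_PORTS = ("22", "80", "443", "1433", "3389")


def is_allowed(rules, src, dst, port):
    """First-match firewall semantics with an implicit default deny."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, "any"):
            return r.action == "allow"
    return False


def classify_zones(zones, cde_zones, rules, ports=PROBE_PORTS):
    """Map each zone to 'cde', 'connected-to' or 'out-of-scope'."""
    result = {}
    for zone in zones:
        if zone in cde_zones:
            result[zone] = "cde"
            continue
        can_reach_cde = any(is_allowed(rules, zone, c, p) for c in cde_zones for p in ports)
        reached_by_cde = any(is_allowed(rules, c, zone, p) for c in cde_zones for p in ports)
        result[zone] = "connected-to" if (can_reach_cde or reached_by_cde) else "out-of-scope"
    return result


def find_pivot_rules(rules, cde_zones):
    """Allow rules that let a non-CDE source into the CDE on every port, or from any source.

    These are the rules a segmentation penetration test exercises first: they
    give an attacker on the less-secure side a broad path into the CDE.
    """
    return [
        r for r in rules
        if r.action == "allow"
        and r.dst in cde_zones
        and r.src not in cde_zones
        and (r.port == "any" or r.src == "any")
    ]


if __name__ == "__main__":
    for zone, status in classify_zones(ZONES, CDE_ZONES, RULES).items():
        print(f"{zone:12s} {status}")
    for r in find_pivot_rules(RULES, CDE_ZONES):
        print("pivot risk:", r)
```

On the constructed table, guest-wifi is the only zone that ends up out of scope; mgmt is connected-to because of its SSH rule (which is fine, but it keeps the mgmt zone in scope), and corp-office is connected-to through an any-port rule that would be the first thing to tighten before claiming scope reduction.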
During the pandemic, the shift to work from home introduced new risks and made it necessary to reevaluate the scope of many environments, which is exactly why mid-year checkpoints matter. Companies must re-scope promptly whenever there is a significant change in how they accept and process payments. For remote work, that means asking whether home networks or personal systems have come into scope and whether cardholder data is being accessed or stored somewhere it should not be.
In the work-from-home (WFH) scenario, companies must determine if employees working from home have taken cardholder data outside the controlled environment, and, if so, ensure appropriate controls are in place. This may involve providing dedicated work devices and network connections, utilizing VPNs, and enforcing strict access controls.
The Payment Card Industry Security Standards Council (PCI SSC) has released guidance on addressing the security of cardholder data in work from home scenarios, providing clarity and direction for organizations navigating these challenges.
If companies offer WFH or hybrid arrangements, their scope needs to include ongoing security measures for the remote systems. Scanning and validating those systems before reconnecting them to the company network is crucial in case malware or other threats were introduced while they were outside your controls.
Additionally, organizations should establish processes for managing devices leaving and re-entering the network to address regular changes in scope and ensure comprehensive compliance efforts.
Oversights most often come to light during an assessment, when someone remembers a process, a file, or a system that was never mentioned. This is why annual scoping exercises, stakeholder conversations, and detailed documentation matter so much. But sometimes even that isn't enough.
One time, we assessed a company with an internal call center where the IT and business process teams had a defined process for handling credit card information. However, during interviews with call agents, it was discovered that some agents were not following the prescribed process. One agent admitted to typing credit card numbers into a spreadsheet instead of shredding the paper with the information.
These types of internal conversations and validation processes are crucial to ensure that established procedures are being followed and that any changes or deviations are identified. Making sure employees are trained and following protocol is crucial to strong security.
The primary reason for reducing scope is to reduce cost and risk.
Implementing proper network segmentation significantly restricts access between different environments, and enhances the security of all systems by adding an additional layer of protection. It also makes your assessment cheaper since assessors won’t have as much to look into.
PCI compliance focuses on securing the systems that handle cardholder data, but that is no reason to neglect the rest. Even where scope is narrowed for assessment purposes, security professionals still advocate applying security controls across all systems. Conduct a risk assessment of the out-of-scope networks to decide what level of protection they need; protecting valuable information beyond what PCI requires is essential for overall security.
Understanding your environment (i.e., people, processes, and technology) is essential in determining the appropriate level of security controls for different types of information. Sensitive data should have limited access. In industries like healthcare, where PCI scope and protection of personal information are crucial, conducting a comprehensive risk assessment helps prioritize security efforts. This approach allows a focused emphasis on PCI compliance within the broader context of the organization's overall security landscape.
One effective method is to avoid storing or accessing cleartext cardholder data at all, for example through a point-to-point encryption (P2PE) solution. With P2PE, card data is encrypted inside the payment terminal at the point of interaction (swipe, dip, or tap) and stays encrypted until it is decrypted in the solution provider's environment, so the merchant systems in between never see cleartext card data.
However, for assessors to recognize the scope reduction, the P2PE solution should be validated and listed by the PCI SSC; an encrypting terminal that is not on the list may still reduce scope, but only at the assessor's discretion and with more validation work. Outsourcing parts of the card flow, such as using a PCI DSS compliant shopping cart or hosted payment page provider, can also limit scope, but due diligence and ongoing tracking of each provider's PCI compliance remain your responsibility (PCI DSS Requirement 12.8).
It's also important to account for the other companies involved in your card flow when scoping, such as AWS or Microsoft cloud services, hosting providers, third-party shopping carts, and data centers. With the rise of e-commerce skimming attacks, third-party content loaded on the checkout page, such as third-party JavaScript, should be assessed so that it cannot be used to capture card data; PCI DSS v4.0 adds explicit requirements here (6.4.3 on inventorying and authorizing payment page scripts, and 11.6.1 on detecting unauthorized changes to payment pages).
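The script inventory that the payment-page requirements call for is easy to automate. The following is an added example written for this article, not SecurityMetrics code or a PCI SSC tool; the checkout page HTML, the page origin, and the list of authorized script origins are constructed. It lists every script on the page, flags scripts from origins not on your authorized list, and notes authorized scripts that carry no Subresource Integrity attribute (SRI only works for scripts whose content never changes, so a missing attribute is a review item to justify, not automatically a failure).

```python
"""Inventory the scripts on a payment page and flag ones that need attention.

Added example for this article, not SecurityMetrics code. The checkout page
HTML, the page origin and the authorized script origins are constructed for
illustration. PCI DSS v4.0 requirement 6.4.3 asks for an inventory of
payment-page scripts with a justification for each, a method to confirm each
script is authorized, and assurance of script integrity; this produces the
inventory and marks what the other two checks should look at.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"
AUTHORIZED_ORIGINS = {PAGE_ORIGIN, "https://js.payments.example"}

# Constructed checkout page; the integrity digest below is a placeholder, not a real hash.
CHECKOUT_HTML = """\
<html><head>
<script src="/static/checkout.js"
        integrity="sha384-constructedPlaceholderDigestNotARealHashxxxxxxxxxxxxxxxxxxxxxxx"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="https://cdn.analytics-tracker.example/t.js" async></script>
</head><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<form id="card">...</form>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def origin_of(src, page_origin):
    """Origin (scheme://host[:port]) of a script URL; relative URLs belong to the page."""
    parsed = urlparse(src)
    if not parsed.scheme or not parsed.netloc:
        return page_origin
    return f"{parsed.scheme}://{parsed.netloc}"


def inventory_scripts(html, page_origin, authorized_origins):
    """Return one entry per script: src, origin and a status for the reviewer."""
    collector = ScriptCollector()
    collector.feed(html)
    entries = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            # Inline first-party script: still part of the inventory and needs a justification.
            entries.append({"src": "(inline)", "origin": page_origin,
                            "status": "inline: needs justification"})
            continue
        origin = origin_of(src, page_origin)
        if origin not in authorized_origins:
            status = "unauthorized origin"
        elif not attrs.get("integrity"):
            status = "authorized, no integrity attribute"
        else:
            status = "authorized, integrity-protected"
        entries.append({"src": src, "origin": origin, "status": status})
    return entries


if __name__ == "__main__":
    for e in inventory_scripts(CHECKOUT_HTML, PAGE_ORIGIN, AUTHORIZED_ORIGINS):
        print(f"{e['status']:36s} {e['origin']:42s} {e['src']}")
```

Run against a fetched copy of your real checkout page, the "unauthorized origin" entries are the ones to chase first; the analytics tracker in the constructed page is the classic case of a script nobody in the payment flow authorized but that executes with full access to the card form.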
The PCI DSS standard itself contains a section on scoping and segmentation (starting from page 10). The PCI SSC has also published an information supplement, Guidance for PCI DSS Scoping and Network Segmentation, that discusses in-scope and out-of-scope considerations in depth. Both are available in the document library on the PCI Security Standards Council website, along with the rest of the PCI DSS resources.
It is important to consult with Qualified Security Assessors (QSAs) who can provide guidance and answer specific questions related to scoping. QSAs are there to help and collaborate, not to catch organizations off-guard.
Internal resources within the organization, such as IT and security personnel, can be utilized for scoping decisions.
There are also technical tools available, such as PANscan that can assist in validating scope and ensuring proper segmentation. However, caution should be exercised when using these tools to avoid causing unintended disruptions to systems.
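What a card-data discovery tool does under the hood is worth seeing, because the call-center spreadsheet described earlier is exactly what such a scan finds. The following is an added example written for this article, not PANscan's code: it pulls 13 to 19 digit candidates out of text, discards those that fail the Luhn check or do not start with a known card-brand prefix, and reports only a masked form (first six and last four digits). The "spreadsheet export" and the card numbers in it are constructed test data using public brand test numbers, not real cardholder data.

```python
"""Scan text for primary account numbers (PANs) to validate PCI scope.

Added example for this article, not the PANscan product. It shows the
technique a card-data discovery tool applies: find 13-19 digit candidates,
drop those that fail the Luhn check or lack a known card-brand prefix, and
report only a masked form. SAMPLE_EXPORT and its card numbers are
constructed test data (public brand test numbers), not real cardholder data.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_EXPORT = """\
order_id,customer,note
10001,J. Smith,paid by phone 4111 1111 1111 1111 exp 12/27
10002,A. Jones,callback 555-123-4567
10003,B. Lee,card 378282246310005 keep on file
10004,C. Wu,ref 1234567890123456
10005,D. Kim,card 4111111111111112 (typo?)
"""


def luhn_ok(digits):
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan):
    """Return the card brand for common IIN prefixes and lengths, or None if unknown."""
    n = len(pan)
    two, four = int(pan[:2]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if two in (34, 37) and n == 15:
        return "American Express"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "Mastercard"
    if (four == 6011 or two == 65) and n in (16, 19):
        return "Discover"
    return None


def mask(pan):
    """Keep first six and last four digits, which PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text):
    """Return one finding per Luhn-valid, brand-recognised PAN; never the full PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            brand = brand_of(pan)
            if brand is None or not luhn_ok(pan):
                continue  # digit run that is not a card number (order ref, typo, phone)
            findings.append({"line": line_no, "brand": brand, "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

Two of the five rows are real hits: the Visa number typed in with spaces and the Amex number. The 16-digit order reference and the mistyped card number both fail the checks, which is the point of combining a brand prefix with Luhn rather than matching on digit count alone. In a real scan, pointing this at large file shares or databases generates heavy I/O and can trip endpoint protection, which is the disruption risk mentioned above; schedule it and scope it like any other scan.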
In terms of network segmentation and reducing scope, there are a few important considerations. Firstly, don't overlook VoIP systems, especially if they are involved in receiving card data via phone. These systems may fall within the scope of PCI DSS compliance.
Another consideration is avoiding the storage of cardholder data altogether. One option is outsourcing to a third-party tokenization provider, which returns a token in place of the PAN; your systems store and work with the token, and only exchange it for the real card data through the provider when a transaction actually requires it. This keeps PAN out of your own databases and reduces how much of your environment must meet the PCI DSS storage and protection requirements. It carries a cost, but it may be worth it depending on your circumstances.
To sum up, reducing your scope cuts down on the cost of your assessment, better secures your sensitive data, and makes it easier to become compliant. One of the easiest ways to reduce your scope is to segment your network and consider using third parties for data storage or P2PE.
If you lack the skills in your organization to determine your scope or if you have questions about what is in your scope, you can reach out to your assessor for help. They are there to help you!
We hope you’ve found this information useful. For more information like this, consider subscribing to our podcast channel or blog.