Reduce PCI Scope
Ian Terry

As important as it is to protect your customers’ confidential data, you also have a responsibility to look after your company’s interests. While compliance with the PCI Data Security Standard (PCI DSS), as set forth by the PCI Security Standards Council (PCI SSC), is mandatory, there are different ways to achieve day-to-day compliance that ease the workload for your PCI DSS team and reduce costs for your company.

Try out the Following 5 Ways to Reduce Your PCI Scope to Streamline Efforts and Minimize Costs for Your Organization

There are many ways that you can reduce your PCI scope, but you may want to try out the following 5 ideas to get started:

1. Learn the PCI DSS Scope and the System Components Involved

When it comes to PCI DSS scope, the best place to start is at the beginning. It may help to perform an in-depth review of just what PCI scope is, along with its various components. Whether you are new to this aspect of the IT industry, have just assembled a new PCI team, or simply want to refresh your understanding of PCI scope, this review can help reduce scope.

PCI scope features “the PCI DSS security requirements that apply to all system components included in or connected to the cardholder data environment,” according to Security Matters. The article goes on to define the cardholder data environment: “A cardholder data environment is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication.”

Below are some of the key system components to consider as you prepare to reduce PCI scope.

  • Network devices that include firewalls, switches, wireless access points, routers and network appliances
  • Servers such as authentication, web or URL redirection, mail, proxy and application
  • Computing devices
  • Applications that are purchased or custom made for your system
  • Virtualization components

Since auditing firms—where you will find your trusted Qualified Security Assessor (QSA)—base their fees on the amount of time it will take them to complete the PCI assessment, it is important that you are up to speed on the basics so you can easily discuss the details of your computing system and the various system components without requiring additional explanation. MegaPlanIt notes that your review of the basics offers you a quick and certain way to reduce PCI scope and boost your confidence when working with your auditing team.

2. Review Recent Changes to the PCI DSS

Initially published in April 2016—and set for an official enforcement deadline of June 30, 2018—PCI DSS v3.2 is the latest update to the PCI SSC standards. Until the deadline, affected companies are to treat the update as best practices.

A few of the key changes in this update include the following:

  • Multi-factor Authentication. This requirement extends to any personnel with administrative access into the cardholder data environment.
  • More Secure SSL and TLS. The update calls for a transition from early SSL and TLS 1.0 to a more secure version of TLS, which is currently v1.1 and may go higher, as available.

The more you learn about this fairly extensive update, the more easily you can reduce your scope long before it is officially enforced.

3. Develop Your Own PCI DSS Policies and Procedures

Saving your QSA team time and effort goes a long way toward reducing PCI scope. There are plenty of things you can do to prepare for their arrival, including developing a network diagram to gain invaluable insight into your system and how it interacts with cardholder data. Additionally, document everything, which might include event logs, service providers, system changes and updates, and vulnerability scans. Gather all documentation before the arrival of your auditing team so you don’t need to spend any time retrieving it.

4. Use Network Segmentation

Security Metrics considers network segmentation to be one of the best ways to reduce PCI scope. Network segmentation involves separating systems that store, process or transmit cardholder data from systems that do not.

You may choose to install and configure a multi-interface firewall at the perimeter of your network. From that point, you can dedicate one firewall interface to a segment that holds only your cardholder data, isolated from the rest of the network. Another option is an air gap: a separate network used specifically for your cardholder data and nothing else.

This measure lets you and your team breathe a sigh of relief, knowing that cardholder data is off to itself, which makes the chances of any unauthorized parties seeing it far less likely.

5. Try Tokenization

Tokenization allows you to store card numbers in a highly secure off-site data vault. This form of re-coding replaces cardholder numbers with tokens in all other applications and databases. The beauty and growing popularity of tokenization lies in the fact that you are not actually storing cardholder data anywhere in your own environment, which is a great way to simplify your PCI scope.
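To make the mechanism concrete, here is an added example, not from the original article or any vendor's product, of a minimal tokenization vault: the PAN exists only inside the vault, and an application outside the CDE persists just the token. The `TokenVault` class, `record_order` function and the sample card numbers are constructed for this illustration.

```python
# Added example (not from the original article): a minimal tokenization vault.
# The PAN is kept only inside the vault; every other application and database
# stores a random token that carries no cardholder data and cannot be reversed
# without the vault. Names and sample card numbers are constructed.
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check used to reject obviously malformed card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs. Only this component holds card numbers."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._pan_to_token:   # same card always yields the same token
            return self._pan_to_token[pan]
        # Random token, not derived from the PAN; last four digits are kept for
        # display only and are not enough to reconstruct the card number.
        token = "tok_" + secrets.token_hex(16) + "_" + pan[-4:]
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can turn a token back into a PAN."""
        return self._token_to_pan[token]


def record_order(vault: TokenVault, pan: str, amount: int) -> dict:
    """An application outside the CDE: the record it stores has no PAN."""
    return {"card_token": vault.tokenize(pan), "amount": amount}
```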

Enlist the Services of QSAs Who Understand the Need to Reduce PCI Scope

At I.S. Partners, LLC, we understand how important it is to our clients to streamline processes to preserve their budget and human resources, and we would love to offer additional ideas.
Contact us by sending us a message or calling us at 215-675-1400 to find out more about how your organization can reduce PCI scope and reap the benefits of doing so.
