News Feature | May 12, 2015

How To Sell Your Merchant IT Clients On "Out-Of Scope" Solutions

By Ally Kutz, contributing writer


Your merchant clients who look to you as their trusted IT advisor expect you to provide the solution that best fits their needs. That might mean designing a solution that — as far as Payment Card Industry Data Security Standard (PCI DSS) is concerned — is “out of scope.”

The PCI Security Standards Council defines “scope” as “identifying all system components, people, and processes to be included in a PCI DSS assessment.”

Defining scope is not merely an exercise — the scope of the cardholder data environment (CDE) must be known before penetration testing, which validates that the CDE is secure, can take place. PCI’s guidance on penetration testing is included in an information supplement.

The Verizon 2015 PCI Compliance Report points out, “If you can take systems out of scope you can avoid the cost and effort of involving them in PCI DSS compliance activities, both in terms of regular activities (such as patching or vulnerability scans) and the annual assessment.”

The report lists scope reduction methods by the percent of companies using them:

  • Truncating/masking (53 percent): When the primary account number (PAN) is appropriately truncated or masked, components that use or store this data can often be removed from scope.
  • Consolidation (17 percent): Consolidating systems that store, process, or transmit cardholder data (CHD) eliminates redundancies, which removes the redundant systems and applications from scope.
  • Hashing of PANs (14 percent): Hashing stores or uses PANs that have been passed through a one-way function, so that recovering the original PAN from the stored value is “computationally infeasible.”
  • Tokenization (12 percent): CHD can be replaced with a token, and innovations such as vaultless and in-memory tokenization are available. The report points out that several organizations in the study are using a combination of tokenization and point-to-point encryption (P2PE).
  • Point-to-point encryption (4 percent): The report states this method was recommended for all merchants in 2014, but only 4 percent of the organizations in the study had implemented it. The report also points out that there are a limited number of P2PE solutions validated by PCI.
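The three data-side methods above (truncation/masking, hashing of PANs, and vaulted tokenization) are easy to confuse, so here is an added example, written for this page and not taken from the article or the Verizon report, that implements each on a constructed test PAN. The display-masking limit of first six/last four digits, the 32-byte minimum key length, and the `tok_` token format are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not the article's or the report's code. Sample PAN and key
# values are constructed for illustration only.


def _digits(pan: str) -> str:
    """Normalize a PAN by stripping spaces and dashes and checking its length."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(d) <= 19:
        raise ValueError("PAN must contain 12 to 19 digits")
    return d


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask for display: only the permitted leading and trailing digits stay
    visible, so the masked value cannot be used to reconstruct the PAN."""
    if keep_first > 6 or keep_last > 4:  # assumed display limit (first 6 / last 4)
        raise ValueError("display masking may reveal at most first 6 / last 4 digits")
    d = _digits(pan)
    hidden = len(d) - keep_first - keep_last
    tail = d[-keep_last:] if keep_last else ""
    return d[:keep_first] + "*" * hidden + tail


def truncate_pan(pan: str) -> str:
    """Truncate for storage: only the last four digits are retained. Unlike
    masking, the discarded digits are gone, so the stored value is not CHD."""
    return _digits(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). The secret key is what makes the
    stored value infeasible to reverse; it must be kept outside the data
    store that holds the hashes."""
    if len(key) < 32:  # assumed minimum; a strong, separately managed key is required
        raise ValueError("use a key of at least 32 bytes")
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal vault-based tokenization: the token is random and carries no
    information about the PAN; only the vault can map it back, so systems
    holding tokens alone hold no CHD."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        d = _digits(pan)
        if d in self._token_by_pan:  # same PAN always maps to the same token
            return self._token_by_pan[d]
        token = "tok_" + secrets.token_urlsafe(16)
        self._token_by_pan[d] = token
        self._pan_by_token[token] = d
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed test PAN
    key = secrets.token_bytes(32)   # constructed key; in practice held in a key store
    print(mask_pan(sample), truncate_pan(sample), hash_pan(sample, key)[:16] + "...")
    vault = TokenVault()
    print(vault.tokenize(sample))
```

The practical difference for scope is where the reversible secret lives: a masked or truncated value has none, a keyed hash is only as protected as the key, and a vaulted token moves the secret into the vault, which is why the vault itself stays firmly in scope.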

For scope reduction within infrastructure, 98 percent of companies in the study’s data set use at least one of the following: segmentation, 92 percent; segregation, 70 percent; virtual LANs, 46 percent; defining PCI DSS security zones, 46 percent; full isolation, 23 percent; and other methods, 3 percent. The report comments that the growing use of security zones shows organizations are recognizing the need to redesign their networks. Next-generation firewalls or network segmentation gateways are the key to designing networks that have zones separated by security needs.
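To make the zone idea concrete, the following added example (written for this page, not taken from the article or the report) models a small zoned network and works out which systems stay in scope under a given firewall policy. The inventory, zone names and flow rules are constructed, and the example uses the conservative assumption that any zone with a permitted traffic path, in either direction, to or from the CDE (directly or through another such zone) remains in scope.

```python
from collections import deque

# Added example, not the article's or the report's code. The inventory and the
# firewall policy below are constructed for illustration.

# system name -> security zone
SYSTEMS = {
    "pos-terminal-1": "cde",
    "payment-gateway": "cde",
    "store-db": "cde",
    "jump-host": "mgmt",
    "syslog-collector": "mgmt",
    "hr-app": "corp",
    "guest-wifi-ap": "guest",
}

# Permitted (source zone, destination zone) pairs; anything not listed is denied.
ALLOWED_FLOWS = {
    ("mgmt", "cde"),      # administrators reach the CDE via the jump host
    ("cde", "mgmt"),      # CDE systems ship logs to the collector
    ("corp", "mgmt"),     # corporate users can reach the management zone
    ("mgmt", "corp"),
    ("guest", "internet"),
}


def zone_graph(flows):
    """Undirected adjacency between zones: a permitted flow in either
    direction is treated as connectivity for scoping purposes."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def in_scope_zones(flows, cde_zone="cde"):
    """Breadth-first walk from the CDE over permitted flows; every zone reached
    is 'connected to' the CDE (assumed to mean in scope here)."""
    adj = zone_graph(flows)
    seen = {cde_zone}
    queue = deque([cde_zone])
    while queue:
        zone = queue.popleft()
        for neighbour in adj.get(zone, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def classify(systems, flows, cde_zone="cde"):
    """Label each system 'in scope' or 'out of scope' for the given policy."""
    scope = in_scope_zones(flows, cde_zone)
    return {
        name: ("in scope" if zone in scope else "out of scope")
        for name, zone in systems.items()
    }


if __name__ == "__main__":
    for name, status in classify(SYSTEMS, ALLOWED_FLOWS).items():
        print(f"{name:18} {status}")
    # Removing the corp<->mgmt rules takes the corporate zone out of scope.
    reduced = {f for f in ALLOWED_FLOWS if "corp" not in f}
    print("hr-app after segmentation:", classify(SYSTEMS, reduced)["hr-app"])
```

Running the classifier before and after a rule change is a quick way to show a client what a segmentation gateway or firewall policy actually buys them: here the corporate HR application is in scope only because the corporate zone can reach the management zone that reaches the CDE, and dropping that path removes it.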

Of the companies in Verizon’s study, 62 percent used third-party organizations for scope-reduction methods; however, the report stresses that responsibility for compliance remains with the merchant, which is responsible for monitoring third-party organizations that could impact CHD.

The report also makes a statement that can help you explain the ROI of a solution that reduces PCI DSS scope: “Cutting the DSS scope can result in lower total cost of ownership, making maintenance of controls easier, and reducing risk via limiting the attack surface.”