5 TIPS TO PAY LESS FOR PCI COMPLIANCE
SIMPLE STEPS TO REDUCE YOUR PCI SCOPE
Ebook
© 2015 SecurityMetrics
5 TIPS TO PAY LESS FOR PCI COMPLIANCE | 1
ABOUT THIS EBOOK
WHO SHOULD READ THIS EBOOK?
•	 IT directors and managers in charge of PCI compliance and data security
•	 Acquirers, ISOs, and portfolio managers
•	 Anyone interested in network, data, or payment security
READ THIS EBOOK TO LEARN:
•	 How to define your cardholder data inflows and outflows
•	 Why storing PAN might increase your PCI scope
•	 5 tips to save your business money and reduce PCI scope
MORE OF A VIDEO PERSON?
Check out the full-length webinar for additional insights and info.
INTRODUCTION
With the recent changes in PCI DSS 3.0 and PCI DSS 3.1, many organizations have found it more expensive and difficult to keep up with the latest PCI DSS data security requirements. The most dramatic changes are the introduction of new Self-Assessment Questionnaire (SAQ) categories and an extended PCI scope.
This ebook discusses tips to reduce your current PCI scope, which may help you save money on managed services, decrease the internal resources you need, and reduce your long-term workload.
A CARDHOLDER DATA ENVIRONMENT IS COMPRISED OF PEOPLE, PROCESSES, AND TECHNOLOGIES THAT STORE, PROCESS, OR TRANSMIT CARDHOLDER DATA OR SENSITIVE AUTHENTICATION DATA.
WHAT IS PCI SCOPE?
Scope covers the systems in your environment that must be tested and protected to become PCI compliant, while an SAQ is simply a validation tool for merchants and service providers to self-evaluate their compliance with PCI DSS.
Here’s a quick list of system components that are probably in scope in your environment:
•	 Networking devices
•	 Firewalls
•	 Servers
•	 Switches and routers
•	 Computing devices
•	 Applications
The bottom line is: if a person, process, technology, or component stores, processes, or transmits card data (or is connected to systems that do), it’s considered in scope.
PCI 3.0 SCOPE CHANGES
PCI DSS 3.0 clarified that there are secondary systems not directly related to processing card information that are now in scope for PCI, such as log servers, Network Time Protocol (NTP), and Domain Name System (DNS).
PCI 3.0 has offered greater clarity on which system components are in scope:
•	 Systems that provide security services (e.g., authentication servers), facilitate segmentation (e.g., internal firewalls), or may impact the security of the cardholder data environment (CDE) (e.g., name resolution or web redirection servers).
•	 Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
•	 Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
•	 Server types including but not limited to web, application, database, authentication, mail, proxy, NTP, and DNS.
•	 Applications including all purchased and custom applications, and internal and external (e.g., Internet) applications.
•	 Any other component or device located within or connected to the CDE.
Let me give you an example. PCI Requirement 10 requires you to log all the events in your system and store them in a centralized log server. Now these log servers and any connected systems are in scope, unless you segment your network accordingly.
These new changes likely mean you will have to spend more time and resources becoming compliant than you may have expected or budgeted for.
Keep these PCI 3.0 changes in mind as you reduce your scope and comply with PCI DSS requirements.
IN MOST CASES, YOUR PCI SCOPE WILL HAVE CHANGED FROM PCI DSS 2.0 TO 3.0.
WHAT ABOUT 3.0 SAQS?
Often people associate PCI scope with Self-Assessment Questionnaires (SAQs), but these are two different parts of PCI compliance.
INCREASE SECURITY, DECREASE WORKLOAD
Reducing scope means that you either outsource or change aspects of your PCI compliance. For example, you can outsource the management of your firewalls, or you can change where you store primary account numbers (PAN) to your merchant’s system.
What does reducing PCI scope do for your organization? Reducing scope, particularly by removing or outsourcing PAN, can change which SAQ you qualify for (decreasing the number of SAQ questions you are required to follow). This means that you will have to spend less time and fewer internal resources on PCI compliance.
REDUCING SCOPE MEANS THAT YOU EITHER OUTSOURCE OR CHANGE ASPECTS OF YOUR PCI COMPLIANCE.
DECREASING YOUR PCI SCOPE
To reduce scope, you must understand the actual method you use to process card data. Only then can you look at procedures that can be eliminated or outsourced.
Think through the different processes by which cardholder information is received and sent via your network. How does cardholder data enter your environment? What devices are you using to collect cardholder data? Where do you send the data? How do you process this information? Your answers to these and similar questions will help determine the exact breadth of your PCI scope.
Remember, even infrequent flows of cardholder data are still important and will affect your PCI scope, even if they only happen once a year.
HERE ARE SOME SPECIFIC EXAMPLES TO GET YOU THINKING OF HOW CARDHOLDER DATA FLOWS IN YOUR NETWORK.
HOW DOES CARD DATA COME INTO YOUR NETWORK?
•	 Point of sale (POS) system
•	 Mobile POS system
•	 Ecommerce website
•	 Mail order telephone systems
•	 Virtual terminals
•	 Outsourced procedures processing under your merchant ID
WHAT HAPPENS TO THE CARDHOLDER DATA INSIDE YOUR NETWORK?
•	 Is your website hosted at your location or through a third party?
•	 Does your system batch at the end of the day?
•	 How does your terminal connect? (e.g., Internet, cellular, analog, etc.)
•	 Where is card data stored in your environment?
WHERE DO YOU SEND CARDHOLDER DATA AFTER PAYMENT?
•	 Processor
•	 Backhouse server
•	 Backup server
•	 Third party that stores or handles PAN
•	 Outsourced management of your systems or infrastructure
HOW TO CREATE A CARD FLOW DIAGRAM
Keeping track of all cardholder data flows, what systems they interact with, and where card data is stored at your organization can be difficult. That’s where a card flow diagram comes in.
PCI DSS version 3.0 Requirement 1.1.3 requires you to have a current cardholder data flow diagram for all card flows in your organization. A card flow diagram is simply a graphical representation of how card data moves at your organization.
To accurately craft your card flow diagram, ask yourself questions such as:
•	 What device am I using for the transaction? A virtual terminal? A POS system?
•	 What happens to the card data after a transaction?
•	 When is data encrypted? Is it even encrypted at all?
•	 Do I store card data before it is sent to the processor for approval?
•	 When I send data for approval, does it go out and come back through a firewall? Is the firewall PCI compliant?
•	 How is data authorized and returned by the bank?
•	 Is card data backed up on my system? Is it encrypted? Is my backup server at a different data center?
ONCE YOU KNOW YOUR FLOWS AND KNOW WHAT SYSTEMS THEY INTERACT WITH, YOU CAN EASILY CREATE A CARD FLOW DIAGRAM OF HOW CARD DATA MOVES WITHIN YOUR NETWORK.
Think of your card flow diagrams as card-processing spring cleaning. Imagine you are doing a little spring cleaning, and you find a storage box labeled “Christmas.” After opening it, you find Christmas lights but also gardening shears inside.
Card flow diagrams are like that box. Often businesses believe their labeled boxes (or card flows) are set up a certain way and contain certain things. In reality, they are much different than originally thought.
Mistakes in the flow of card data could have been made in a variety of ways. Perhaps a point of sale terminal was set up incorrectly. Maybe an employee went in after the system was correctly set up and accidentally changed a process, much like accidentally placing gardening shears in a Christmas storage box. There are many possible ways of making mistakes in how you process and store your card data.
Like relabeling storage boxes after a thorough spring cleaning, card flow diagrams help you know which processes must be changed for better organization. They also show possible ways to reduce your scope, like condensing all gardening supplies from five boxes into one.
ARE YOU UNKNOWINGLY STORING PAN?
When defining scope it is important to understand the impact of storing card numbers, especially if they are unencrypted.
If you electronically store the PAN from a credit or debit card, you automatically qualify for PCI SAQ D, which has 335 requirements. You are also required to make sure all stored PAN is encrypted.
The problem is, many merchants don’t know they store unencrypted PANs. In the latest study by SecurityMetrics, 61% of merchants were found to store unencrypted PANs.
Do you have a refund process? If so, you may store PAN. For example, finance departments often receive bank statements with full cardholder numbers. Sometimes the finance team will get a notification of a disputed transaction via email and, because they have data retention requirements, they’ll save that information without encryption.
Therefore, as you are defining your environment, it’s important to ask all organizations and departments whether they receive cardholder information or not. Then you need to define exactly how this changes your card flows.
PAN (PRIMARY ACCOUNT NUMBER): The digits on the front of a payment card. Also called a bankcard number. You are allowed to store full card details, with the exception of track data, if properly encrypted.
REMOVING PAN FROM YOUR ENVIRONMENT
To avoid being in the dark about your own PAN storage, make sure you ask your vendor exactly how your POS system works. For example, does it automatically store cardholder data? Does it write cardholder data to a database and keep a transaction record for 30 days to easily process refunds?
In addition, you should regularly run a cardholder data discovery tool (such as PANscan). These tools help you find unencrypted PAN data and where it resides. Knowing where PAN data is stored helps you to confirm whether or not your CDE is what you think it is. It also helps you to identify which processes or flows might need to be fixed. Once you identify new processes, you can begin to determine what you can do to either fix the process or add it into your normal environment processes.
KNOWING WHERE PAN DATA IS STORED HELPS YOU TO CONFIRM WHETHER OR NOT YOUR CDE IS WHAT YOU THINK IT IS.
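The discovery step described in the two sections above (finance-team refund records that quietly hold full card numbers, and the advice to run a discovery tool to find them) can be scripted. The Python scanner below is an added example written for this edit; it is not SecurityMetrics code and does not describe how PANscan works. It pulls 13- to 19-digit candidates out of text, keeps only those that pass the Luhn check (which discards order numbers, timestamps and reference ids that merely look like card numbers), and reports each hit masked to the first six and last four digits so that the scan report does not itself become a new PAN store. The refund-log sample, its public test card numbers, and the scan_tree helper are constructed assumptions.

```python
from __future__ import annotations

import os
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not adjacent to other digits (so longer numeric runs are skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:  # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((line_number, mask_pan(digits)))
    return findings


def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk a directory and report masked findings per file (assumed helper; text files only)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as handle:
                    findings = scan_text(handle.read())
            except OSError:
                continue
            if findings:
                report[path] = findings
    return report


# Constructed sample: a finance-team refund log of the kind the ebook describes.
# The card numbers are public test numbers, not real accounts. Line 2 holds a
# 16-digit reference that fails Luhn; line 5 holds a 20-digit order id.
SAMPLE_TEXT = """\
refund-log.txt (constructed sample)
2015-03-02 dispute ref 1234567890123456 customer J. Doe
card 4111 1111 1111 1111 exp 12/18 refund $42.00
amex 378282246310005 chargeback pending
order id 20150302000123456789 shipped
"""

if __name__ == "__main__":
    for line_number, masked in scan_text(SAMPLE_TEXT):
        print(f"line {line_number}: {masked}")
```

Only lines 3 and 4 of the sample are reported; the reference id on line 2 and the order id on line 5 never reach the report, which is the difference between a discovery scan and a grep for long numbers. Point scan_tree at a share or a mailbox export and every file it names is a place where PAN has leaked out of the flows on your diagram.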
PAN STORAGE CASE STUDIES
Customers use a gift card.
If the gift card you accept is not one of the five major brands (VISA, Mastercard, Amex, JCB, and Discover), then the gift card vendor sets the requirements to secure the card information. This means that such gift cards are not required to be protected under PCI DSS.
Customers fax you their card information.
In most cases, your customer is sending you an eFax, which is sent by email and needs to be encrypted (even if it is in PDF format). Yet if your customer is sending you a fax over a phone line, the phone system is not in scope; you only need to make sure that the fax machine is in a secure area and that you monitor incoming faxes.
Customers email you PAN.
Email is one of the most difficult aspects to secure and remain PCI compliant. If you do receive PAN over email, it needs to be encrypted. You should not accept any unencrypted PAN over email because once it enters the public domain of the Internet, it is almost impossible to protect. We recommend you find an alternative solution if this regularly happens in your environment.
5 TIPS TO REDUCE YOUR PCI SCOPE
Now that you understand what scope is, and how to define it at your unique organization, how do you reduce your scope to decrease your workload? Reducing scope is done by either outsourcing or changing aspects of your PCI compliance, specifically processes dealing with PAN data. Reducing scope often changes the SAQ you qualify for and decreases the number of SAQ questions you are required to follow.
REDUCING SCOPE OFTEN CHANGES THE SAQ YOU QUALIFY FOR AND DECREASES THE NUMBER OF SAQ QUESTIONS YOU ARE REQUIRED TO FOLLOW.
SAQs with bigger scopes require increased security measures and additional testing procedures, which expands your staff’s workload in order to fulfill an intensive SAQ. The more rigorous the SAQ, the more time consuming it can be for your staff to make sure the proper security measures are in place. It can also be so complicated that it requires assistance from expensive managed services (particularly IT services).
The following are tips to help you reduce your PCI scope, so that you can decrease your workload and save time and money.
1: DON’T STORE PAN
Those that store PAN qualify for SAQ D (335 requirements), which is quite extensive when compared to other SAQs like SAQ A (14 requirements).
SAQ D includes:
•	 File integrity monitoring (FIM)
•	 Intrusion detection system or intrusion prevention system (IDS/IPS)
•	 Annual penetration testing (internal and external)
•	 Physical security for systems that store data
•	 Firewall
•	 Change control
•	 Internal and external scanning
•	 And . . . the whole PCI DSS standard
Qualifying for SAQ D does not simplify PCI compliance.
You might think storing PAN makes life easier. For example, perhaps you process a lot of refunds. Or perhaps you store credit cards for frequent customers. That seems like a good decision at first because it increases sales by making transactions faster for your customers. The downside is you still store PAN and qualify for SAQ D.
If you must store PAN, consider an alternate method. For example, can your bank store the card numbers, and then provide you access through a portal when doing refunds? Can you outsource the entirety of your payment page to a third party? (If so, you potentially qualify for SAQ A, B, or C.)
Bottom line is: if you don’t have a compelling business need to store PAN, don’t store it!
IF YOU DON’T NEED PAN, DON’T STORE IT!
2: OUTSOURCE PCI ASPECTS
Could service providers take on some of your more daunting PCI requirements, such as firewall management, log collection/monitoring, or systems hosting?
If you don’t have to hire personnel to manage outsourced devices, you can have your staff spend more time on other job duties. However, it is important to understand that outsourcing all aspects of PCI compliance does not necessarily take away all of your responsibilities. PCI Requirements 12.8 and 12.9 require that you specify who is in charge of which PCI aspects. For example, you are required to provide a list of all third party service providers in use, all PCI requirements the service providers meet, and the PCI requirements you are required to meet.
Requirement 12.8 specifically requires a clear delineation of roles, with both parties signing an agreement acknowledging their responsibilities. You also need to maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
OUTSOURCING IS A GREAT WAY TO REDUCE YOUR SCOPE.
3: POINT-TO-POINT ENCRYPTION (P2PE)
Another option for scope reduction is point-to-point encryption (P2PE). P2PE is defined by PCI DSS as a process “provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”
A POS terminal is the most common P2PE process. The POS terminal process is as follows: first, the data is entered into the point of sale terminal; then, before the data is stored or transmitted, it is transformed into unreadable ciphertext; and finally, only with a special key can the data become readable once again.
Because card data is immediately encrypted as the card is swiped, no unencrypted information resides in the payment environment, even for one millisecond. Even if a hacker installed memory scraping software on the POS register, it would only pick up useless strings of encrypted card numbers with no way to decode them.
In a nutshell, if you properly implement a validated P2PE solution and have no access to unencrypted data, the encryption keys, or the system that controls the keys, you may qualify for the P2PE SAQ, with only 35 questions.
THE MOST COMMON P2PE PROCESS IS A POS TERMINAL, WHICH SHOULD IMPLEMENT A VALIDATED P2PE SOLUTION AND HAVE NO ACCESS TO UNENCRYPTED DATA.
4: TOKENIZATION
Tokenization is a process where a service provider takes the cardholder data and completely replaces the PAN in an environment with a surrogate value called a “token.” Usually service providers collect the PAN at the transaction, so that you never have access to this information. Then, any time you want to run another transaction with that customer, you send that token and the transaction details to the third-party provider. They map it back to the PAN and send it out for authorization.
If you properly implement tokenization so that PAN is not retrievable from any system component, you can store tokens in your database with no security consequences. Tokens are not considered PAN, so storing tokens would not be in scope.
Just make sure that if you implement tokenization, you are not still storing the PAN, or storing old caches of PAN, in your environment. Make sure you run data discovery tools to find all PAN caches, so you can replace them with tokens. Any time PAN is removed from an environment, scope is reduced.
AVOID THESE COMMON TOKENIZATION MISTAKES
Tokenization might not be properly implemented for call centers that use IVR (interactive voice response) systems, which allow customers to enter their number over the phone. The system will often store PAN from the transaction unless you outsource the collection process.
Tokenization might not be properly implemented in ecommerce environments. If you manually enter customer cardholder data via a website, PAN might be stored in your browser memory (if your website is configured to cache web pages, including the encrypted pages, in your browser).
TOKENIZATION IS AN EASY WAY TO REDUCE YOUR SCOPE, POSSIBLY EVEN CHANGING YOUR SAQ TYPE.
5: NETWORK SEGMENTATION
Network segmentation is a method of separating the systems in your environment that store, process, or transmit cardholder data from those that don’t.
Merchants are often set up with big flat networks, where everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it. Flat networks make securing your card data extremely difficult because if an attacker gets inside the network, they have access to everything. As a result, your entire network is in scope for PCI.
That’s why network segmentation is such a great method to reduce scope. You simply don’t allow systems with PAN or other sensitive information to connect with other parts of your network.
NETWORK SEGMENTATION IS ONE OF THE BEST WAYS TO REDUCE THE NUMBER OF SYSTEMS THAT STORE, PROCESS, OR TRANSMIT CARD DATA (IN TURN, REDUCING YOUR SCOPE).
Here’s a great example of network segmentation via a firewall. Say you install and configure a multi-interface firewall at the edge of your network. From there, you create one interface on the firewall dedicated just to the systems that store, process, or transmit cardholder data. If that interface doesn’t allow any other traffic into or out of any other zones, that’s proper network segmentation.
A way to properly segment a network without a firewall is through an air gap. An air gap just means having truly separate network environments for card data. Specifically, the actual network equipment that runs the card data environment is totally separate from your office environment.
If you properly segment networks, you aren’t required to implement PCI requirements for out-of-scope networks. Although PCI isn’t required there, it still contains good security practices for your business.
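The firewall-interface example above can be checked rather than assumed. The Python below is an added example, not from the ebook or any firewall vendor: it models an ordered rule list with first-match semantics and a default deny (the way most firewalls evaluate policy), then probes every zone pair that touches the CDE on a handful of representative ports and reports any flow the policy allows that is not on an explicit list of justified business flows. The zone names, the port list, and the three sample policies (a flat network, a properly segmented one, and a misordered one where a broad office rule sits above the CDE deny rules) are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One firewall rule: src/dst are zone names or ANY, port is a TCP port or ANY."""
    src: str
    dst: str
    port: int | str
    action: str  # "allow" or "deny"


def first_match(rules: list[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate a flow the way most firewalls do: ordered rules, first match wins,
    and anything no rule matches is denied."""
    for rule in rules:
        if rule.src in (ANY, src) and rule.dst in (ANY, dst) and rule.port in (ANY, port):
            return rule.action
    return "deny"


# Constructed probe set: ports that matter in a card environment
# (SSH, web, HTTPS, SMB, SQL Server, RDP). Extend it to match your own services.
PROBE_PORTS = (22, 80, 443, 445, 1433, 3389)


def segmentation_findings(rules, zones, cde_zone, permitted):
    """Return every (src_zone, dst_zone, port) flow between the CDE and another
    zone that the policy allows but the permitted list does not justify.
    An empty result means the CDE interface reaches nothing it should not."""
    findings = []
    for other in zones:
        if other == cde_zone:
            continue
        for src, dst in ((cde_zone, other), (other, cde_zone)):
            for port in PROBE_PORTS:
                if first_match(rules, src, dst, port) == "allow" and (src, dst, port) not in permitted:
                    findings.append((src, dst, port))
    return findings


# Constructed zones and policies.
ZONES = ("cde", "office", "guest_wifi", "processor")
CDE = "cde"
# The only cross-zone flow the business needs: authorizations to the processor over HTTPS.
PERMITTED = {("cde", "processor", 443)}

# A flat network: one rule, everything reaches everything.
FLAT = [Rule(ANY, ANY, ANY, "allow")]

# Proper segmentation: the CDE interface passes only the processor flow.
SEGMENTED = [
    Rule("cde", "processor", 443, "allow"),
    Rule("cde", ANY, ANY, "deny"),
    Rule(ANY, "cde", ANY, "deny"),
    Rule("office", ANY, ANY, "allow"),
]

# A common mistake: a broad office rule placed above the CDE deny rules.
MISORDERED = [
    Rule("office", ANY, 443, "allow"),
    Rule("cde", "processor", 443, "allow"),
    Rule("cde", ANY, ANY, "deny"),
    Rule(ANY, "cde", ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED), ("misordered", MISORDERED)):
        hits = segmentation_findings(policy, ZONES, CDE, PERMITTED)
        print(f"{name}: {len(hits)} unjustified CDE flows", hits[:3])
```

The flat policy produces 35 unjustified flows (every probe between the CDE and the other three zones except the one permitted processor flow), the segmented policy produces none, and the misordered policy produces exactly one: office to CDE on 443, reachable only because of rule order. That last case is the one to watch for in real rule bases; the deny rules are present, they are just never reached. Export your firewall's rule table into the same shape and the audit gives you evidence, rather than a belief, that the CDE interface is isolated.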
CONCLUSION
To reduce your PCI scope, you need to know the flows of cardholder data in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured. Because of all the recent changes and new requirements, now is an ideal time to rethink your data security and reduce your PCI compliance workload. Reducing scope will help you to save money and free your staff to focus on other work responsibilities, saving you both time and resources.
ABOUT SECURITYMETRICS
SecurityMetrics has helped over 800,000 organizations comply with financial and healthcare mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements.
For more information about how we can help protect your customer data and reduce your PCI scope, contact us at 801.705.5656 or email consulting@securitymetrics.com.

Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insightsseri bangash
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaShree Krishna Exports
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 DelhiCall Girls in Delhi
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 

Recently uploaded (20)

Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insights
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in India
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow  ) 🔝 8923113531 🔝  Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 

5 Tips to Pay Less for PCI Compliance

  • 1. 5 TIPS TO PAY LESS FOR PCI COMPLIANCE
    SIMPLE STEPS TO REDUCE YOUR PCI SCOPE
    Ebook © 2015 SecurityMetrics
  • 2. 5 TIPS TO PAY LESS FOR PCI COMPLIANCE | 1
    5 TIPS TO PAY LESS FOR PCI COMPLIANCE
    SIMPLE STEPS TO REDUCE YOUR PCI SCOPE
    ABOUT THIS EBOOK
    WHO SHOULD READ THIS EBOOK?
      • IT directors and managers in charge of PCI compliance and data security
      • Acquirers, ISOs, and portfolio managers
      • Anyone interested in network, data, or payment security
    READ THIS EBOOK TO LEARN:
      • How to define your cardholder data inflows and outflows
      • Why storing PAN might increase your PCI scope
      • 5 tips to save your business money and reduce PCI scope
    MORE OF A VIDEO PERSON?
    Check out the full-length webinar for additional insights and info.
  • 3. INTRODUCTION
    With the recent changes in PCI DSS 3.0 and PCI 3.1, many organizations have found it’s more expensive and difficult to keep up with PCI compliance’s latest data security requirements. The most dramatic changes are the introduction of new Self-Assessment Questionnaire (SAQ) categories and extended PCI scope.
    This ebook discusses tips to reduce your current PCI scope, which may help you save money on managed services, decrease internal resources, and reduce your long-term workload.
    A CARDHOLDER DATA ENVIRONMENT IS COMPRISED OF PEOPLE, PROCESSES, AND TECHNOLOGIES THAT STORE, PROCESS, OR TRANSMIT CARDHOLDER DATA OR SENSITIVE AUTHENTICATION.
    WHAT IS PCI SCOPE?
    Scope deals with the environment systems that must be tested and protected to become PCI compliant, while the SAQ is simply a validation tool for merchants and service providers to self-evaluate compliance with PCI DSS.
    Here’s a quick list of system components that are probably in scope in your environment:
      • Networking devices
      • Firewalls
      • Servers
      • Switches/routers
      • Computing devices
      • Applications
    The bottom line is: if the people/process/technology/component stores, processes, or transmits card data (or is connected to systems that do), it’s considered in scope.
  • 4. PCI 3.0 SCOPE CHANGES
    PCI DSS 3.0 clarified that there are secondary systems not directly related to processing card information that are now in scope for PCI, such as log servers, Network Time Protocol (NTP), and Domain Name System (DNS). PCI 3.0 has offered greater clarity on which system components are in scope:
      • Systems that provide security services (e.g., authentication servers), facilitate segmentation (e.g., internal firewalls), or may impact the security of the cardholder data environment (CDE) (e.g., name resolution or web redirection servers).
      • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
      • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
      • Server types including but not limited to web, application, database, authentication, mail, proxy, NTP, and DNS.
      • Applications including all purchased and custom applications, and internal and external (e.g., Internet) applications.
      • Any other component or device located within or connected to the CDE.
  • 5. Let me give you an example. PCI Requirement 10 requires you to log all the events in your system and store them in a centralized log server. Now these log servers and any connected systems are in scope, unless you segment your network accordingly.
    These new changes likely mean you will have to spend more time and resources becoming compliant than you may have expected or budgeted for. Keep these PCI 3.0 changes in mind as you reduce your scope and comply with PCI DSS requirements.
    IN MOST CASES, YOUR PCI SCOPE WILL HAVE CHANGED FROM PCI DSS 2.0 TO 3.0
    WHAT ABOUT 3.0 SAQS?
    Often people associate PCI scope with Self-Assessment Questionnaires (SAQs), but these are two different parts of PCI compliance.
  • 6. INCREASE SECURITY, DECREASE WORKLOAD
    Reducing scope means that you either outsource or change aspects of your PCI compliance. For example, you can outsource your management of firewalls, or you can change where you store primary account numbers (PAN) to your merchant’s system.
    What does reducing PCI scope do for your organization? Reducing scope, particularly by removing or outsourcing PAN, can change which SAQ you qualify for (decreasing the number of SAQ questions you are required to follow). This means that you will have to spend less time and fewer internal resources on PCI compliance.
    REDUCING SCOPE MEANS THAT YOU EITHER OUTSOURCE OR CHANGE ASPECTS OF YOUR PCI COMPLIANCE.
  • 7. DECREASING YOUR PCI SCOPE
    To reduce scope, you must understand the actual method you use to process card data. Only then can you look at procedures that can be eliminated or outsourced.
    Think through the different processes of how cardholder information is received and sent via your network. How does cardholder data enter your environment? What devices are you using to collect cardholder data? Where do you send the data? How do you process this information? Your answers to these and similar questions will help determine the exact breadth of your PCI scope.
    Remember, even infrequent flows of cardholder data are still important and will affect your PCI scope, even if they only happen once a year.
    HERE ARE SOME SPECIFIC EXAMPLES TO GET YOU THINKING OF HOW CARDHOLDER DATA FLOWS IN YOUR NETWORK.
  • 8. HOW DOES CARD DATA COME INTO YOUR NETWORK?
      • Point of sale (POS) system
      • Mobile POS system
      • Ecommerce website
      • Mail order telephone systems
      • Virtual terminals
      • Outsourced procedures processing under your merchant ID
    WHAT HAPPENS TO THE CARDHOLDER DATA INSIDE YOUR NETWORK?
      • Is your website hosted at your location or through a third party?
      • Does your system batch at the end of the day?
      • How does your terminal connect? (e.g., Internet, cellular, analog, etc.)
      • Where is card data stored in your environment?
    WHERE DO YOU SEND CARDHOLDER DATA AFTER PAYMENT?
      • Processor
      • Backhouse server
      • Backup server
      • Third party that stores or handles PAN
      • Outsourced management of your systems or infrastructure
  • 9. HOW TO CREATE A CARD FLOW DIAGRAM
    Keeping track of all cardholder data flows, what systems they interact with, and where card data is stored at your organization can be difficult. That’s where a card flow diagram comes in. PCI DSS version 3.0 Requirement 1.1.3 requires you to have a current cardholder flow diagram for all card flows in your organization. A card flow diagram is simply a graphical representation of how card data moves at your organization.
    To accurately craft your card flow diagram, ask yourself questions such as:
      • What device am I using for the transaction? A virtual terminal? POS system?
      • What happens to the card data after a transaction?
      • When is data encrypted? Is it even encrypted at all?
      • Do I store card data before it is sent to the processor for approval?
      • When I send data for approval, does it go in and back through a firewall? Is the firewall PCI compliant?
      • How is data authorized and returned by the bank?
      • Is card data backed up on my system? Is it encrypted? Is my backup server at a different data center?
    ONCE YOU KNOW YOUR FLOWS AND WHAT SYSTEMS THEY INTERACT WITH, YOU CAN EASILY CREATE A CARD FLOW DIAGRAM OF HOW CARD DATA MOVES WITHIN YOUR NETWORK.
  • 10. Think of your card flow diagrams as card processing spring-cleaning. Imagine you are doing a little spring-cleaning, and you find a storage box labeled “Christmas.” After opening it, you find Christmas lights but also gardening shears inside.
    Card flow diagrams are like that box. Often businesses believe their labeled boxes (or card flows) are set up a certain way and contain certain things. In reality, they are much different than originally thought.
    Mistakes in the flow of card data could have been made in a variety of ways. Perhaps a point of sale terminal was set up incorrectly. Maybe an employee went in after the system was correctly set up and accidentally changed a process, much like accidentally placing gardening shears in a Christmas storage box. There are many possible ways of making mistakes in how you process and store your card data.
    Like relabeling storage boxes after a thorough spring-cleaning, card flow diagrams help you know which processes must be changed for better organization. They also show possible ways to reduce your scope, like condensing all gardening supplies from five boxes into one.
  • 11. ARE YOU UNKNOWINGLY STORING PAN?
    When defining scope it is important to understand the impact of storing card numbers, especially if they are unencrypted. If you electronically store the PAN on a credit or debit card, you automatically qualify for PCI SAQ D, which has 335 requirements. You are also required to make sure all stored PAN is encrypted.
    The problem is, many merchants don’t know they store unencrypted PANs. In the latest study by SecurityMetrics, 61% of merchants were found to store unencrypted PANs.
    Do you have a refund process? If so, you may store PAN. For example, finance departments often receive bank statements with full cardholder numbers. Sometimes the finance team will get a notification of a disputed transaction via email and, because they have data retention requirements, they’ll save that information without encryption.
    Therefore, as you are defining your environment, it’s important to ask all organizations and departments whether they receive cardholder information or not. Then you need to define exactly how this changes your card flows.
    PAN (PRIMARY ACCOUNT NUMBER): The digits on the front of a payment card. Also called a bankcard number. You are allowed to store full card details with the exception of track data, if properly encrypted.
  • 12. REMOVING PAN FROM YOUR ENVIRONMENT
    To avoid being in the dark about your own PAN storage, make sure you ask your vendor exactly how your POS system works. For example, does it automatically store cardholder data? Does it write cardholder data to a database and keep a transaction record for 30 days to easily process refunds?
    In addition, you should regularly run a cardholder data discovery tool (such as PANscan). These tools help you find unencrypted PAN data and where it resides. Knowing where PAN data is stored helps you to confirm whether or not your CDE is what you think it is. It also helps you to identify which processes or flows might need to be fixed. Once you identify new processes, you can begin to determine what you can do to either fix the process or add it into your normal environment processes.
    KNOWING WHERE PAN DATA IS STORED HELPS YOU TO CONFIRM WHETHER OR NOT YOUR CDE IS WHAT YOU THINK IT IS.
  • 13. PAN STORAGE CASE STUDIES
    Customers use a gift card. If the gift card you accept is not one of the five major brands (VISA, Mastercard, Amex, JCB, and Discover), then the gift card vendor sets the requirements to secure the credit card information. This means that gift cards are not required to be protected by PCI DSS regulations.
    Customers fax you their card information. In most cases, your customer is sending you an eFax and sending it by email, which needs to be encrypted (even if it is in PDF format). Yet if your customer is sending you a fax, the phone system is not in scope; you only need to make sure that the fax machine is in a secure area and that you monitor incoming faxes.
    Customers email you PAN. Email is one of the most difficult aspects to secure and remain PCI compliant. If you do receive PAN over email, it needs to be encrypted. You should not accept any unencrypted PAN over email because once it enters the public domain of the Internet, it is almost impossible to protect. We recommend you find an alternative solution if it regularly happens in your environment.
  • 14. 5 TIPS TO REDUCE YOUR PCI SCOPE
    Now that you understand what scope is, and how to define it at your unique organization, how do you reduce your scope to decrease your workload? Reducing scope is done by either outsourcing or changing aspects of your PCI compliance, specifically processes dealing with PAN data. Reducing scope often changes the SAQ you qualify for and decreases the number of SAQ questions you are required to follow.
    REDUCING SCOPE OFTEN CHANGES THE SAQ YOU QUALIFY FOR AND DECREASES THE NUMBER OF SAQ QUESTIONS YOU ARE REQUIRED TO FOLLOW.
    SAQs with bigger scopes require increased security measures and additional testing procedures, which expands your staff’s workload in order to fulfill an intensive SAQ. The more rigorous the SAQ, the more time consuming it can be for your staff to make sure the proper security measures are in place. It also can be so complicated that it requires assistance from expensive managed systems (particularly IT services).
    The following are tips to help you reduce your PCI scope, so that you can decrease your workload and save time and money.
  • 15. 1: DON’T STORE PAN
    Those that store PAN qualify for SAQ D (335 requirements), which is quite extensive when compared to other SAQs like SAQ A (14 requirements). SAQ D includes:
      • File integrity monitoring (FIM)
      • Intrusion detection system or intrusion prevention system (IDS/IPS)
      • Annual penetration testing (internal and external)
      • Physical security for systems that store data
      • Firewall
      • Change control
      • Internal and external scanning
      • And . . . the whole PCI DSS standard
    Qualifying for an SAQ D does not simplify PCI compliance. You might think storing PAN makes life easier. For example, perhaps you process a lot of refunds. Or perhaps you store credit cards for frequent customers. That seems like a good decision at first because it increases sales by making transactions faster for your customers. The downside is you still store PAN and qualify for an SAQ D.
    If you must store PAN, consider an alternate method. For example, can your bank store the card numbers, and then provide you access through a portal when doing refunds? Can you outsource the entirety of your payment page to a third party? (If so, you potentially qualify for SAQ A, B, or C.) The bottom line is: if you don’t have a compelling business need to store PAN, don’t store it!
    IF YOU DON’T NEED PAN, DON’T STORE IT!
  • 16. 2: OUTSOURCE PCI ASPECTS
    Could service providers take on some of your more daunting PCI requirements, such as firewall management, log collection/monitoring, or systems hosting? If you don’t have to hire personnel to manage outsourced devices, you can have your staff spend more time on other job duties.
    However, it is important to understand that outsourcing all aspects of PCI compliance does not necessarily take away all of your responsibilities. PCI Requirements 12.8 and 12.9 require that you specify who is in charge of which PCI aspects. For example, you are required to provide a list of all third party service providers in use, all PCI requirements the service providers meet, and the PCI requirements you are required to meet. Requirement 12.8 specifically requires a clear delineation of roles, with both parties signing an agreement acknowledging their responsibilities. You also need to maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
    OUTSOURCING IS A GREAT WAY TO REDUCE YOUR SCOPE.
  • 17. 3: POINT-TO-POINT ENCRYPTION (P2PE)
    Another option for scope reduction is point-to-point encryption (P2PE). P2PE is defined by PCI DSS as a process “provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”
    A POS terminal is the most common P2PE process. The POS terminal process is as follows: first, the data is entered into the point of sale terminal; then, before the data is stored/transmitted, it is transformed into unreadable code; and finally, only with a special key can the data become readable once again.
    Because card data is immediately encrypted as the card is swiped, it prevents non-encrypted information from residing in the payment environment, even for one millisecond. Even if a hacker installed memory scraping software on the POS register, it would only pick up useless strings of encrypted card numbers with no way to decode them.
    In a nutshell, if you properly implement a P2PE validated solution and have no access to unencrypted data, encryption keys, or the system that controls the keys, you may qualify for a P2PE SAQ, with only 35 questions.
    THE MOST COMMON P2PE PROCESS IS A POS TERMINAL, WHICH SHOULD IMPLEMENT A P2PE VALIDATED SOLUTION AND HAVE NO ACCESS TO UNENCRYPTED DATA.
  • 18. 4: TOKENIZATION
    Tokenization is a process where a service provider takes the cardholder data and completely replaces the PAN in an environment with a surrogate value called a “token.” Usually service providers collect the PAN at the transaction, so that you never have access to this information. Then, anytime you want to run another transaction with that customer, you send that token and the transaction details to a 3rd party provider. They put it back into PAN and send it out for authorization.
    If you properly implement tokenization so that PAN is not retrievable from any system component, you can store tokens in your database with no security consequences. Tokens are not considered PAN, so storing tokens would not be in scope. Just make sure that if you implement tokenization, you’re still not storing the PAN, or storing old caches of PAN in your environment. Make sure you run data discovery tools to find all PAN caches, so you can replace them with tokens. Anytime PAN is removed from an environment, scope is reduced.
    AVOID THESE COMMON TOKENIZATION MISTAKES
    Tokenization might not be properly implemented for call centers that use IVR (integrated voice response) systems, which allow customers to put in their number over the phone. The system will often store PAN from the transaction unless you outsource the collection process.
    Tokenization might not be properly implemented in ecommerce environments. If you manually enter customer cardholder data via a website, PAN might be stored in your browser memory (if your website is configured to cache webpages, including the encrypted pages, in your browser).
    TOKENIZATION IS AN EASY WAY TO REDUCE YOUR SCOPE, POSSIBLY EVEN CHANGING YOUR SAQ TYPE.
  • 19. 5: NETWORK SEGMENTATION
    Network segmentation is a method of separating environment systems that store, process, or transmit cardholder data from those that don’t. Merchants often are set up with big flat networks, where everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it.
    Flat networks make securing your card data extremely difficult because if an attacker gets inside of the network, they have access to everything. As a result, your entire network is in scope for PCI. That’s why network segmentation is such a great method to reduce scope. You simply don’t allow systems with PAN or other sensitive information to connect with other parts of your network.
    NETWORK SEGMENTATION IS ONE OF THE BEST WAYS TO REDUCE THE NUMBER OF SYSTEMS THAT STORE, PROCESS, OR TRANSMIT CARD DATA (IN TURN, REDUCING YOUR SCOPE).
    Here’s a great example of network segmentation via a firewall. Say you install and configure a multi-interface firewall at the edge of your network. From there, you create one interface on the firewall dedicated just to the systems that store/process/transmit cardholder data. If that interface doesn’t allow any other traffic into or out of any other zones, that’s proper network segmentation.
    A way to properly segment a network without a firewall is through an air gap. Air gaps just mean having truly separate network environments for card data environments. Specifically, the actual network equipment that runs the card data environment is totally separate from your office environment.
    If you properly segment networks, you aren’t required to implement PCI requirements for out-of-scope networks. Although PCI isn’t required, it still contains good security practices for your business.
  • 20. CONCLUSION
    To reduce your PCI scope, you need to know the flows of cardholder data in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured. Because of all the recent changes and new requirements, now is an ideal time to rethink your data security and reduce your PCI compliance workload. Reducing scope will help you to save money and free your staff to focus on other work responsibilities, saving you both time and resources.
    ABOUT SECURITYMETRICS
    SecurityMetrics has helped over 800,000 organizations comply with financial and healthcare mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. For more information about how we can help protect your customer data and reduce your PCI scope, contact us at 801.705.5656 or email consulting@securitymetrics.com.
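Slide 12 tells you to run a cardholder data discovery tool to find unencrypted PAN caches. The scanner below is an added example written for this page, not SecurityMetrics' PANscan: it pulls digit runs out of text, keeps only those that pass the Luhn check and fall in one of the five brands' publicly documented (here simplified) IIN ranges, and reports them masked so the report itself is not a new PAN cache. The refund-desk notes file is constructed and uses the well-known brand test numbers.

```python
"""Minimal cardholder-data discovery scanner (added example, not PANscan)."""
import os
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, that are not
# part of a longer digit run (so 20-digit order references are skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str):
    """Simplified public IIN ranges for the five brands named on slide 13."""
    n = len(pan)
    p2, p3, p4, p6 = (int(pan[:k]) for k in (2, 3, 4, 6))
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "Amex"
    if 16 <= n <= 19 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649
                          or 622126 <= p6 <= 622925):
        return "Discover"
    if 16 <= n <= 19 and 3528 <= p4 <= 3589:
        return "JCB"
    return None


def mask(pan: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (line_number, brand, masked_pan) for every PAN found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                brand = brand_of(digits)
                if brand:
                    findings.append((lineno, brand, mask(digits)))
    return findings


def scan_tree(root: str):
    """Walk a directory tree and report findings per file (text read leniently)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = find_pans(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: refund-desk notes of the kind slide 11 describes. The card
# numbers are the public brand test numbers, not real accounts; line 1 carries a
# 16-digit order reference that fails Luhn and must not be reported.
SAMPLE_NOTES = """\
order=A100923 ref=1234567890123456 amount=42.10
refund note: card 4111 1111 1111 1111 exp 12/26 (customer called)
chargeback email: acct 5555-5555-5555-4444 disputed, keep for records
amex 378282246310005 kept on file for recurring billing
token=tok_7f3a9c2e1b amount=19.99
"""

if __name__ == "__main__":
    for lineno, brand, masked in find_pans(SAMPLE_NOTES):
        print(f"line {lineno}: {brand} {masked}")
```

Point `scan_tree` at a share or a POS host's data directory to turn the same check into the periodic sweep the slide recommends.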
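Tip 4 (slide 18) describes tokenization as a provider collecting the PAN, handing back a token, and later swapping the token back for the PAN on the merchant's behalf. The model below is an added example, not any real provider's API: an in-memory provider vault, a merchant store that holds only tokens and last-four digits, a migration that replaces a legacy PAN cache (the kind a discovery scan turns up) with tokens, and the check that a token copied out of one merchant is useless to another. Network authorization is simulated; the merchant ids and rows are constructed.

```python
"""Tokenization flow between a service provider and a merchant (added example)."""
import secrets


class ProviderVault:
    """Service-provider side: the only place the PAN exists after tokenization."""

    def __init__(self):
        self._pan_by_token = {}      # token -> (merchant_id, pan)
        self._token_by_pan = {}      # (merchant_id, pan) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Collect the PAN at the transaction and hand the merchant a token."""
        key = (merchant_id, pan)
        if key not in self._token_by_pan:           # same card, same token, so repeat customers stay linkable
            token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN, so not reversible
            self._pan_by_token[token] = key
            self._token_by_pan[key] = token
        return self._token_by_pan[key]

    def authorize(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Swap the token back for the PAN and forward it for authorization.
        The card-network call is simulated: any token the vault knows is approved."""
        owner, pan = self._pan_by_token.get(token, (None, None))
        if pan is None or owner != merchant_id:
            # A made-up token, or one lifted from another merchant, buys nothing here.
            return {"approved": False, "reason": "unknown token for this merchant"}
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantStore:
    """Merchant side: stores tokens only, never the PAN."""

    def __init__(self, merchant_id: str, vault: ProviderVault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers = {}          # customer_id -> {"token": ..., "last4": ...}

    def save_card(self, customer_id: str, token: str, last4: str) -> None:
        self.customers[customer_id] = {"token": token, "last4": last4}

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        """Run another transaction with a stored customer: only the token leaves."""
        token = self.customers[customer_id]["token"]
        return self.vault.authorize(self.merchant_id, token, amount_cents)

    def migrate_legacy_cache(self, legacy_rows: list) -> int:
        """Replace an old PAN cache with tokens and drop the PAN from each row.
        Each row is {"customer_id": ..., "pan": ...}; returns rows replaced."""
        replaced = 0
        for row in legacy_rows:
            token = self.vault.tokenize(self.merchant_id, row["pan"])
            self.save_card(row["customer_id"], token, row["pan"][-4:])
            row.pop("pan")                              # the old record must not keep the PAN either
            replaced += 1
        return replaced

    def holds_pan(self) -> bool:
        """Self-check: any 13-19 digit numeric value left in customer records."""
        for rec in self.customers.values():
            for value in rec.values():
                if value.isdigit() and 13 <= len(value) <= 19:
                    return True
        return False


def demo() -> dict:
    """Constructed walk-through using the public brand test numbers."""
    vault = ProviderVault()
    shop = MerchantStore("merchant-001", vault)
    legacy = [{"customer_id": "c1", "pan": "4111111111111111"},
              {"customer_id": "c2", "pan": "5555555555554444"}]
    shop.migrate_legacy_cache(legacy)
    other_shop = MerchantStore("merchant-002", vault)
    other_shop.save_card("x", shop.customers["c1"]["token"], "1111")  # token copied out of merchant-001
    return {
        "pan_left_in_merchant": shop.holds_pan(),
        "charge": shop.charge("c1", 1999),
        "cross_merchant": other_shop.charge("x", 1999),
        "legacy_rows_cleaned": all("pan" not in row for row in legacy),
    }


if __name__ == "__main__":
    print(demo())
```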
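Tip 5 (slide 19) says a dedicated CDE firewall interface is properly segmented only if it allows no other traffic into or out of other zones, and slide 5 warns that a log server the CDE sends to is itself in scope. The checker below is an added example, not SecurityMetrics' tooling: it reads a zone-to-zone allow list, computes which internal zones are connected to the CDE (and so in scope), and lists the rules responsible. Zone names, the two policies, and the treatment of PROCESSOR and INTERNET as external are all constructed assumptions.

```python
"""Scope check for a zoned firewall policy (added example)."""
from collections import deque

# A rule is (src_zone, dst_zone, proto, dst_port, action); default deny assumed.
# Third parties outside the merchant's own environment; reaching the processor is
# the one connection the CDE must have, so it does not extend the merchant's scope.
EXTERNAL = {"PROCESSOR", "INTERNET"}


def connectivity(rules):
    """Undirected zone graph built from allow rules only."""
    adj = {}
    for src, dst, _proto, _port, action in rules:
        if action != "allow" or src == dst:
            continue
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def in_scope_zones(rules, cde="CDE"):
    """Every internal zone reachable from the CDE through allowed traffic, in either direction."""
    adj = connectivity(rules)
    seen, queue = {cde}, deque([cde])
    while queue:
        zone = queue.popleft()
        for peer in adj.get(zone, ()):
            if peer not in seen and peer not in EXTERNAL:
                seen.add(peer)
                queue.append(peer)
    return seen


def segmentation_findings(rules, cde="CDE"):
    """One line per allow rule that drags a non-CDE internal zone into scope."""
    findings = []
    for src, dst, proto, port, action in rules:
        if action != "allow" or cde not in (src, dst):
            continue
        peer = dst if src == cde else src
        if peer != cde and peer not in EXTERNAL:
            findings.append(f"{src}->{dst} {proto}/{port}: {peer} is in scope")
    return findings


# Constructed policies. FLAT is the "one firewall at the edge" network from slide 19:
# the office and the card systems can talk freely, so the office is in scope.
FLAT = [
    ("OFFICE", "CDE", "any", "any", "allow"),
    ("CDE", "OFFICE", "any", "any", "allow"),
    ("OFFICE", "INTERNET", "tcp", 443, "allow"),
    ("CDE", "PROCESSOR", "tcp", 443, "allow"),
]

# SEGMENTED gives the CDE its own interface. The syslog rule still pulls the log
# server into scope, which is the Requirement 10 point made on slide 5.
SEGMENTED = [
    ("CDE", "PROCESSOR", "tcp", 443, "allow"),
    ("CDE", "LOGSERVER", "udp", 514, "allow"),
    ("OFFICE", "INTERNET", "tcp", 443, "allow"),
    ("OFFICE", "CDE", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, sorted(in_scope_zones(policy)), segmentation_findings(policy))
```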