April 3, 2010

Reducing PCI Scope for the Enterprise Merchant

Reducing PCI Scope for the Enterprise Merchant

By definition, the scope of a cardholder data environment for a PCI assessment is
“any system that “stores, processes and/or transmits cardholder data.” Securing cardholder
data for many companies is daunting. But with a few simple steps the scope of the
cardholder data environment can be reduced, which can result in less time and money
lost attempting to secure the entire enterprise network. In many instances enterprise
merchants have a difficult time securing their entire cardholder data environment
in the time allowed by their acquirer. If a merchant can reduce the size of the cardholder
data environment by segmenting away a smaller section of the overall enterprise environment,
it will provide an avenue for them to become compliant more efficiently.

of the first things a PCI assessor may ask for is a complete cardholder data flow.
Defining the flow of the cardholder data through the merchant environment is a critical
element in reducing the overall scope. After all, the cardholder data has to be identified,
before it can be isolated. Key team members, representing different groups that deal
with cardholder data, should be involved to ensure that all aspects regarding the
handling of cardholder data are identified. Walking step by step through the flow
of cardholder data in a group setting can result in a much more detailed and accurate
depiction of the cardholder data flow. Often assessors find that the merchant has
forgotten some small part of the cardholder data flow as they move through this process.
An individual who runs a report on cardholder data on a weekly basis and pulls cardholder
data to their workstation could potentially bring surrounding systems into scope.
Identifying these systems and processes are critical.

Now that the flow of cardholder data has been identified, the next step is to work
towards making sure only those computers that are absolutely necessary for “storing,
processing and/or transmitting” of cardholder data are in the cardholder data environment.
Proper network segmentation is crucial to reducing the overall scope. Ensuring all
systems that handle cardholder data are in secure network segments will facilitate
the isolation necessary for the cardholder data environment. This allows the merchant
to focus the proper resources and effort towards securing the reduced cardholder data

segmentation can be accomplished via the use of firewalls or routers and switches
with ACL’s (Access Control Lists). Frequently, a user or administrator may need access
to systems or data within the cardholder data environment, e.g., to perform support.
If a user or administrator requires access into the cardholder data environment from
the corporate network the optimal way of ensuring that the cardholder data environment
remains contained is by using two-factor authentication. This provides access to the
cardholder data environment with a significantly mitigated security exposure and allows
the PCI scope to remain contained.

Enterprise merchants who have a clear understanding of how PCI scope is defined are
at a significant advantage at assessment time. By accurately identifying the flow
of cardholder data through the overall enterprise network a merchant can streamline
the necessary network segmentation process, thereby reducing the overall financial
impact of undergoing a PCI assessment. While the prospect of making significant changes
to overall network architecture may seem daunting under the best of conditions, the
long term benefits far outweigh the initial “growing pains.” Once complete, the merchant
will not only be able to maintain compliance much more easily than before, the overall
security of cardholder data will be dramatically increased.

And that benefits everyone.