Reducing an organisation’s PCI scope should be a major priority for IT managers. Let’s take an in-depth look at PCI DSS scope reduction:
Why reduce your PCI footprint?
It’s quite simple: if an organisation managed to shrink their ‘footprint’ (that is, the amount of cardholder information that’s found in their possession), then there’s less data to be audited.
- Auditing costs are kept down
- Stress is minimised
- Regulation updates are less likely to affect processes
- Security breaches are less likely
- The chances of failure are reduced
If an organisation can reduce its PCI scope from SAQ D to SAQ C, auditing costs can be cut by up to 75%.
Read more: 5 PCI Compliance Myths
How to reduce PCI scope
There are a number of ways to bring your organisation’s PCI scope down:
- Limit which departments can see credit card data
- Limit the type of data departments can see
- Limit card storage in physical stores
- Use tokenisation
- Outsource all credit card information completely
Limit which departments can see credit card data
How much card information is shared across your organisation? There are some companies that allow marketing, customer service or CRM departments to handle or see credit card data, even when they don’t need to.
On a very basic level, the more people that can potentially see personal customer information, the wider your scope is. Neira Jones, head of payment security at Barclaycard, explains the approach in more detail:
She said: “Our advice always is to reduce the cardholder data environment as much as possible. If a department doesn’t need the data, then don’t let them have it. This approach reduces the scope of PCI compliance – and also drastically reduces the chances of card information going astray.”
How can you stop unnecessary departments from seeing the protected information? Ensure that personal data is shared on specific protected networks away from regular information, and that it’s encrypted at all time s.
Limit the type of data departments can see
Nevertheless, there are some people in your organisation that will need to see customer information. Marketing departments, for instance, will be hamstrung if they aren’t able to analyse customer databases and see how relevant population groups behave.
Likewise, technical support teams may need some payment information to verify customers’ identities.
This information, however, doesn’t have to consist of credit card information – or certainly not all of it. To reduce PCI scope, it’s recommended that marketing departments and customer support advisors see, at the very most, truncated card information.
This allows them to do their work, without being privy to information that’s of real interest to malicious third parties.
Limit card information in physical stores
In physical shops and retail outlets, where customers hand over payment information freely, PCI compliance can be problematic. However, if your organisation has a method to encrypt card details at the point of purchase then your physical PCI footprint is kept to a minimum.
By incorporating a system that eliminates credit card information from the purchasing process, you’re effectively safeguarding your organisation from four of the twelve PCI requirements.
Tokenisation, a process which exchanges payment information for a surrogate ‘token’ to be used in place of the card data, ensures that sensitive information is kept safely in one place. By significantly reducing the number of locations where cardholder information is found, the scope of an organisation’s PCI audit is greatly reduced.
The general rule of PCI scoping is: if you can outsource the card data in a way that eliminates your organisation from the payment process, then do it.
That’s why so many organisations choose to work with third parties who use their own systems to handle payment information. For a fee, the stress and worry of PCI – not to mention the security of potentially millions of customers – can be transferred to a PCI DSS expert that knows how to store and transmit sensitive payment data. This process is similar to tokenisation, but trades on the expertise of the provider to keep data safe.
It’s true that this method involves trusting a third party to stay on the right side of the PCI DSS, but it’s much more preferable to going it alone. Working with a PCI compliant file sharing provider means that your customers’ data is in their hands and is their responsibility – as well as yours.
How Maytech’s PCI compliant hosting helps businesses
Maytech works with a number of top brands in finance and banking to provide ultra-secure, PCI compliant data transfer. Find out more about our data transfer for financial organisations today.
Using centralised processes, data encryption as standard and secure transfer protocols that abide by all PCI DSS recommendations, Maytech’s data transfer tools allows businesses to collect and use customer data simply and safely.
We’re ISO 27001 accredited and have a PCI SAQ level D – perfect for reducing your PCI scope.
Find out more about our PCI compliant data hosting today.