PCI 360° Digest "How do I reduce my scope?"


Agio’s PCI 360° Digest is a monthly update on industry trends, as well as what we’re seeing among our clients and partners. The goal is to keep you up to speed at all times, eliminating any potential blind spots. 

As we begin to execute 2017 spend, our clients are asking the question, "How do I reduce my scope?" We get it; there's only so much to go around.

Let's kick it off with network segmentation of your cardholder data; specifically, separating it from the remainder of your environment. Easier said than done, yes, but the result ensures no user, system, or application outside the cardholder data environment has access to the systems that process, store, or transmit cardholder data. It gets more complicated, of course, but at the end of the day the short answer is: any system involving cardholder data needs to be in scope, which means any system not involving cardholder data (and properly segmented from it) can, for all intents and purposes, remain out of scope. Poof, gone, like it doesn't exist (from a PCI assessment standpoint). 

Encryption is your next go-to strategy to reduce scope. Simply put, encryption prevents anyone without access to the encryption/decryption keys from accessing the data. Those who do have access to the keys, however, are the ones responsible for that data. From this perspective, think about third parties who may be storing or transmitting your data. Their systems need to be in scope if they control access to the data and/or hold the keys. If not, consider them de-scoped and treat them like an untrusted link in the chain.

It's worth stating that no two environments are the same, and scoping can be a challenge without the help of a QSA. If you find you're struggling to properly scope your environment, let us know, and perhaps we can assist. 

Should you have any questions about our digest, feel free to contact me directly at [email protected]. We’ve got you covered.
