PCI DSS – Strategically De-scoping

When it comes to Payment Card Industry (PCI) compliance, one of the typical pitfalls I have seen over and over again is organisations jumping straight into assessment and remediation of PCI DSS risks, without pausing to reflect on how to strategically de-scope the impacted IT infrastructure so that PCI DSS becomes not only much more manageable but also much cheaper to maintain over the longer term.

In essence, strategic de-scoping means evaluating an organisation's payment journeys and then rationalising them, removing as many superfluous journeys and processes as possible. This simplification has a number of desirable effects:

  1. Cost Reduction – reduces the number of processes and systems that payment card information flows through and, as a result, reduces the amount of money that needs to be spent on annual audits or pre-QSA type assessments.
  2. Risk Reduction – significantly reduces risk because the attack surface is made considerably smaller, i.e. fewer processes, systems, applications, etc. are used to store or process card information.
  3. Easier Ongoing Management – for example, if payment information only flows through two customer journeys (e.g. website and mobile), both of which use the same business processes, managing the security of the systems within those processes on an ongoing basis is considerably easier. Every system or process that is de-scoped from PCI DSS is one less area of the business, and one less group of stakeholders, that needs to be engaged with.

There are a number of ways organisations can strategically de-scope their PCI estate. The first, and most preferable (but also most invasive), is to completely outsource the handling of payment card information to an external payment gateway, where payment details are passed directly from the customer to the payment gateway. This significantly reduces the need to store and process payment information internally, but it also requires the greatest amount of change if payment card information is already widely dispersed within your business.

The second option is to simply perform a payment journey review. Typical payment journeys include:

  • Website
  • Mobile
  • Telephone/Call Centre
  • Via a Third Party Supplier

It may be that within a particular journey there is considerable duplication of systems and processes that handle credit and debit card information. This is essentially an exercise in rationalisation: identifying what is business critical and getting rid of everything else.

There are other methods of achieving the same result, but hopefully these two examples give you an idea of why we recommend performing an exercise like this to de-scope the PCI landscape before even considering remediation activities and plans.