When discussing the Payment Card Industry Compliance Data Security Standards (PCI DSS), customers often ask us if there's a way to avoid it altogether, or at least reduce what's in scope. That's understandable, given how overwhelming the PCI compliance requirements may seem, and the fact that many organizations see it as a burden to meet and maintain the requirements on an ongoing basis. But is it possible to avoid PCI compliance, and if so, what are your options? If not, what can you do to reduce what's in scope? If you do reduce what's in scope, why is it still important to understand the intent of the PCI DSS requirements?
To better understand the issues, I consulted some of Dell SecureWorks' PCI compliance experts. PCI compliance scoping is an oft-discussed challenge, and there are different opinions on how to address it, but one thing they all agreed on was that the only way for merchants to avoid PCI compliance entirely is to not take payment cards. For most organizations, that is not a realistic option. With the burgeoning popularity of Square and similar devices that utilize smart phones, consumers have come to expect even the smallest of merchants to accept payment cards.
You may also be able to limit PCI compliance if you're an ecommerce-only merchant and outsource the payment process entirely through a third party, although you will still need to complete a PCI Self-Assessment Questionnaire (SAQ). This means that you could not accept payment card information over the phone, through a call center or through emails, though. The entire transaction must be processed by the third-party vendor - including the web form which collects payment card information. In most cases, though, this would only apply to smaller merchants, as most large merchants handle at least some of the payment process on their own website.
If neither of these scenarios applies to your organization, however, there are still options to consider.
According to Michele Zoerb, CISSP, CISM, CRISC, PMP, a Senior Manager, Security Systems at Dell SecureWorks, "Merchants that take payment cards can't avoid PCI compliance altogether, but there are ways they can reduce what's in scope. PCI DSS specifically says that 'PCI DSS applies wherever account data is stored, processed or transmitted'."
She added, "If a merchant wanted to reduce their scope as much as possible, they could utilize a combination of various methods to help them do this. They could utilize a payment processor or terminal that was already PCI (PA-DSS) certified, outsource their cardholder data environment (CDE), and make sure all their internal processes and policies were established and enforced according to PCI requirements."
It's important to note, though, that the CDE, as defined by PCI compliance, is not just the systems. The PCI DSS states that "The cardholder data environment is comprised of people, processes and technology that handle cardholder data or sensitive authentication data." "So an outsourced CDE would not eliminate the requirement of being PCI compliant," Michele pointed out. "The merchant would still need to address their people and processes internally - and all technology that was used to connect to or transmit to the CDE."
Another one of our QSA experts, Paige Stauffer, CISA, CGEIT, CRISC, QSA and Security Senior Principal Consultant, brought up tokenization, in which the POS system converts credit card numbers into randomly-generated values (tokens).
"Tokenization can potentially reduce what's in scope, but depending on the environment, it can also be very time consuming and cost-prohibitive," Paige said. "In addition, it doesn't relieve merchants from other aspects of PCI compliance, including the aforementioned people and processes. Another alternative is to limit the use of technology by using only analog fax lines and keying payment card information manually into POS terminals, then redacting and shredding the paper records. This is not a very practical solution for most modern organizations, however." Many POS terminals are still quite vulnerable to compromise, too, as recent large data breach incidents have demonstrated.
Point-to-Point Encryption (P2PE) is another option to potentially reduce scope, Paige suggested. A P2PE solution is provided by a third party. It combines secure devices, applications and processes that encrypt data from the point of transaction until the data reaches the solution provider's secure decryption environment. The PCI Council states, however, that "While use of a validated, listed P2PE solution can help to reduce the scope of a merchant's cardholder data environment, it does not remove the need for PCI DSS in the merchant environment. The merchant environment remains in scope for PCI DSS because cardholder data is always present within the merchant environment."
For the vast majority of merchants, there's no avoiding PCI compliance. There are options for organizations to reduce what is in scope for compliance, however. The fact is that even if you reduce what's in scope for PCI compliance, it is still important to understand the intent of the requirements. The PCI requirements are designed to protect customer data, but they can also serve as a baseline for a much more comprehensive information security program to help your organization address a wider range of security issues.
What about your organization? Have you considered any of these options for reducing what's in scope for PCI compliance? If so, what has been successful? Do you think it's possible to reduce what's in scope while still building a robust security program?