Whether you’re a player in the payments space or a business processing credit cards, you’ve heard of Payment Card Industry (PCI) compliance. The PCI Data Security Standard exists to secure credit and debit card transactions and protect cardholder information, so every party involved in facilitating a transaction falls within PCI scope. This includes any system component connected to the cardholder data environment (CDE).
Processing credit cards can involve many different components, so PCI scope varies with the breadth of an organization's CDE. Because of this, many businesses do not know which components they are responsible for, or even which ones fall within scope. Bottom line: anything that stores, processes or transmits cardholder data is in scope and must be PCI compliant.
Components Within PCI Scope
The PCI Security Standards Council defines scoping as “ … the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD).” An easy way to identify these components is by understanding how cardholder data flows.
Networks are made up of physical connections such as Ethernet, wireless connections such as Wi-Fi and Bluetooth, and the devices and virtual links that join and control them, such as switches, routers, firewalls and VPNs. All of these are used, in combination, to move information between computers, servers and applications. So any business using modern technology is within scope? Without further controls, yes, which is why network segmentation exists.
Segmentation prevents “ ... out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE.” In practice this means isolating the systems that store, process or transmit cardholder data, typically with firewall rules, VLANs or access control lists that deny traffic between the CDE and the rest of the network, and then testing that the isolation actually holds. Servers provide services to other programs or devices, and one of those services is storing data. Cardholder data can be stored either on the business's own server, putting it within scope, or on the provider's server. Where the data is stored depends on the type of software used to process transactions (more on that later).
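To make the scoping and segmentation rules above concrete, here is an added example (not code from the original post or from the PCI SSC): an inventory of components and the network flows a firewall permits between them, with a function that computes which components are in scope. The component names and flows are constructed for the illustration. It follows the PCI SSC guidance that a system with an allowed connection into or out of the CDE is a "connected-to" system and is in scope, and that segmentation shrinks scope by removing such flows.

```python
"""Compute PCI scope from the network flows a firewall allows.

Added illustration, not from the original post. Scope = the CDE (every
component that stores, processes or transmits CHD) plus every component that
can communicate directly with a CDE component. Segmentation is modelled as
removing flows, which is what a deny rule on a firewall does.
"""

# Constructed sample inventory: the CDE is every component that handles CHD.
CDE = {"pos-terminal", "payment-gateway-client", "card-db"}

# Constructed allowed flows (source, destination), as a firewall would permit them.
FLOWS_UNSEGMENTED = {
    ("pos-terminal", "payment-gateway-client"),
    ("payment-gateway-client", "card-db"),
    ("office-wifi", "pos-terminal"),   # flat network: office Wi-Fi can reach the POS
    ("hr-workstation", "card-db"),     # a backup script talks to the card database
    ("marketing-web", "office-wifi"),  # reaches Wi-Fi only, never the CDE directly
}


def in_scope(cde, flows):
    """Return the set of components within PCI scope.

    A non-CDE system with a direct allowed flow to or from a CDE system is a
    'connected-to' system and is in scope. A system that can only reach a
    connected-to system, not the CDE itself, stays out of scope.
    """
    scope = set(cde)
    for src, dst in flows:
        if src in cde or dst in cde:
            scope.add(src)
            scope.add(dst)
    return scope


def segment(flows, blocked):
    """Apply segmentation: drop the flows the firewall now denies."""
    return {f for f in flows if f not in blocked}


def segmentation_violations(cde, flows, declared_out_of_scope):
    """Flows that let a system you have declared out of scope talk to the CDE.

    This is the check a segmentation test is meant to catch: a non-empty result
    means the declared scope is smaller than the real one.
    """
    return {
        (src, dst)
        for src, dst in flows
        if (src in declared_out_of_scope and dst in cde)
        or (dst in declared_out_of_scope and src in cde)
    }


if __name__ == "__main__":
    print("flat network in scope:", sorted(in_scope(CDE, FLOWS_UNSEGMENTED)))
    blocked = {("office-wifi", "pos-terminal"), ("hr-workstation", "card-db")}
    print("after segmentation:  ", sorted(in_scope(CDE, segment(FLOWS_UNSEGMENTED, blocked))))
    print("violations if Wi-Fi is declared out of scope:",
          segmentation_violations(CDE, FLOWS_UNSEGMENTED, {"office-wifi"}))
```

On the flat network the office Wi-Fi and the HR workstation are pulled into scope by their flows to the POS and the card database, while the marketing web server is not, because it only reaches the Wi-Fi. Blocking those two flows brings scope back down to the CDE itself; the violation check is the kind of evidence a segmentation test should produce before you rely on the reduced scope.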
Applications take in cardholder data, so they are always within scope. These include retail and mobile point-of-sale (POS) systems, virtual terminals and payment gateways, e-commerce websites and management software (e.g., patient management systems). With the number of integrations available to streamline workflows, it is easy to overlook which of them are within scope.
Applications should implement a recognized approach to protecting cardholder data. A good option is point-to-point encryption (P2PE), which “ … encrypts data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.” Better still is tokenization: the provider replaces the card number with a token that has no value outside the provider’s vault, so your systems never store the actual PAN. Integrating a validated P2PE solution (usually delivered through a payment gateway or virtual terminal) with a POS, e-commerce site or management software reduces your PCI scope; pairing it with tokenization removes stored card data from your environment entirely. Neither eliminates your obligations altogether, since the devices and applications that capture card data remain in scope, but the assessment they face is far smaller.
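The following is an added example, not code from the original post or from any payment provider, of what tokenization looks like from the application's side: a vault that hands back a random token, a merchant-facing function that only ever shows the last four digits, and a detokenize path restricted to the processing role. The vault is an in-memory stand-in for the provider's decryption environment, the HMAC key and the "payment-processor" role name are assumptions made for the illustration, and the card number used is the standard Visa test PAN.

```python
"""Tokenization vault: the application keeps a token, the vault keeps the PAN.

Added illustration only. In a real deployment the vault runs inside the
provider's CDE and the PAN is encrypted at rest with keys the merchant never
holds; here it is a single-process dictionary so the flow can be run offline.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, so an obviously mistyped PAN never reaches the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs. Lives with the provider, not the merchant."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # assumed key; used only for the lookup index
        self._pan_by_token = {}       # token -> PAN (would be encrypted at rest)
        self._token_by_index = {}     # HMAC(PAN) -> token, so a repeat card reuses its token

    def _index(self, pan: str) -> str:
        # Keyed hash rather than a plain hash: a plain SHA-256 of a 16-digit PAN
        # is trivially brute-forced, a keyed one is not without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # The token is random: nothing about the PAN is recoverable from it.
        # The last four digits are kept so receipts and refunds still work.
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the assumed 'payment-processor' role may recover a PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def masked(token: str) -> str:
    """What the merchant application may display: last four digits only."""
    return "**** **** **** " + token[-4:]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    token = vault.tokenize("4111 1111 1111 1111")   # standard Visa test PAN
    print("merchant stores:", token)
    print("merchant shows: ", masked(token))
    print("processor sees: ", vault.detokenize(token, "payment-processor"))
```

The merchant database ends up holding only `token` and the last four digits, which is exactly why stored card data drops out of its scope; the PAN is reachable only through the vault, and only by the processing role.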
As noted above, the software used to process transactions affects PCI scope. Some payment processing software is native: it is installed on your own servers, often with middleware that brokers the connection to the processor. Because card data then passes through or rests on your infrastructure, those servers are within the CDE and your business must validate their compliance every year.
Using cloud-based (hosted) software removes your servers from scope because cardholder data is stored on the provider’s servers, and your business only reaches it over an encrypted connection. That shifts responsibility rather than erasing it: confirm that the provider is itself PCI DSS compliant (ask for its Attestation of Compliance), and remember that the workstations and browsers you use to reach the service still connect to cardholder data and remain in scope.
Know Your PCI Scope
The majority of businesses subject to PCI only need to self-report on compliance via a self-assessment questionnaire (SAQ), but that doesn’t mean PCI scope can be ignored. If a component is overlooked and compromised, your business is liable for the stolen card data: fines for each compromised card plus a major interruption to normal sales.
Understanding the extent of the CDE at your business protects both you and your customers. Small businesses can follow the best practices published by the PCI Security Standards Council. Larger businesses should consider awareness training for their staff and get familiar with the merchant level they are subject to. It’s never too late to up your PCI game. Get started today.
Need help verifying if a component is within scope? Leave a comment below – we’d be happy to help you out!