SCOPE SCOPE SCOPE (REDUCTION…)
PCI DSS is comprised of more than 200 requirements. Each and every requirement applies to each and every component that is included within the cardholder data environment. The math is simple – the more robust and complex your network AND the more you distribute credit card information among your IT systems and through network components, the more you grow in scope of PCI DSS audit.
Try to do everything in your hands and reduce the business need to save credit card data, you can do it if you live by the motto “if you don’t need it don’t save it”. Another way is to create network segmentation and to isolate the card holder data in separated, controlled and monitored environments.
In my opinion, scope reduction workshops and discussions should be the first items on the discussion table whenever a PCI DSS compliancy projects sets off. It is imperative to gather the resources and skillful personnel from various business units and IT divisions in order to form an acceptable policy for cardholder data storage locations and transmission flows. For instance, you might discover that 6 first digits and last 4 digits plus another time stamp or transaction ID are sufficient for you to allow verifications, investigations and inquiries by your customers or merchants.
You might also discover that instead of storing full credit card number on your POS device you may only keep a salted hash value of your specific lists of cards (membership cards usually), for your local verification and authentication of the card. As salted hash values are not considered sensitive information by the PCI council’s decree this might help you lessen the burden on your retail shops that have the main focus of ongoing operational work with minimal interference for the sake of all parties involve (no customer wants to have to wait too long in line).
Ben, Ben Aderet – Co Founder of GRSee Consulting