Because the scope of PCI DSS requirements can be so large and complicated, companies are constantly looking for ways to shrink it as far as possible. Below are five ways businesses can potentially reduce the size of their PCI DSS scope.
- Consolidation: Identifying and eliminating redundant copies of cardholder data, and consolidating the applications and storage that hold it, reduces the number of systems in scope.
- Centralization: Card numbers are stored encrypted in a single, highly secured central data vault on site, and are replaced with tokens in every other application and database. Because cardholder data is stored in only one place, PCI DSS scope is minimized, although the vault itself remains fully in scope.
- End-to-end encryption (E2EE) or point-to-point encryption (P2PE): Card numbers are encrypted the moment the card is swiped or dipped in the point-of-sale device and stay encrypted in transit all the way to the payment processor, so the merchant's own systems never handle a clear-text PAN. With a validated P2PE solution this removes most PCI DSS requirements from the merchant's POS environment, but it does not eliminate them.
- Outsourcing: Outsourcing all or some of your payment card processing to a PCI DSS compliant service provider can reduce PCI scope, provided the merchant's own systems no longer store, process or transmit cardholder data. This is especially relevant to companies conducting eCommerce transactions only, where card capture can be handed entirely to the provider.
- Tokenization: Card numbers are stored in a highly secured data vault off site (typically at the tokenization provider) and replaced with tokens in every merchant database and application. The token must be a surrogate value that cannot be turned back into the PAN without access to the vault; a token that can be mathematically derived from the PAN is still cardholder data. Not storing cardholder data in merchant systems greatly simplifies PCI DSS scope.
All of the techniques outlined above are sound ways to reduce PCI DSS scope. Depending on the individual company's payment acceptance environment, some of them may or may not be appropriate strategies. For instance, E2EE/P2PE is a great technology, but it is highly POS-centric. In card-not-present (CNP) environments, E2EE/P2PE is difficult to achieve because card numbers are keyed into merchant systems and applications by the customer on a web form or by call-center staff, so there is no tamper-resistant device in which to encrypt them at the point of capture.
A merchant with both card-present and CNP acceptance channels can pair E2EE/P2PE for the POS with tokenization for everything else, and the two work well in tandem. Centralization, by contrast, still keeps card numbers on site: it minimizes the scope of PCI DSS Requirement 3 (protect stored account data) but does not eliminate it.
The PCI DSS scope reduction technique that works best for most CNP merchants is a combination of the outsourcing and tokenization techniques described above. Tokenization lets a business eliminate the storage of cardholder data in its own systems and applications, and, when card capture is outsourced as well, the transmission of cardholder data through them. According to a recent Verizon Business report, implementing tokenization can make reaching compliance much easier than replacing an existing application with a PA-DSS compliant one.
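The following Python example is added here to make the tokenization described above concrete; it is not code from the original article or from any tokenization provider. It assumes an in-memory dictionary standing in for the vault (a real vault encrypts PANs at rest and lives in the provider's environment), uses publicly known test card numbers as constructed input, and the names `TokenVault`, `find_pans` and `demo` are hypothetical. It shows the three properties that make a token safe to keep out of scope (random, not derivable from the PAN, and deliberately failing the Luhn check so PAN scanners do not flag it), the keyed index that lets the same PAN map to the same token for recurring billing, and the PAN-discovery check a practitioner runs over merchant records to confirm that only tokens remain.

```python
"""Vault-style tokenization with a PAN-discovery check (added example)."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Publicly known test card numbers (constructed input, not real accounts).
TEST_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(digits: str) -> bool:
    """True if the string is 13-19 digits and passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever holds a PAN.

    A real vault encrypts PANs at rest (PCI DSS Requirement 3) and sits in the
    provider's environment; a dict is used here only so the flow runs offline.
    """

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)    # secret, never leaves the vault
        self._pan_index: dict[str, str] = {}         # HMAC(PAN) -> token
        self._token_to_pan: dict[str, str] = {}      # token -> PAN

    def _index(self, pan: str) -> str:
        # Keyed hash: lets the vault find an existing token for a PAN without
        # keeping an unkeyed hash that an attacker could brute-force back to PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        keep = pan[-4:]                              # last four kept for receipts/UI
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + keep
            if luhn_valid(token):
                # Bumping one digit always breaks the Luhn checksum, so a token
                # can never look like a real PAN to a discovery scanner.
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._token_to_pan:      # guarantee uniqueness
                return token

    def tokenize(self, pan: str) -> str:
        """Return the surrogate for a PAN; same PAN always yields the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        token = self._new_token(pan)
        self._pan_index[idx] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the in-scope payment step may call this; everything else keeps the token."""
        return self._token_to_pan[token]


# Digit runs of 13-19, allowing spaces or dashes between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """PAN-discovery check: candidates that also pass Luhn are reported as PANs."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


def demo() -> dict:
    """Tokenize one PAN, then scan a clean and a leaky order record."""
    vault = TokenVault()
    token = vault.tokenize(TEST_PANS[0])
    clean = {"order_id": 1001, "amount": "42.00", "card_ref": token}          # constructed row
    leaky = {"order_id": 1002, "amount": "7.50", "card_ref": TEST_PANS[1]}   # constructed row
    return {
        "token": token,
        "clean_hits": find_pans(str(clean)),     # expected: [] -> out of scope
        "leaked_hits": find_pans(str(leaky)),    # expected: the raw PAN -> in scope
        "roundtrip": vault.detokenize(token) == TEST_PANS[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `find_pans` over exports of every system that is supposed to be out of scope is the check that turns the scope claim into evidence: a single Luhn-valid hit means the system still handles cardholder data and is in scope regardless of what the architecture diagram says.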
To find out how your organization can simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) and benefit from outsourcing tokenization technology, please contact us.