Because the scope of PCI DSS requirements can be so large and complicated, companies are constantly searching for ways to reduce or even eliminate it. Below are five ways businesses can potentially reduce the size of their PCI DSS scope.
- Consolidation: Identifying and eliminating redundant data sets, and consolidating applications and information storage, can reduce scope.
- Centralization: Encrypted data is stored in a highly secure on-site central data vault, and the payment card numbers are replaced with tokens in all other applications and databases. Since cardholder data is stored in only one central location, PCI DSS scope is minimized.
- End-to-End Encryption (E2EE) or Point-to-Point Encryption (P2PE): Ensures that card numbers are encrypted from the first card swipe at the point of sale (POS) and while in transit all the way to the payment processor, eliminating most PCI requirements.
- Outsourcing: Outsourcing all or some of your payment card processing capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only.
- Tokenization: Stores card numbers and other sensitive data, such as social security numbers, in an off-site highly secure data vault. The payment card numbers are replaced with tokens in all other databases and applications. Not storing cardholder data anywhere greatly simplifies PCI DSS scope.
These five approaches can simplify PCI compliance for POS-centric and card-not-present (CNP) environments, but choosing the best method for your company will depend on the level of security you are looking to achieve. For example, the first two techniques will minimize the scope of PCI Requirement 3 but will not eliminate it: card numbers are still stored on-site, so a hacker who manages to decrypt your stored data gains access to all of it.
Your next layer of protection is a third-party tokenization solution. Tokenization gives businesses the opportunity to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications. According to a Verizon Business report, implementing tokenization can make reaching compliance much easier than replacing an existing application with a PA-DSS compliant one.
If you are searching for the complete package, a combination of third-party tokenization and a point-to-point encryption (P2PE) solution will get you closest to completely eliminating your PCI scope, depending on your current payments landscape. P2PE takes your entire network and PCs out of scope because card numbers are encrypted at the terminal and tokenized before they ever touch your network.
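To make the tokenization and edge-capture ideas in the bullets above concrete, here is a small Python sketch. It is an added example written for this page, not the post's own code or any vendor's product: the `TokenVault`, `OrderSystem` and `capture_card` names, the HMAC index key and the order records are constructed for illustration, and the card number used is the standard Visa test PAN, not a real account. The vault is the only component that ever holds a PAN; the PAN is exchanged for a token at the capture edge (the P2PE terminal or hosted payment field plus its provider) before any merchant application sees it; tokens are random, carry only the last four digits for display, and are checked so that they can never themselves look like a card number; and a `contains_pan` scanner doubles as a scope check you can run over anything the out-of-scope systems persist.

```python
import hashlib
import hmac
import re
import secrets

# Added illustration, not the original post's or any vendor's code. The class and
# function names, the index key and the sample orders are constructed for this example.

# A run of 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; every real PAN passes it, so it filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a syntactically valid PAN."""
    pan = re.sub(r"\D", "", raw)
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form allowed outside the vault: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def contains_pan(text: str) -> bool:
    """Scanner for card numbers in stored data: PAN-length digit runs that pass Luhn."""
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            return True
    return False


class TokenVault:
    """The only component that ever holds PANs (inside the CDE, or at the provider)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key                 # constructed key; a real vault uses an HSM-held key
        self._token_to_pan: dict[str, str] = {}     # vault storage (encrypted at rest in practice)
        self._index_to_token: dict[str, str] = {}   # keyed HMAC of PAN -> token

    def _index(self, pan: str) -> str:
        # A keyed hash lets a repeat card reuse its token without a cleartext PAN index.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            # Random token with no mathematical relation to the PAN; keep last four for display.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._token_to_pan and not contains_pan(token):
                break                               # a token must never itself look like a PAN
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the path that talks to the payment processor should be allowed to call this."""
        return self._token_to_pan[token]


def capture_card(vault: TokenVault, raw_pan: str) -> tuple[str, str]:
    """Edge capture (P2PE terminal or hosted payment field plus provider): the PAN is
    swapped for a token and a masked display value before any merchant app sees it."""
    pan = normalize_pan(raw_pan)
    return vault.tokenize(pan), mask_pan(pan)


class OrderSystem:
    """An application outside the CDE: it only ever receives tokens and masked PANs."""

    def __init__(self):
        self.orders: list[dict] = []

    def place_order(self, order_id: str, card_token: str, card_display: str, amount: float) -> dict:
        record = {"order_id": order_id, "card_token": card_token,
                  "card_display": card_display, "amount": amount}
        self.orders.append(record)
        return record

    def leaks_pan(self) -> bool:
        """Scope check: does anything this system persisted contain a card number?"""
        return any(contains_pan(repr(o)) for o in self.orders)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    shop = OrderSystem()
    token, display = capture_card(vault, "4111 1111 1111 1111")   # Visa test PAN
    print(shop.place_order("order-1", token, display, 19.99))
    print("order system holds a PAN:", shop.leaks_pan())
```

The design point is the boundary: `OrderSystem` has no reference to the vault at all, so even a full compromise of it yields tokens and masked values, and `leaks_pan` is the kind of automated check a QSA or internal audit would run over application databases and logs to confirm that scope really has been reduced rather than assumed.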
If you have questions regarding PCI DSS compliance or tokenization solutions, please contact us to schedule a time to speak with one of our payments industry experts.