Ask the Expert

How to reduce PCI DSS security scope for an audit

Do you have any advice/best practices on what a security manager can do to cut down on the number of in-scope devices for PCI DSS compliance?

    Requires Free Membership to View

While I'm no QSA, there are two main ways I can think of to do this. The first way is to outsource as much of the payment processing as possible. This has the added advantage of not only reducing the scope of systems, but also of limiting the number of places from which data can accidently leak. This won't absolve you completely from PCI DSS compliance (the only way to do that is to stop accepting credit cards entirely), but it can make your life a lot easier in the long run. It does mean however that you will have an obligation to monitor your outsourcer to ensure they remain PCI DSS compliant. Fortunately, this requires significantly much less effort than actually maintaining compliance yourself.

The other option is to consolidate your credit card processing/management infrastructure into as compact a footprint as can be sensibly managed. For instance, this would mean segregating systems in where you have a system (which could be a single computer or multiple computers) hosting a PCI-related application along with non-PCI DSS applications.

Alternately, if you can't reduce the number of boxes your PCI DSS applications are hosted on, reallocating the boxes so they are only hosting PCI DSS-related data will allow you to isolate those systems to a much greater degree and limit scope creep during your assessment.

For more information:

This was first published in January 2010

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: