How to reduce PCI DSS security scope for an audit

PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security scope.

Do you have any advice/best practices on what a security manager can do to cut down on the number of in-scope devices for PCI DSS compliance?

While I'm no QSA, there are two main ways I can think of to do this. The first way is to outsource as much of the payment processing as possible. This has the added advantage of not only reducing the scope of systems, but also of limiting the number of places from which data can accidentally leak. This won't absolve you completely from PCI DSS compliance (the only way to do that is to stop accepting credit cards entirely), but it can make your life a lot easier in the long run. It does mean, however, that you will have an obligation to monitor your outsourcer to ensure they remain PCI DSS compliant. Fortunately, this requires significantly less effort than actually maintaining compliance yourself.

The other option is to consolidate your credit card processing/management infrastructure into as compact a footprint as can be sensibly managed. For instance, this would mean segregating systems where you have a system (which could be a single computer or multiple computers) hosting a PCI-related application alongside non-PCI DSS applications.

Alternately, if you can't reduce the number of boxes your PCI DSS applications are hosted on, reallocating the boxes so they are only hosting PCI DSS-related data will allow you to isolate those systems to a much greater degree and limit scope creep during your assessment.

This was first published in January 2010
