Problem solve Get help with specific problems with your technologies, process and projects.

How to reduce PCI DSS security scope for an audit

PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security scope.

Do you have any advice/best practices on what a security manager can do to cut down on the number of in-scope devices for PCI DSS compliance?

While I'm no QSA, there are two main ways I can think of to do this. The first way is to outsource as much of the payment processing as possible. This has the added advantage of not only reducing the scope of systems, but also of limiting the number of places from which data can accidently leak. This won't absolve you completely from PCI DSS compliance (the only way to do that is to stop accepting credit cards entirely), but it can make your life a lot easier in the long run. It does mean however that you will have an obligation to monitor your outsourcer to ensure they remain PCI DSS compliant. Fortunately, this requires significantly much less effort than actually maintaining compliance yourself.

The other option is to consolidate your credit card processing/management infrastructure into as compact a footprint as can be sensibly managed. For instance, this would mean segregating systems in where you have a system (which could be a single computer or multiple computers) hosting a PCI-related application along with non-PCI DSS applications.

Alternately, if you can't reduce the number of boxes your PCI DSS applications are hosted on, reallocating the boxes so they are only hosting PCI DSS-related data will allow you to isolate those systems to a much greater degree and limit scope creep during your assessment.

For more information:

This was last published in January 2010

Dig Deeper on PCI Data Security Standard

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.