While I'm no QSA, there are two main ways I can think of to do this. The first way is to outsource as much of the payment processing as possible. This has the added advantage of not only reducing the scope of systems, but also of limiting the number of places from which data can accidently leak. This won't absolve you completely from PCI DSS compliance (the only way to do that is to stop accepting credit cards entirely), but it can make your life a lot easier in the long run. It does mean however that you will have an obligation to monitor your outsourcer to ensure they remain PCI DSS compliant. Fortunately, this requires significantly much less effort than actually maintaining compliance yourself.
The other option is to consolidate your credit card processing/management infrastructure into as compact a footprint as can be sensibly managed. For instance, this would mean segregating systems in where you have a system (which could be a single computer or multiple computers) hosting a PCI-related application along with non-PCI DSS applications.
Alternately, if you can't reduce the number of boxes your PCI DSS applications are hosted on, reallocating the boxes so they are only hosting PCI DSS-related data will allow you to isolate those systems to a much greater degree and limit scope creep during your assessment.
For more information:
- Learn more about implementing PCI network segmentation.
- Smooth out your relationship with your auditor with these expert tips.
Dig Deeper on PCI Data Security Standard
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading
Learn when Social Security numbers can be used for patient identification without violating HIPAA patient confidentiality requirements. Continue Reading