1. Eliminate or Reduce cardholder data to Minimize PCI Exposure
Outsourcing payment card processing functions to a third-party service provider is an best practice to reducing the size of a payment environment, reducing the PCI compliance burden, and thereby the potential risk to the organization. One such outsourcing solution involves forwarding transactional data directly to a third-party from the initial “swipe” through settlement and chargeback. With the subsequent authorization and settlement process handled by a third-party, the organization may be able to remove most payment data and systems from their environment, eliminating many of the PCI DSS requirements from their scope. It is important to note that although an organization may outsource its payment processing functions; it will still have PCI compliance obligations. Organizations will be required to have a contractual agreement with the service provider that obligates the third party to comply with the PCI DSS and to ensure payment card data is protected within its environment. Other requirements may still apply if PCI-relevant data flows back into the organization’s environment and if the merchant accesses PCI-relevant data in the service provider’s environment.
2. Consolidate & Centralize Payment Processing Environment
Many organizations’ maintain a multitude of disparate applications, systems, and technologies that process, store, or transmit payment card data within their environment. Centralizing & Consolidating payment card processing systems and associated data can have significant benefits for organizations’, such as increased efficiency of transaction processing reduced operational and compliance costs, and reduced risk associated with the retention of payment card data. By consolidating payment card environment, organizations can eliminate many of the applications from the scope of PCI compliance as they would not store, process or transmit payment card data.
3. Tokenize Credit Card numbers instead of Encryption
Tokenization is a technology that enables a token to replace a credit card number in an electronic transaction. Tokenization replaces sensitive data with unique identification symbols that retain all the essential information without compromising its security. Tokenization may be a viable option for PCI scope reduction for companies with legacy systems that do not support encryption solutions, and for organizations that maintain distributed (often complex) payment environments that pass payment card data among multiple systems. The benefit of tokenization approach is that it centralizes all of the actual cardholder data into one giant lookup table and appropriate access controls can be applied to protect it from unauthorized access. It also eliminates the downstream applications from the purview of PCI compliance as these applications would not be storing or processing or transmitting credit card number. The hard part about tokenization is that applications needs to be modified to deal with this reference number like it would deal with a credit card number.
4. Use Network segmentation to reduce scope of PCI Audit
Network segmentation is the process of using both virtual and physical separations of systems to limit their use to authorized users. Segmentation of the cardholder data environment can significantly reduce the scope of PCI DSS. Network segmentation reduces scope from “anyone with access to the Corporate/store network” to “users approved for accessing cardholder data environment”. It also reduces the inclusion of all non-payment card applications in any future SAQ or on-site assessment.