Any organization that accepts payment cards, or that processes, stores or transmits cardholder data, must show it is compliant with the Payment Card Industry Data Security Standard (PCI DSS), and to do that the organization must undergo an annual PCI assessment.
This assessment, or audit, is meant to confirm that the organization meets the PCI DSS security and control requirements.
Although the standards are prescriptive, how they fit into each organization can vary as the people, processes and technologies used to handle payment card data in each organization are unique.
As a result, each organization must scope its PCI assessment to ensure it is considering every part of its infrastructure and internal structure that stores, processes or transmits cardholder data, that is connected to those systems, or that can otherwise affect the security of that data.
“Scoping is understanding all the pieces that need to be assessed; it’s looking at the people, technology and processes that touch the card data,” says Gracie Pereira, a managing director of cybersecurity and privacy at Accenture, with a focus on the financial services industry.
Although it might sound straightforward, scoping a PCI assessment can challenge even experienced organizations, experts say. They note that it’s not uncommon for executives to miss places within their enterprise that connect with payment card data in some way — and thus may inadvertently exclude those places from the assessment and, perhaps more importantly, may exclude them from the needed security standards and controls.
For instance, some organizations may mistakenly think that, because their call centers only take but do not store payment card data, those systems are outside the scope of the assessment. Or they might not consider the systems that hold voice recordings of payment card transactions (recordings that can capture full card numbers and security codes read aloud) as systems that need to be secured according to PCI DSS.
“Some assume just because payment card data flows through that they don’t have to be PCI compliant,” says Andi Baritchi, a director with KPMG’s Cyber Security Services and its PCI lead director, noting that this kind of faulty thinking can cause big problems. “Improper PCI scoping has been a key contributor to a lot of breaches.”
To help avoid such missteps, experts offer the following advice for scoping a PCI assessment:
Start with a self-assessment to determine requirements
Any organization with a merchant number, which is issued by the organization's acquiring bank or payment processor, will need to be PCI compliant.
However, assessment requirements vary based on the annual volume of transactions processed by a merchant (as an organization that accepts payment cards for goods or services is known in the PCI world).
For example, the highest-volume merchants must have an annual on-site assessment, documented in a Report on Compliance (ROC), performed either by a Qualified Security Assessor (QSA) — an independent security company qualified by the PCI Security Standards Council to validate an organization's adherence to PCI DSS — or by internal staff certified under the Council's Internal Security Assessor (ISA) program, while lower-volume merchants can usually validate through a self-assessment.
Similarly, organizations that self-assess will need to determine which PCI Self-Assessment Questionnaire (PCI SAQ) applies to them. The SAQ type (for example, SAQ A, A-EP, B, C, D or P2PE) depends not on volume but on how the merchant accepts and handles card data: whether e-commerce is fully outsourced to a validated third party, whether card data is keyed into terminals or virtual terminals only, or whether it touches the merchant's own systems and networks.
Merchant levels are defined by the card brands, and the thresholds differ slightly between them. Under Visa's definitions there are four levels: Level 1 applies to merchants that process more than 6 million card transactions a year, Level 2 is for those processing 1 to 6 million annually, Level 3 is for those handling between 20,000 and 1 million e-commerce transactions, and Level 4 is for those processing fewer than 20,000 e-commerce transactions (or up to 1 million transactions through other channels) annually. A card brand can also place a merchant that has suffered a breach at Level 1 regardless of volume.
Kathy Ahuja, vice president of global compliance and IT for the cloud-based identity and access management provider OneLogin, is experienced in PCI assessment and compliance issues. She says enterprise executives should begin their PCI scoping process by determining whether they qualify as a merchant, a service provider, or both, and then determine the appropriate level based on the number of transactions they handle annually.
“Then you really need to decide how your policies and procedures align with the PCI standards; you need to align your internal controls to meet the PCI categories of controls,” she says.