Any organization that accepts, processes, stores or transmits payment cards must show they’re compliant with the Payment Card Industry Data Security Standard (PCI DSS), and to do that, the organization must undergo an annual PCI assessment.
This assessment, or audit, is meant to confirm that the organization meets the PCI DSS security and control requirements.
Although the standard is prescriptive, how it maps onto a given organization varies, because the people, processes and technologies that handle payment card data differ from one organization to the next.
As a result, each organization must scope its PCI assessment so that it covers every system, process and team that stores, processes or transmits payment card data, as well as anything that can connect to or otherwise reach those systems.
“Scoping is understanding all the pieces that need to be assessed; it’s looking at the people, technology and processes that touch the card data,” says Gracie Pereira, a managing director of cybersecurity and privacy at Accenture, with a focus on the financial services industry.
Although it might sound straightforward, scoping a PCI assessment can challenge even experienced organizations, experts say. They note that executives commonly overlook parts of the enterprise that touch payment card data in some way, and so inadvertently leave those parts out of the assessment and, perhaps more importantly, out of the security standards and controls the assessment is meant to enforce.
For instance, some organizations mistakenly assume that because their call centers take payment card data but do not store it, those systems fall outside the scope of the assessment; in fact, accepting and transmitting card data is enough to bring a system into scope. Others fail to treat voice recordings of payment card transactions as systems that must be secured according to PCI DSS.
“Some assume just because payment card data flows through that they don’t have to be PCI compliant,” says Andi Baritchi, a director with KPMG’s Cyber Security Services and its PCI lead director, noting that this kind of faulty thinking can cause big problems. “Improper PCI scoping has been a key contributor to a lot of breaches.”
To help avoid such missteps, experts offer the following advice for scoping a PCI assessment:
Start with a self-assessment to determine requirements
Any organization with a merchant number, which is issued by the organization's payment processor, will need to be PCI compliant.
However, assessment requirements vary based on the annual volume of transactions processed by a merchant (as the organizations accepting payment cards are known in the PCI world): the card brands assign merchants to levels by transaction volume, and the highest-volume level requires an on-site assessment and Report on Compliance rather than a self-assessment questionnaire.