Sunday, October 10, 2010

Reposted: On Scope Shrinkage in PCI DSS

Note: this was written as a guest post for Branden Williams' blog (Branden is my co-author on the “PCI Compliance” book) and is reposted here for posterity.

People who came to PCI DSS assessments and related services (such as compliance gap analysis and even implementation of PCI controls) from doing pure information security often view PCI scope reduction as “a cheap trick” aimed at making PCI DSS compliance undeservedly easier. They think of scope reduction only as limiting the area where PCI DSS security controls apply, with negligence, supposedly, reigning supreme outside of that sacred area.

However, PCI DSS scope shrinkage is not just a cop-out aimed at not protecting the data, and it is not just a “PCI project cost reduction” measure. Some half-witted analysts propagate this view by saying things like “by reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCI DSS compliance and significantly increase the chance of audit success” [eh… for starters, a PCI on-site assessment is not an audit, stop calling it that!]. Well, you will get that too, but it is not the point of scope reduction at all.

In reality, efforts to reduce the area of PCI DSS applicability (that is, scope reduction) are among the most effective ways to reduce the risk of cardholder data theft.

As we say in our PCI book (Chapter 5, “Protecting Cardholder Data”):
“Before we even start our discussion of data protection methods, we need to remind you that “the only good data is dead data.” Humor aside, dropping, deleting, not storing and otherwise not touching the data is the best single trick to make your PCI DSS compliance easier as well as to make the transaction less risky, reduce your liability, chance of fines and breach notification losses.”
If you’d like, think of scope reduction as one manifestation of the “least privilege” principle, or rather of a “least data needed to do business” principle. You stop the spread of card data and thus become a more compact, harder to hit target.

Along the same lines, tokenization, data vaults, virtual terminals, hashing, network segmentation and transient (rather than persistent) PAN storage all reduce scope and reduce risk at the same time. These are the things that make PCI compliance easier WHILE reducing the risk of a damaging compromise. So, reduce scope by changing the business process; it will bring more security benefits than THAT FIREWALL you deploy.
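To make the “least data” point concrete, here is an added example in Python (my illustration for this repost, not code from the book or from any tokenization product). The application side stores only a random token and the last four digits; a separate vault component, the only thing that would be in PCI scope, holds the PAN and the keyed fingerprint used to return the same token for the same card. A second function shows the caveat practitioners keep tripping over: an unkeyed hash of a PAN kept next to the truncated PAN is not scope reduction at all, because with the first six and last four digits known only the six middle digits are unknown, and a million SHA-256 computations recover the card number. The PAN 4111111111111111 is the well-known Visa test number; the HMAC key, order amount and record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check: a cheap sanity test before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The one component that ever holds a PAN.

    In a real deployment this sits in its own segmented network and is the
    only part of the system that stays in PCI DSS scope.
    """

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key                      # constructed secret for the demo
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_fp: Dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed, so a leaked fingerprint table cannot be brute-forced
        # without the vault's key (contrast recover_pan_from_unkeyed_hash).
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            token = secrets.token_hex(16)         # random: no link to the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class OrderRecord:
    """What the application database keeps: no PAN anywhere in it."""
    token: str
    last4: str
    amount_cents: int


def take_payment(vault: TokenVault, pan: str, amount_cents: int) -> OrderRecord:
    token = vault.tokenize(pan)
    return OrderRecord(token=token, last4=pan[-4:], amount_cents=amount_cents)


def record_leaks_pan(record: OrderRecord, pan: str) -> bool:
    """True if the full PAN appears anywhere in the stored record."""
    return pan in repr(record)


def unkeyed_pan_hash(pan: str) -> str:
    """The weak practice: a plain SHA-256 of the PAN, no key, no salt."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_unkeyed_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Brute-force a 16-digit PAN from its unkeyed hash plus its truncated form.

    First six (BIN) and last four are exactly what a truncated PAN reveals,
    leaving 10**6 candidates for the middle digits.
    """
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault(hmac_key=b"constructed-demo-key")
    rec = take_payment(vault, "4111111111111111", 1999)
    print(rec, "leaks PAN:", record_leaks_pan(rec, "4111111111111111"))
    print("recovered from unkeyed hash:",
          recover_pan_from_unkeyed_hash(unkeyed_pan_hash("4111111111111111"), "411111", "1111"))
```

The design point is that `OrderRecord` is all the application ever persists, so a compromise of the application database yields tokens that are useless outside the vault, while the brute-force function shows why “we hash the PAN” does not take a system out of scope unless the hash is keyed and the key lives somewhere the truncated PAN does not.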

And remember the fable about somebody asking a QSA firm that was planning to accept payment cards as payment for PCI assessments (oh, the irony!) how they would handle it: “What?! Of course we’d outsource it! We won’t touch that toxic [card data] shit.”

Dr Anton Chuvakin