Saving Money with a PCI-DSS Scope Reduction

Protecting personal and financial information is paramount to the well-being of any individual or organization. With new threats of data breach emerging every year, such as “ransomware cocktails,” this critical task has become extremely complex. The Payment Card Industry Data Security Standard (PCI DSS) mandates specific protective procedures and devices, and the more systems that can expose card data, the more of those controls apply.

PCI DSS Defined

The PCI DSS serves as a set of guidelines and standards for businesses that use and accept payment cards, such as credit, debit, and cash cards. Ultimately their purpose lies in protecting cardholders from fraud and theft. It has six major objectives:

  • Establish a secure network for information use and storage
  • Protect cardholder personal and financial information, generally via encryption
  • Use and maintain anti-malware programs that cover spyware, ransomware, and other malicious software
  • Control access to the system, particularly areas of data storage
  • Monitor and test systems regularly
  • Create and follow a viable information security policy

However, with the help of an expert, an organization’s PCI scope can be reduced, resulting in decreased costs and reduced risk.

The challenge lies in reducing the scope of payment card information exposure. The smaller the scope, the fewer protections your business will need to provide.

4 Tips on Reducing PCI-DSS Scope

• Do Not Store Personal Account Numbers

One sure way to reduce scope lies in never storing personal account numbers, known better in the industry as PAN.

For many traditional businesses, this will pose no problem. Retailers such as stores and gas stations have no need to store PAN and can delete the entry as soon as the transaction finishes, or after a fixed period.

Other businesses, especially online retailers, store PAN and other information as a courtesy to their customers.

Small online businesses will find that PCI DSS standards may become difficult to meet and afford and must work to reduce their scope. Many have chosen to bypass card use in favor of money transfer apps and avoid the extra expense.

• Audit System to Reduce or Eliminate Unnecessary PAN

Businesses with extensive systems especially need to conduct regular system audits. PAN tends to “migrate” into areas where it should not be, such as application logs, backups, spreadsheets, and e-mail. Every time a piece of personal or financial data ends up in another part of your system, that part enters the scope.

Maintain regular audits and data discipline to keep PAN corralled in limited and designated areas.

• Outsource PCI Strategy to an Expert

Another way to reduce exposure lies in working with a PCI expert with a superior track record of designing, assessing and auditing PCI relevant networks. Smaller organizations will especially benefit from such an engagement as they typically are operating with smaller budgets and less sophisticated resources.

• Network Segmentation to Reduce System Exposure

Another effective way to reduce scope lies in establishing network segmentation. The systems and applications that store cardholder data are isolated from the rest of the network, either permanently or for part of the time. When you cut data off from systems that allow outside access and put it in a silo, this can help prevent both breaches and unwanted migration.

Even this is not foolproof. The National Security Agency completely segmented off its in-house created malware. An insider walked out with the whole cache of information and spread it online. Limiting personnel access is just as important as segmenting the system itself.

Reach out today to learn more about how to save money and time by reducing your PCI DSS scope.

Interactive Security, Inc. has been at the forefront of providing industry leading expert information technology security services to clients across the globe – focused on IT Security Auditing & Compliance.


Vulnerability / Penetration Assessments ~ Application Security ~ PCI DSS ~ HIPAA ~ HiTRUST ~ ISO 27001 ~ FEDRAMP ~ FISMA/NIST ~ GDPR ~ Privacy Shield

Shawn Corrigan

Shawn Corrigan is the President and Founder of Interactive Security Holdings Inc. Interactive Security has grown into a global company offering IT Compliance Auditing services for small to large companies - focused on making it obtainable, simple and affordable. With over 20 years in the BPO and Financial industry working at the executive level, Corrigan has experienced the pitfalls, trials and tribulations of bringing an enterprise organization into IT compliance. Corrigan has designed a methodology geared at guiding clients of any size to successfully achieve compliance and ultimately obtain compliance certification. Corrigan is certified as a FISMA – NIST Implementor, PCI-DSS QSA, HiTRUST Certified Practitioner and HiTRUST Certified Quality Professional, ISO 27001 Lead Auditor and Implementor.