5 ways to reduce the scope of your PCI compliance program.

1. PCI: Shrink to Fit

2. A simple, easy to use, online, B2B procurement
portal for purchasing products and services to
identify, minimise and manage the security
threat to business data.
www.riskfactory.com

3. Cheap
Fast
Good

4. The Standard

5. Applies
• Any systems that process, store or transmit
cardholder data (credit or debit)
• Any systems that connect to them

6. #1 Discover &
Document
• Conduct inventory: hard & softcopy card data
• Can’t shrink what you have not measured
• What do you have & Where do you have it?
• Run discovery software across internal network
IPs
• Create network diagram depicting card data
flow
• Heat map: processes, stores & transmits
• Establish hardware asset register
• Results = Card Data Environment (CDE)

7. Discover & Document

8. Leakage
Laptop / Desktop
Server
CD / DVD
Piggybacking
USB iPod
Dumpster (Skip) Diving
Social Engineering Memory Stick
Contractors
Road Apple PCMCIA
Eavesdropping Memory Card Readers
Bluetooth
Endpoint
Communication Infrared
Databases
Firewire
File Systems
Serial / Parallel Ports
File Servers
NAS Data-At-Rest Virtual Machine
SANs / iSCSI Storage Screen Scrapers
Voice Mail Data Loss Trojans
Other Threat Vectors
Video Surveillance Key Loggers
Phishing / Spear Phishing
E-Mail
HTTP/S Printers
SSH Backup Tapes / CD / DVD
FTP Laptop / Desktop / Server
Data-In-Motion
IM Fax
VoIP
Physical Photocopier
P2P Mobile Phone / PDA
Blogs Digital Camera (incl. Mobile Phone Cameras)
Incorrect Disposal
Printed Reports

9. #2 Destroy & De-Scope
• Both hard & soft copies
• If you don’t need it – delete it.
• Take your time. Use your CDE map.
• Stakeholders sign off
• Remember: VoIP & mail servers, MS Outlook
archives, fax, scanner & copier memory cards
• Include 3rd parties & back up systems
• Be ruthless

10. #3 Outsource &Oversight
• What can you outsource?
• Risk transference vs. risk mitigation
• Compliance requirement in SLA
• Should not be cost plus
• See proof (ask for copy of their RoC)
• Conduct annual onsite audit
• Still need program
• The liability is still yours

11. #4 Separate & Segment
• Led by “need to know”
• Always ask: Why?
• Should not be vendor led
• Firewall, VLAN, software…
• Subnets
• Wireless networks
• 3rd party suppliers!
“Any systems connected” to the CDE

12. Point to Point Encryption

13. Point to Point Encryption
• Card brand specific technology requirements
• PoS configuration requirements
• Bank-owned vs. Merchant-owned devices
• Compliance requirement in contract & SLA
• Who’s responsible for a breach?
• Still have compliance validation requirement

14. #5 Tokenise
• Can significantly downsize scope
• Card data replaced by “token” (surrogate value)
• Card data stored in centralised vault
• Servers processing, storing or transmitting card
holder data in scope
• Servers processing, storing or transmitting
surrogate values not in scope

15. Model

16. Tokenisation
• Where tokens and card data meet = in scope
• Tokenisation hosting solution critical
• Be careful of “hybrid” solutions
• See PCI Standards Council site for guidance
• Test the solution!
• This is no silver bullet
• Validation still required

17. 5 Ways to Reduce PCI
Discover & Document
Destroy & De-scope
Outsource & Oversight
Separate & Segment
Tokenisation

18. Best Way
Understand that the PCI DSS is a
“risk management framework”
Not a checklist

19. 26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)