February 28, 2024 · 7 min read

The Business Case for Reducing PCI DSS Scope

John Hetherton

Head of Compliance

Categories

Compliance

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory set of security measures designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. This standard is crucial for protecting payment data and maintaining customer trust and is enforced primarily by acquiring banks and card brands.

Is PCI DSS Compliance Difficult?

Complying with PCI DSS can be daunting due to its complexity and the resources it requires. Audits in the US, for instance, can be expensive, with costs varying significantly depending on the size and complexity of the environment being audited and penetration tested, but don’t be surprised at invoices north of $65,000. Beyond the financial aspect and software licensing, the implementation, ongoing maintenance, and monitoring of the required controls demand substantial time and effort from internal teams. The table below is an informed estimate of complexity and effort across the 12 PCI DSS requirements for a large eCommerce business that develops its own code, processes and stores card data, and operates in its own data centre. The effort is aggregated across roles, including Network Admin, System Admin, DBA, Security Operations, Developers, Change Managers, Info Sec / Compliance and Payments teams.

| Requirement                                  | Level of Effort/Cost | Level of Complexity | Estimated FTE Work Days |
|----------------------------------------------|----------------------|---------------------|-------------------------|
| 1. Firewall Configuration                    | Medium               | High                | 15                      |
| 2. Secure Configurations                     | Medium               | High                | 20                      |
| 3. Protect Stored Data                       | High                 | Very High           | 20                      |
| 4. Encrypt Transmissions                     | Medium               | Medium              | 10                      |
| 5. Malware Protection                        | Medium               | Medium              | 15                      |
| 6. Secure Systems/Applications               | Very High            | Very High           | 45                      |
| 7. Access Restriction                        | Medium               | High                | 15                      |
| 8. Identify/Authenticate Access              | High                 | High                | 15                      |
| 9. Physical Access Control                   | Medium               | Medium              | 10                      |
| 10. Logging and Monitoring                   | Very High            | High                | 40                      |
| 11. Security Testing                         | High                 | High                | 25                      |
| 12. Information Security Policy and IR       | Medium               | Medium              | 20                      |
| Total                                        |                      |                     | 250                     |

For certain payment processing models, using Evervault would reduce this effort significantly, in most cases by 95% of the estimate above, spread across a much-reduced set of roles and covering only basic security hygiene. The stakes are high for card processing companies; a breach can lead to fines of up to $18 per compromised card, potential cessation of card processing capabilities by card brands, and severe damage to customer trust due to the theft of cardholder data (CHD). It’s worth remembering that Target settled their 2015 card breach for $39.4m and British Airways their 2018 breach for $26m.

Approach to Compliance

The approach to PCI compliance varies by business type and by how necessary it is to handle card data. For many businesses, especially those not primarily in the financial sector, handling card data directly may not be essential. In such cases, reducing the PCI DSS scope becomes a strategic priority to minimise the compliance burden and reduce the risk of card breaches. There are also opportunities for FinTechs to minimise the likelihood of a card breach, reduce scope and ease the compliance burden while maintaining control over the flow of card data for payment orchestration and optimisation.

Pros and cons of outsourcing card data processing versus handling card data in-house:

Pros

  • Reduced Scope for PCI DSS Compliance: Outsourcing card processing to a third party can significantly reduce the organisation's PCI DSS scope & importantly, the risk of a successful card data breach.
  • Expertise and Efficiency:
    Third-party processors often have specialised expertise in secure card processing, fraud detection, and compliance, which can enhance the security and efficiency of payment transactions.
  • Cost Savings:
    Outsourcing can lead to cost savings by avoiding the capital expenditure and operational costs associated with setting up and maintaining an in-house card processing infrastructure.
  • Focus on Core Business:
    By outsourcing card processing, an organisation can focus more on its core business activities without being burdened by the complexities and resources required for secure payment processing.
  • Enhanced Security Measures:
    Reputable third-party processors implement robust security measures, including encryption and tokenization, to protect cardholder data, potentially offering a higher level of security than an organisation might achieve on its own.

Cons

  • Dependency on Third Party:
    Reliance on a third-party service provider for critical payment processing functions can create dependencies, making the organisation vulnerable to the service provider's operational risks and security posture.
    • Mitigation
      • Check for adequate resilience coverage and test where possible
      • Ensure external Assurance / Audits are in place
      • Ensure SLAs are acceptable
      • Consider querying Cyber Insurance
      • Talk with reference clients
  • Compliance Management:
    While outsourcing can reduce PCI DSS scope, the organisation remains responsible for ensuring the third-party provider is compliant with PCI DSS requirements, which involves annual due diligence and management, although the effort is marginal compared to the overhead of managing PCI DSS in its entirety.
  • Integration and Compatibility Issues:
    Integrating third-party processing services with existing systems can pose technical challenges and may require additional resources for seamless integration.
    • Mitigation
      • Ensure thorough testing takes place before production integration.
  • Data Control and Visibility:
    Outsourcing may result in reduced control and visibility over cardholder data and payment processing, which can be a concern for data governance and security, although with the Evervault solution, as you retain encrypted versions of the data, you still maintain significant control over the use of the data.
  • Potential for Data Breaches:
    While third-party processors may have robust security measures, they are also attractive targets for cybercriminals, and a breach at the provider's end can have significant implications for the organisation. This is typical for most traditional Vault-based offerings. With Evervault’s dual control model, the customer retains the encrypted data, not Evervault. Evervault manages only the keys. Separating the keys from the data provides a significant amount of additional security assurance.
    • Mitigation
      • Ask for external validation of security: penetration tests (PTs), certifications, specific policies, a right to audit, and the ability to include the service provider in the relevant scope of your own pen tests.

Other Considerations

When considering outsourcing card processing to a third party, it is crucial for organizations to conduct thorough due diligence, assess the alignment of the service provider's capabilities with their specific needs, and ensure contractual agreements comprehensively address security, compliance, and service delivery expectations.

How to Attest Compliance

Compliance with PCI DSS can be attested through two main pathways: Self-Assessment Questionnaires (SAQs) and a Report on Compliance (RoC) produced by a Qualified Security Assessor (QSA).

Whether you can self-assess depends on the volume of transactions (cards you process) per year. Service providers processing fewer than 300k transactions p/a are Level 2 and can self-assess; those processing more than 300k p/a are Level 1 and must have a QSA validate their environment in a Report on Compliance (RoC).

For merchants, it's slightly different: there are four levels, and a QSA is only required to validate compliance in an RoC once more than 6m transactions p/a are processed. Otherwise, self-assessment using one of the many types of SAQ is acceptable to acquirers.

There are many different SAQs, depending on how card data is processed (web only, face-to-face, etc.) and the volume of cards processed per year. A detailed description of the SAQs from the PCI Council is here.

Conclusion

Using services like Evervault can significantly descope the environment from many PCI DSS requirements, aligning it more closely with the simplified controls outlined in SAQ A (fewer than 30 controls) for most use cases. Evervault's payment security services ensure that sensitive cardholder data is encrypted before it enters the business environment, effectively removing the data from the business's PCI DSS scope. This reduces the compliance burden and mitigates the breach risk associated with storing and processing cardholder data directly.

In summary, while PCI DSS compliance is essential for businesses handling cardholder data, its complexity and resource demands make scope reduction an attractive strategy. Utilising solutions like Evervault can streamline compliance efforts, reduce costs, and enhance overall data security, allowing businesses to focus more on their core operations and less on the intricacies of PCI DSS compliance.
