
3 Benefits of Taking Data Out of PCI Audit Scope

Written by Jonathan Deveaux | Oct 29, 2019

Whether your company accepts payments at a store or restaurant, sells products or services through a website, or handles monthly payment billing, you or someone at your company is most likely aware of the security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Each calendar year, your organization needs to prove that it is in compliance with the 12 requirements listed under PCI DSS. Often, this process is time consuming, costly, and involves key people primarily focusing on assessing, verifying, and completing the compliance audit.

Reducing the scope of the audit (the array of items to be analyzed for security aptitude) can free your organization from much of the burden of a lengthy, time-consuming audit process. With a mix of planning and technology, your organization can reduce the scope of the audit and still demonstrate compliance with PCI DSS.

Here are 3 key benefits your business gains by taking data out of scope of PCI DSS:

1. Less risk of accidental exposure, smaller attack surface

  • When you reduce the number of locations where cardholder data resides, you have fewer applications and servers to include in the audit.
  • In most organizations, many departments retain or use cardholder data, including the Help-Desk, Finance & Accounting, Quality Assurance, DevOps, the corporate CRM, and of course production environments for real-time processing. Most of these departments do not need real cardholder data to complete their tasks.
  • Using data protection technology, such as tokenization, the actual cardholder data given by customers is replaced with surrogate data when it is used by business applications and stored in databases or files.
  • Replacing actual cardholder data in as many places as possible not only helps reduce the scope of the audit, but it helps reduce your cyber-attack surface, should a data incident occur. Surrogate data that is exposed or stolen does not affect the original cardholder and is useless to a bad actor should they try to exploit it.
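To make the tokenization idea concrete, here is an added example (not comforte's product code, not from the original post) of a hypothetical vault-style tokenizer: the vault holds the only PAN-to-token mapping and stays in scope, while CRM, help-desk or analytics systems keep only surrogate tokens. The PAN used is the well-known "4111 1111 1111 1111" test number; the role name "payment-processor" is an assumption.

```python
import secrets
from typing import Dict

def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault tokenizer: the only place PAN <-> token is known.
    Tokens keep length and last four digits so receipts and CRM screens still work."""
    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:       # same PAN -> same token, so analytics can still join on it
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn or collide: a token must never look like a real PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the in-scope payment component may recover a PAN; everything else sees tokens.
        if caller_role != "payment-processor":
            raise PermissionError(f"detokenization not permitted for role {caller_role!r}")
        return self._token_to_pan[token]

def crm_record(vault: TokenVault, customer: str, pan: str) -> Dict[str, str]:
    """What an out-of-scope system stores: a surrogate, never the PAN (constructed sample)."""
    return {"customer": customer, "card": vault.tokenize(pan)}
```

If the CRM database leaks, the attacker holds only tokens that fail the Luhn check and cannot be turned back into card numbers without the vault.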

2. Reducing scope reduces cost

  • Businesses spend an average of $225,000 annually for PCI compliance.
  • Smaller businesses that process less cardholder data can spend significantly less; however, large enterprises could easily pay over $500,000 annually.
  • For the audit alone, the cost breakdown includes:
    • Hiring Qualified Security Assessors (QSAs)
    • Full-time employees allocated to provide content for audits (may include time spent away from daily tasks and responsibilities)
  • The more systems and applications with cardholder data you have, the longer it may take to complete an audit. Therefore, reducing the number of systems and locations where cardholder data resides can help save costs.

Here’s a quick breakdown of where costs are saved during a PCI audit:

3. Enable new projects without additional PCI audit burden

Where else in your company have you wanted to use cardholder data but were fearful due to security concerns?

Artificial Intelligence (AI) and Machine Learning (ML) are two areas where large amounts of data are required to produce results. Both areas pose a big security risk to organizations when actual cardholder data is used. Imagine sending millions of cardholder records to a data lake or analytics engine, only to have the data exposed or stolen! Using surrogate data instead of real cardholder data helps reduce the threat of a data incident, while still allowing AI and ML to produce results that support business decisions.

Do you have innovative projects or customer service directives which can benefit from cardholder details? Data can be your superpower provided you protect it!