What’s in Scope? Credit Card Transactions and PCI

PCI Scope Assessment

All organizations that accept credit cards  -- even those who are only charging a few dollars per transaction or those for whom credit card transactions cover just a small percentage of annual revenue -- are responsible for following the guidelines set forth in the Payment Card Industry Digital Security Standard (PCI DSS).

Although PCI DSS is written as a technology standard, the implications of PCI are far reaching, and the environment is quite messy. Ideally, Finance and IT work together as partners to support PCI and keep a close eye on all of the components involved in the cardholder data environment. But getting to this point can be a challenge and time consuming.

In a typical small college, for instance, the sheer number of players can be tremendous. Several areas within a typical higher education institution usually accept credit cards: dining services for food, bookstores for merchandise and textbooks, admissions for application fees, the business office for tuition, the box office, and many more. Frequently, we see several vendors working with a single organization, each with their own set of PCI requirements.

Ignoring the problem isn’t an option. The payment brands (American Express, Visa, MasterCard, Discover) can fine an organization’s bank anywhere from $5,000 to $100,00 per month for continuing to use systems that are out of compliance with the PCI DSS standards. When this happens, the bank will not only pass along the fine to the organization, but they can also suspend accounts, shutting off an organization’s ability to process credit card payments, until compliance issues have been addressed. Getting systems into compliance and paying a qualified security assessor to sign off on the remediations can be costly and time-consuming.

A recommended practice is for organizations is to review their PCI scope on an annual basis. The PCI DSS itself suggests this practice, explaining in the standard:

“The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in the PCI DSS scope. All types of systems and locations should be considered as part of the scoping process, including backup/recovery sites and failover systems.”

PCI DSS (version 3.2, April 2016), pg. 10: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

At FireOak Strategies, we can help jump-start this process. Through a PCI Scope Assessment, we work with partners from IT and Finance to review and define your organization’s cardholder data environment (CDE), locate and identify all of the systems which are being used to process credit card transactions, and conduct a technical evaluation of your network’s segmentation in order to determine how well these systems are isolated from the rest of your internal network. We’ll map out all of the players involved at your organization -- which third-party systems are in play, who are the processors, who are the payment gateways -- and help decipher which systems, kiosks, terminals, and computers are in (or out) of scope.

Our recommendations are clear, practical, and action-oriented -- the next steps your organization should take to enhance the security of credit card processing and help prepare the organization in the unfortunate event of a future data breach.

The credit card processing environment is messy. Call FireOak today so we can help your organization get organized, better prepared, and understand the full picture around PCI obligations based on your unique environment.