3 Benefits of Taking Data Out of PCI Audit Scope

by Thomas Gloerfeld, December 10, 2019 (Cloud | Winter 2019)

Whether your company accepts payments at a store or restaurant, sells products or services through a website, or handles monthly payment billing, you or someone at your company is most likely aware of the security requirements of the Payment Card Industry Data Security Standard (PCI DSS). Each calendar year, your organization needs to prove that it complies with the 12 requirements listed under PCI DSS. Often, this process is time-consuming and costly, and it ties up key people who end up focusing primarily on assessing, verifying, and completing the compliance audit.

Reducing the scope of the audit (the set of systems and data flows that must be assessed for security) can free your organization from much of the burden of a lengthy audit process. With a mix of planning and technology, your organization can reduce the scope of the audit and still demonstrate compliance with PCI DSS.

Here are 3 key benefits your business gains by taking data out of scope of PCI DSS:

1. Less risk of accidental exposure; smaller attack surface

When you reduce the number of locations where cardholder data resides, you have fewer applications and servers to include in the audit. In most organizations, many departments retain or use cardholder data, including the help desk, Finance & Accounting, Quality Assurance, DevOps, corporate CRM, and of course the production environments used for real-time processing. Most of these departments do not need real cardholder data to complete their tasks. Using data protection technology such as tokenization, the actual cardholder data given by customers is replaced with surrogate data wherever it is used by business applications and stored in databases or files.
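The following is an added illustration of the surrogate-data idea described above; it is example code written for this article and is not comforte's product or any specific PCI-validated tokenization implementation. It assumes a vault-based design: a random, format-preserving token replaces the primary account number (PAN), the last four digits are kept for customer-service lookups, the token is deliberately generated so that it fails the Luhn check (so it can never be mistaken for a real card number), and the only mapping between tokens and PANs lives inside the vault. Everything that stores or processes tokens alone is what you would argue out of scope; the vault itself stays in scope. The names `TokenVault`, `luhn_valid`, `tokenize` and `detokenize` are assumptions for this example.

```python
"""Vault-based tokenization of a primary account number (PAN).

Example code added for illustration, not a product implementation.
Design assumptions: random format-preserving token, last four digits
kept, Luhn check deliberately failed, mapping held only in the vault.
"""
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and real PANs.

    In a deployment this component is inside the PCI scope (hardened,
    access-controlled, logged); systems that see only tokens are not.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a surrogate; the same PAN always yields the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # stable mapping keeps joins and lookups working
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the PAN for a token; only vault-authorised callers should do this."""
        return self._token_to_pan.get(token)

    def _new_token(self, pan: str) -> str:
        """Random token: same length, last four digits preserved, never Luhn-valid."""
        head_len = len(pan) - 4
        while True:
            head = "".join(secrets.choice(DIGITS) for _ in range(head_len))
            token = head + pan[-4:]
            # A Luhn-valid token could be mistaken for (or collide with) a real PAN,
            # and a reused token would break the one-to-one mapping.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                return token


def demo(pan: str = "4111111111111111") -> dict:
    """Tokenize a constructed test PAN and report the properties a reviewer checks."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "token": token,
        "same_length": len(token) == len(pan),
        "last_four_kept": token[-4:] == pan[-4:],
        "token_luhn_valid": luhn_valid(token),
        "round_trip": vault.detokenize(token) == pan,
        "stable": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sample PAN 4111111111111111 is the conventional test number, not a real card. Because the token fails Luhn, a stolen token cannot be replayed as a card number, which is the property behind the article's point that exposed surrogate data does not affect the original cardholder.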
Replacing actual cardholder data in as many places as possible not only helps reduce the scope of the audit but also helps reduce your cyber-attack surface, should a data incident occur. Surrogate data that is exposed or stolen does not affect the original cardholder and is useless to a bad actor should they try to exploit it.

2. Reducing scope reduces cost

Businesses spend an average of $225,000 annually for PCI compliance. Smaller businesses that process less cardholder data can spend significantly less; however, large enterprises could easily pay over $500,000 annually. For the audit alone, the cost breakdown includes:

- Hiring Qualified Security Assessors (QSAs)
- Full-time employees allocated to provide content for audits (which may include time spent away from daily tasks and responsibilities)

The more systems and applications with cardholder data you have, the longer it may take to complete an audit. Therefore, reducing the number of systems and locations where cardholder data resides can help save costs. Here's a quick breakdown of where costs could be saved during a PCI audit:

3. Enable new projects without additional PCI audit burden

Where else in your company have you wanted to use cardholder data but held back due to security concerns? Artificial Intelligence (AI) and Machine Learning (ML) are two areas where large amounts of data are required to produce results. Both areas pose a significant security risk to organizations when actual cardholder data is used. Imagine sending millions of cardholder records to a data lake or analytics engine, only to have the data exposed or stolen! Using surrogate data instead of real cardholder data helps reduce the threat of a data incident, while still allowing AI and ML to produce results that support business decision-making. Do you have innovative projects or customer service directives which can benefit from cardholder details? Data can be your superpower, provided you protect it!
Now that you know why you should take data out of scope, find out how it is done: we have created a Quick Reference Guide that summarizes 3 ways to reduce your PCI audit scope. Grab a complimentary copy at the link below.

Get the Quick Reference Guide

Thomas Gloerfeld is Director Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for over 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he manages all aspects of marketing for HPE NonStop solutions and comforte's NonStop partners. As part of his role, he closely monitors topics such as data security, risk and compliance, as well as digital transformation and connectivity.