1. Explore opportunities for segmentation
The PCI DSS applies to all of your systems that handle credit card information, but most merchants also have many systems that never touch card data: building management systems, for example. If those other systems are properly walled off (or “segmented”) from the payment-handling systems, they fall outside the scope of the PCI compliance requirements. For many merchants, segmentation can help limit the scope of PCI security measures and expenditures. A word of warning, though: sometimes it simply makes sense for your payment processes and other systems to coexist, as in a smaller business with a limited number of computers. Careful case-by-case evaluation is the best way to determine whether segmentation makes sense for you.
2. Work with security partners
For large-scale merchants with complex systems, the cost of compliance can be high simply because of the scope of their operation. These medium-to-large businesses are often well served by transferring some of their security responsibilities to a third-party firm. For example, a managed security solution from a security provider can deliver constant monitoring and rapid response to network intrusions for less than it would cost to achieve the same goals with highly compensated internal staff. In the course of obtaining a Report on Compliance (RoC) to demonstrate PCI compliance to an acquiring bank, many businesses will already have worked with a Qualified Security Assessor (QSA).
A Qualified Security Assessor is a third-party security organization, such as LBMC, that has been vetted and certified as an auditor by the PCI Security Standards Council. What many businesses don’t know is that a QSA, which may already be familiar with your security operations and needs, is also allowed to provide additional security services, such as penetration testing and managed security solutions. A third-party organization can’t take on 100% of your PCI responsibility; you still have to verify and be able to demonstrate compliance. But you can leverage its expertise to implement more cost-effective, customized solutions and reduce your burden.
3. Compensating controls
While larger organizations may have to manage a larger system scope, smaller organizations face their own challenges: small businesses often have less money to spend on security solutions. Accordingly, the PCI DSS includes a provision that allows “compensating controls” to be used in place of the standard requirements (also known as “controls”). This provision lets you look at what a given control is actually trying to accomplish. Is it protecting card data? Core systems?
The compensating-control provision allows you to implement a different solution that achieves the same objective as the original control. Often, these compensating controls are cheaper or less invasive alternatives. There is no universal rule for when compensating controls apply; each situation is unique to the merchant and should be evaluated independently.
With that said, a QSA is in the best position to help an organization identify and document an appropriate compensating control once the organization finds that there is a particular PCI control it cannot meet. If you are struggling to implement or maintain certain PCI controls because of cost or limitations in your technical environment, staffing model, or business applications, consider working with a QSA to identify a more reasonable alternative.