ARM Firms Can Reduce Exposure with PCI DSS Scope Reduction

November 19, 2019
By Emory Vandiver

It’s no longer news that protecting personal and financial information is paramount to the well-being of any individual or organization – and this is especially relevant within the ARM industry, where sensitive information (i.e., financial, healthcare) lives in abundance. With new threats of ransomware and data breaches emerging every day, the critical task of maintaining good data security posture has become extremely complex. It has become important to reduce the PCI DSS scope.

A prominent example of this heightened complexity for ARM companies has come in the form of various compliance standards, notably Payment Card Industry (PCI) regulations, referred to as the Data Security Standard (DSS). PCI compliance requires that a very specific set of protective data security measures be implemented, maintained and audited/certified as such, while the scope of potential exposure expands.

PCI DSS Scope Defined

The PCI DSS serves as a set of guidelines and standards for organizations that handle or accept payment card information, such as credit, debit, and cash cards. Ultimately the purpose lies in protecting cardholders from fraud and theft. There are six major objectives:

 Establish a secure network for information use and storage
 Protect cardholder personal and financial information, generally via encryption
 Use anti-spyware, anti-malware, and anti-ransomware programs
 Control digital and physical access to the system, particularly areas of data storage
 Monitor and test systems regularly
 Create and follow appropriate information security policy and procedure

As critical as data security is to any business, the cost of protecting it is of course an important factor. However, regarding PCI compliance, there’s a significant opportunity to reduce the expense of the audit and certification process. The challenge lies in reducing the scope of payment card information exposure – the smaller the scope, the fewer protections your business will need to provide.
With the help of an expert, an organization’s PCI DSS scope can be lessened, resulting in decreased costs and reduced risk.

Five Strategies for Reducing PCI DSS Scope

1. Do Not Store Personal Account Numbers

One straightforward way to reduce scope lies in never storing personal account numbers, known better in the industry as PAN.
For some traditional businesses, this will pose no problem. Retailers such as stores and gas stations have no need to store PAN and can delete the entry as soon as the transaction finishes, or after a fixed period.

Other businesses such as ARM firms store PAN and other information as a courtesy to their customers. Additionally, since ARM agents and online systems have frequent access to PAN as a means of doing business, there’s a significant risk.
However, for many industries, and especially for ARMs, avoiding PCI compliance has become impossible or at least not good business. This is because their customers now require them to comply, as a means of ensuring that their own security is maintained when sensitive data is shared.

2. Audit Systems to Reduce or Eliminate Unnecessary PAN

ARMs with extensive systems and multiple locations especially need to conduct regular system audits. PAN tends to “migrate” into areas where it should not be. Every time a piece of personal or financial data ends up in another part of the system, it expands the PCI DSS scope.

Implementing proper data discipline and maintaining regular evaluations requires expertise and is crucial to keeping PAN corralled in limited and designated areas.

3. Engage a PCI Compliance Strategy Expert

A key to reducing exposure lies in working with a PCI expert with a superior track record of designing, assessing and auditing PCI-relevant networks. Smaller organizations will especially benefit from such an engagement, as they typically operate with smaller budgets and less sophisticated resources.

4. Network Segmentation to Reduce System Exposure

Another effective way to reduce scope lies in establishing network segmentation, which provides for data storage devices and applications to be cut off from the main system part or all of the time. When you disconnect data from systems that allow outside access and put it in a silo, risk of breaches and unwanted migration is lessened.

Even this is not foolproof. The National Security Agency completely segmented off malware that was created in-house, but nonetheless an insider was still able to walk out with a whole cache of information and spread it online. Limiting personnel access is just as important as segmenting the system itself.

5. Cyber Liability/Data Breach Insurance

Any comprehensive plan involves carrying a safety net in case something does go wrong. There are numerous affordable cyber liability insurance options on the market, including coverage for business interruption and consumer notification expenses. When filling out applications, it is important to include as many security and procedural details as possible to help in the underwriting process. As underwriters evaluate the risk, operational details can help them provide a more accurate and informed quote option.

Conclusion: Cost of PCI Compliance for ARMs can be Reduced

Whether an ARM company is considering PCI compliance for the first time or has gone through the audit process several times, there’s a significant opportunity to reduce its cost. Working with an expert such as Interactive Security to guide you through it is pragmatic and logical. ARMs are in a hyper-competitive industry and the data security requirements of their customers have become stringent. Gain the competitive edge that compliance can bring at a reduced rate! Interactive Security can help you get started today.


Emory Vandiver

VP Business Operations/Partner | Interactive Security

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company’s strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked with leading enterprises across a diverse cross section of the information technology industry. He has led teams responsible for sourcing and negotiating several multi-million dollar managed IT services and professional services contracts with various global companies. Emory’s professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients’ businesses, along with a superior customer experience.