
Business Leaders Cyber Briefing
A short summary of the latest cyber security news and trends, from the perspective of business leaders and owners. Hosts Trish and Tom provide plain English explanations along with practical advice to keep your business safe and secure from cyber crime and disruption.
For cyber security help and advice, speak to Cool Waters Cyber: www.cool-waters.co.uk
PCI-DSS - What do you need to do?
If your business accepts or processes card payments, you need to comply with PCI DSS. This episode is an introduction to PCI DSS and, along the way, explains many key cyber security concepts that apply to all businesses, whether or not they take card payments.
This podcast episode discusses PCI DSS, a global information security standard for organisations that handle branded credit cards from the major card schemes. The episode focuses on two key areas: scoping and segmentation.
Scoping is the process of identifying all the systems, people, and processes that need to be included in a PCI DSS assessment. This is crucial because it determines which parts of an organisation’s infrastructure are subject to the PCI DSS requirements. Accurately determining scope helps organisations focus their security efforts and resources where they are most needed. The episode provides a detailed breakdown of the scoping process, including:
- Identifying all payment channels and how cardholder data is received.
- Documenting the flow of cardholder data and the systems involved.
- Identifying any systems, processes, and personnel that can interact with or impact the cardholder data environment.
The episode emphasises the importance of considering all connected systems and the potential risks if these systems are overlooked during scoping.
Segmentation is a security strategy that isolates the cardholder data environment (CDE) from the rest of the network, so that systems which cannot reach the CDE fall outside the assessment. Effective segmentation can significantly reduce the scope of a PCI DSS assessment, making compliance easier to achieve and maintain, but the isolation has to be real: PCI DSS requires segmentation controls to be tested to confirm that out-of-scope systems genuinely cannot communicate with the CDE. The episode discusses different segmentation approaches and their impact on PCI DSS scope, particularly in the context of shared services such as directory services, which typically remain in scope because they provide authentication to CDE systems even when network traffic is otherwise restricted. It stresses that segmentation should be part of a holistic security strategy and not a replacement for securing the entire infrastructure.
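To make the scoping and segmentation points above concrete, here is a small scope calculator. It is an added illustration, not code from the episode or from Cool Waters Cyber, and the hosts, zones, firewall policies and service dependencies in it are constructed sample data. It applies a simplified version of the PCI SSC scoping logic: a host is in scope if it sits in the CDE, if a permitted firewall rule lets its network zone exchange traffic directly with the CDE, or if it provides a security service (here, directory authentication) to a CDE host. Running it against a flat network and a segmented one shows how a single "corporate to CDE" rule drags every corporate host into scope, and why the directory server stays in scope either way.

```python
"""Toy PCI DSS scope calculator (added example, constructed data).

Simplification of the PCI SSC scoping guidance used here:
  - hosts in the CDE zone are 'cde';
  - hosts whose zone has a permitted rule to or from the CDE zone are
    'connected-to' (either direction counts: a reachable host is a pivot);
  - hosts that provide a security service to a CDE host are
    'security-impacting' even with no network rule recorded;
  - everything else is 'out-of-scope'.
"""

# Constructed inventory: host name -> network zone.
HOSTS = {
    "pos-terminal-01": "cde",
    "payment-gateway": "cde",
    "ad-controller": "shared-services",
    "file-server": "corporate",
    "hr-laptop": "corporate",
    "guest-ap": "guest",
}

# Constructed service dependencies: host -> CDE hosts it authenticates.
SERVICES = {
    "ad-controller": ["pos-terminal-01", "payment-gateway"],
}

# Constructed firewall policies as permitted (source_zone, dest_zone) pairs.
# Flat network: the corporate LAN can reach the CDE directly.
RULES_FLAT = {
    ("corporate", "cde"),
    ("shared-services", "cde"),
    ("corporate", "shared-services"),
    ("guest", "corporate"),
}
# Segmented: corporate traffic to the CDE is denied; only the directory
# services zone may reach it.
RULES_SEGMENTED = {
    ("shared-services", "cde"),
    ("corporate", "shared-services"),
    ("guest", "corporate"),
}


def zone_neighbours(rules):
    """Zones that can exchange traffic with each zone, in either direction."""
    adj = {}
    for src, dst in rules:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def classify(hosts, rules, services):
    """Map each host to 'cde', 'connected-to', 'security-impacting'
    or 'out-of-scope' under the simplified scoping rule above."""
    adj = zone_neighbours(rules)
    cde_hosts = {h for h, z in hosts.items() if z == "cde"}
    result = {}
    for host, zone in hosts.items():
        if zone == "cde":
            result[host] = "cde"
        elif "cde" in adj.get(zone, set()):
            result[host] = "connected-to"
        elif cde_hosts & set(services.get(host, [])):
            result[host] = "security-impacting"
        else:
            result[host] = "out-of-scope"
    return result


def in_scope(hosts, rules, services):
    """Sorted names of hosts that must meet PCI DSS requirements."""
    return sorted(h for h, c in classify(hosts, rules, services).items()
                  if c != "out-of-scope")


if __name__ == "__main__":
    for label, rules in (("flat", RULES_FLAT), ("segmented", RULES_SEGMENTED)):
        print(f"{label}: {in_scope(HOSTS, rules, SERVICES)}")
```

With the flat policy five of the six hosts are in scope (only the guest Wi-Fi is out); with the segmented policy only the two CDE hosts and the directory server remain. Note what the segmented run does not do: it does not remove the directory server, which now sits on the only permitted path from the corporate LAN into the CDE and therefore has to meet the full PCI DSS requirements itself. The service-dependency check also keeps it in scope even if the firewall rule were left out of the inventory, which is the kind of overlooked connection the episode warns about.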
The episode concludes by highlighting that effective scoping and segmentation can significantly reduce the risk of data breaches and streamline PCI DSS compliance efforts. It encourages business leaders to engage with their security teams to ensure a thorough understanding of these concepts and their impact on the organisation's overall security posture.
Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK-based cyber security firm that has been protecting businesses across 3 continents since 1999. We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.uk
Need help with Cyber Security?
Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk