Educause Security Discussion mailing list archives
Re: PCI DSS compliance challenges
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 10 Jun 2009 14:35:26 -0400
Scott Weyandt wrote:
One of my colleagues is a PCI Auditor (QSA and PA-QSA certified). He continually states that you cannot over stress the importance of segregating systems that transfer or store card holder data from the rest of your network. If you do so, you greatly limit the scope of a PCI audit to that network segment and its systems. If you do not, your entire network is potentially in scope for a PCI audit.
Segmentation is certainly baked into the regulations. Even SAQ B and C levels prohibit the card handling devices from being connected to any other systems in the merchant environment. What I don't understand is how infrastructure needs are supposed to be handled. Is an organization that processes a relatively small number of cards supposed to put up redundant support infrastructure such as DNS, DHCP, AD, SMS, and AV servers? If they don't, do all the central infrastructure services come into scope? And if the central infrastructure services come into scope, does the rest of the network because of the intertwining with the infrastructure?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security