Security Basics mailing list archives

RE: PCI Gurus?


From: "Simon Thornton" <simon () thornton info>
Date: Mon, 17 Jan 2011 14:29:03 +0100

Hi, 

Bear in mind that to get a definitive answer to what is in/out of scope you
should engage with a QSA, who is certified to answer these questions. What
follows is from my own experience of PCI.


Deciding what is in/out of scope is normally part of the PCI audit process.
To answer the questions correctly you would need to have detailed info about
the networks/systems. In a general sense what you should do is:

- create a Card Data permeation map; this details where/how and with whom Card
holder details (CHD) are stored, processed or transmitted (this includes 3rd
parties).

- Identify any internal systems or databases which carry CHD. 

- do a gap analysis, take the PCI DSS standard and for each requirement mark
it yes/no/partial, this will let you identify how much work you need to do.

- Any systems/networks which store, process or transmit CHD are in scope 

- Segregating the affected systems is not just a matter of creating a VLAN
or subnet, you also need strong access controls, AV and policy/procedures
around who has access to CHD.


The initial impression I have is that unless you process large volumes of
cards and refund money regularly then I would outsource the card processing
to a PCI certified Payment Service Provider (PSP). This applies to web based
payments and cards payments taken over the phone. The only systems still in
scope will be the machines that connect to the PSP and any payment terminals
or POS machines. These can then be easily segregated; the controls around
access to the terminals still apply. If the only payments are from a webshop
then the internal systems are out of scope PROVIDED that they do not
store/process/transmit CHD.

I grouped your observations and questions into one section for ease: 

--- 
Q1: Company A does not take credit cards and is not required to be PCI
compliant however they do provide a service which requires their network
appliance to be installed on Company B's network.

Q4: Company A would like to avoid being "In Scope" and having to charge the
client for consulting fees. 

A1/4: If company A does not store, process or transmit CHD then it is out of
scope of Company B's compliance programme. Otherwise, it is in scope.


--- 
Q2) In recent days Company A has come to the conclusion that in some of
Company B's newly acquired satellite offices, credit card data is being
forwarded across the LAN in a variety of ways (some of which do not look to
be secure/encrypted).

A2: Company B is required to comply with PCI DSS.


--- 
Q3) In addition, several of these satellite offices are running consumer
grade routers (ie: Linksys, Netgear) providing little in the way of
segmentation. 

A3: Irrespective of the network design or equipment, if those devices or the
networks they are connected to are used to transmit CHD then they are in
scope.


--- 
Q5) For the smaller satellite offices what might be a simple fix? 

A5: Do not process CHD, outsource the payment process and eliminate all CHD
records (you can keep the first 3 and last 4 digits for accounting/refunds,
if the rest are obscured/deleted then it is not classified as CHD and
therefore does not need to comply).


--- 
Q6) Does segregation provide an easy way to kick devices out of scope for
PCI audits? 

A6: No, it's only part of the requirements; moving the systems onto another
LAN segment is NOT enough, all the other requirements still apply.


--- 
Q7) Would it be recommended/possible to have a firm produce a report which
could be handed to an auditor and prove "Out of Scope" prior to being
dragged into one of these audits? 

A7: If you complete an SAQ (self assessment questionnaire) this can be
handed to a QSA as a starting point. However the QSA is required to reach an
independent opinion on the compliance and only they can decide what is
in/out of scope.

--- 
Q8: Could the network appliance be designed/situated in such a way as to be
"out of scope" or at least easily verifiable as compliant even if it was
sitting on the same logical subnet where the card data traffic was moving
across?

A8: If the device does not store, process or transmit CHD then it is out of
scope of the audit. However, if it is on the same logical segment as devices
which do process CHD then it is in scope of the audit and the controls
apply.

---


What a lot of small companies do is a gap analysis, after which they decide
that the cost of processing cards is not worth the cost of the initial
(first year) and ongoing (following) compliance work. Of course it depends
on how you take and process cards as to whether outsourcing to a PSP is
practical or not.


Best advice; engage a QSA, even if it is only to do a gap analysis and/or
data permeation map. The cost of getting it wrong can be far higher than
getting it right first time.


Simon 
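Two of the steps above (identifying which internal systems carry CHD, and truncating records so what remains is no longer CHD) are things a practitioner can script while building the permeation map. The following is an added example and not code from Simon's post: it scans constructed sample log lines for 13 to 19 digit runs that pass the Luhn check (filtering most random digit strings such as order references), and reports them already truncated so the report itself holds no full PAN. The sample lines and the test card numbers are constructed; the keep-first-3/last-4 split is a parameter, set here to the figure the post gives.

```python
import re

# Constructed sample lines, standing in for application logs or database
# exports examined while mapping where CHD lives. Card numbers are test PANs.
SAMPLE_LINES = [
    "2011-01-17 order=1042 pan=4111111111111111 exp=0313 amount=49.99",
    "2011-01-17 refund ref=1234567812345678 phone=0123456789",
    "2011-01-17 card 5500-0000-0000-0004 approved via PSP",
    "2011-01-17 order=1043 pan=4111111111111112 DECLINED",
]

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text, separators stripped."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str, keep_first: int = 3, keep_last: int = 4) -> str:
    """Truncate a PAN, retaining only leading and trailing digits.

    The 3/4 split is the figure given in the post; both counts are parameters
    so the retained digits can be set to whatever the assessor confirms.
    """
    if keep_first + keep_last >= len(pan):
        raise ValueError("truncation would retain the full PAN")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def scan_lines(lines) -> dict:
    """Map line number -> masked PANs found on that line.

    Results are masked before being stored, so the discovery report itself
    does not become another place where CHD is held.
    """
    report = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report[n] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for n, pans in scan_lines(SAMPLE_LINES).items():
        print(f"line {n}: {', '.join(pans)}")
```

Run against the constructed lines it flags line 1 and line 3 only: the 16-digit order reference on line 2 fails the Luhn check and the declined PAN on line 4 is deliberately one digit off. Luhn is a filter, not proof; a hit still has to be confirmed by looking at the system that produced it, which is exactly the per-system work the permeation map records.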


