Security Basics mailing list archives
RE: PCI Gurus?
From: "Simon Thornton" <simon () thornton info>
Date: Mon, 17 Jan 2011 14:29:03 +0100
Hi,

Bear in mind that to get a definitive answer to what is in/out of scope you should engage with a QSA, who is certified to answer these questions. What follows is from my own experience of PCI.

Deciding what is in/out of scope is normally part of the PCI audit process. To answer the questions correctly you would need to have detailed info about the networks/systems. In a general sense what you should do is:

- Create a Card Data permeation map; this details where/how and with whom Card holder details (CHD) are stored, processed or transmitted (this includes 3rd parties).
- Identify any internal systems or databases which carry CHD.
- Do a gap analysis: take the PCI DSS standard and for each requirement mark it yes/no/partial; this will let you identify how much work you need to do.
- Any systems/networks which store, process or transmit CHD are in scope.
- Segregating the affected systems is not just a matter of creating a VLAN or subnet; you also need strong access controls, AV and policy/procedures around who has access to CHD.

The initial impression I have is that unless you process large volumes of cards and refund money regularly then I would outsource the card processing to a PCI certified Payment Service Provider (PSP). This applies to web based payments and card payments taken over the phone. The only systems still in scope will be the machines that connect to the PSP and any payment terminals or POS machines. These can then be easily segregated; the controls around access to the terminals still apply. If the only payments are from a webshop then the internal systems are out of scope PROVIDED that they do not store/process/transmit CHD.

I grouped your observations and questions into one section for ease:

---
Q1: Company A does not take credit cards and is not required to be PCI compliant; however they do provide a service which requires their network appliance to be installed on Company B's network.
Q4: Company A would like to avoid being "In Scope" and having to charge the client for consulting fees.

A1/4: If company A does not store, process or transmit CHD then it is out of scope of Company B's compliance programme. Otherwise, it is in scope.

---
Q2: In recent days Company A has come to the conclusion that in some of Company B's newly acquired satellite offices, credit card data is being forwarded across the LAN in a variety of ways (some of which do not look to be secure/encrypted).

A2: Company B is required to comply with PCI DSS.

---
Q3: In addition, several of these satellite offices are running consumer grade routers (ie: Linksys, Netgear) providing little in the way of segmentation.

A3: Irrespective of the network design or equipment, if those devices or the networks they are connected to are used to transmit CHD then they are in scope.

---
Q5: For the smaller satellite offices what might be a simple fix?

A5: Do not process CHD; outsource the payment process and eliminate all CHD records (you can keep the first 3 and last 4 digits for accounting/refunds; if the rest are obscured/deleted then it is not classified as CHD and therefore does not need to comply).

---
Q6: Does segregation provide an easy way to kick devices out of scope for PCI audits?

A6: No, it's only part of the requirements; moving the systems onto another LAN segment is NOT enough, all the other requirements still apply.

---
Q7: Would it be recommended/possible to have a firm produce a report which could be handed to an auditor and prove "Out of Scope" prior to being dragged into one of these audits?

A7: If you complete an SAQ (self assessment questionnaire) this can be handed to a QSA as a starting point. However the QSA is required to reach an independent opinion on the compliance and only they can decide what is in/out of scope.
---
Q8: Could the network appliance be designed/situated in such a way as to be "out of scope" or at least easily verifiable as compliant even if it was sitting on the same logical subnet where the card data traffic was moving across?

A8: If the device does not store, process or transmit CHD then it is out of scope of the audit. However, if it is on the same logical segment as devices which do process CHD then it is in scope of the audit and the controls apply.

----

What a lot of small companies do is a gap analysis, after which they decide that the cost of processing cards is not worth the cost of the initial (first year) and ongoing (following) compliance work. Of course it depends on how you take and process cards as to whether outsourcing to a PSP is practical or not.

Best advice: engage a QSA, even if it is only to do a gap analysis and/or data permeation map. The cost of getting it wrong can be far higher than getting it right first time.

Simon
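The permeation map step and the A2/A5 answers above both come down to knowing where card numbers actually turn up (logs, exports, support notes) and truncating whatever has to be kept. The Python below is an added example, not part of Simon's post or of any PCI tooling: a small card-data discovery check that scans constructed sample log lines for candidate PANs, filters them with the Luhn check to drop order and tracking numbers, and truncates hits to the first 3 and last 4 digits as the post describes. The file names, timestamps and card numbers in the sample are constructed (the PANs are the usual published test numbers, not real cards).

```python
"""Constructed example: a minimal cardholder-data discovery scanner.

Used while building a card-data permeation map: find strings that look
like PANs in files or logs, confirm them with the Luhn check, and report
only a truncated form so the report itself does not become CHD.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so an 8-digit invoice number is not matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit-only PANs in text that pass Luhn.

    The Luhn filter removes most false positives (tracking numbers,
    phone numbers, timestamps) that the loose regex would otherwise report.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str, keep_first: int = 3, keep_last: int = 4) -> str:
    """Keep leading/trailing digits and mask the rest (3/4 as in the post).

    Refuses to 'truncate' a value so short that nothing would be hidden.
    """
    hidden = len(pan) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to truncate safely")
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


# Constructed sample lines standing in for files found on a satellite-office share.
SAMPLE_LINES = [
    "2011-01-14 10:02:11 orders.csv ref=100012 card=4111 1111 1111 1111 exp=12/13",
    "2011-01-14 10:05:40 support.log customer called from 555-0100 about invoice 20110114",
    "2011-01-14 10:07:02 refunds.txt pan=5500000000000004 amount=19.99",
    "2011-01-14 10:09:55 notes.txt tracking 1234567890123456",
]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (line number, truncated PAN) for each confirmed hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((lineno, truncate_pan(pan)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: CHD found, truncated form {masked}")
```

Line 4's 16-digit tracking number is matched by the regex but rejected by Luhn, which is the point of the second filter; the report only ever holds the truncated form, so it can be attached to the gap analysis without itself needing protection as CHD.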
Current thread:
- PCI Gurus? shankl (Jan 14)
- Re: PCI Gurus? Venkatesh Selvaraju (Jan 18)
- RE: PCI Gurus? Simon Thornton (Jan 18)
- RE: PCI Gurus? Matthew Reed (Jan 18)
- PCI Gurus? daniel svartman (Jan 18)
- Re: PCI Gurus? Joseph Saselli (Jan 18)
- Re: PCI Gurus? John Morrison (Jan 21)
- RE: PCI Gurus? Jon Spiers (Jan 18)
- Re: PCI Gurus? Joseph Saselli (Jan 18)
- <Possible follow-ups>
- Re: Re: PCI Gurus? krymson (Jan 18)