Re: PCI DSS compliance challenges

[Gary Flynn <flynngn () JMU EDU>]

Scott Weyandt wrote:
> One of my colleagues is a PCI Auditor (QSA and PA-QSA certified).  He
> continually states that you cannot over stress the importance of segregating
> systems that transfer or store card holder data from the rest of your
> network.  If you do so, you greatly limit the scope of a PCI audit to that
> network segment and its systems.  If you do not, your entire network is
> potentially in scope for a PCI audit.


Segmentation is certainly baked into the regulations. Even SAQ
B and C levels prohibit the card handling devices from being
connected to any other systems in the merchant environment.

What I don't understand is how infrastructure needs are supposed
to be handled. Is an organization that processes a relatively
small number of cards supposed to put up redundant support
infrastructure such as DNS, DHCP, AD, SMS, and AV servers?
If they don't, do all the central infrastructure services
come into scope? And if the central infrastructure services
come into scope, does the rest of the network because of the
intertwining with the infrastructure?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature