PaulDotCom mailing list archives

Re: CC numbers stored on planes


From: David Freedman <freedman.j.d () gmail com>
Date: Tue, 24 Jan 2012 11:36:07 -0500

On Tue, Jan 24, 2012 at 10:37 AM, Robin Wood <robin () digininja org> wrote:

On 24 January 2012 14:18, David Freedman <freedman.j.d () gmail com> wrote:

I love Robin's point about being concerned with the assessor's abilities
to explain why something is in scope and what is considered out of scope.
We have recently gone through our yearly PCI compliance 2.0 and there was
a big debate over what was in scope due to the differences between last 4
of a PAN and full track data.


One place I've found that isn't always automatically considered in scope
is log servers. People turn on full logging and the CC data gets sent off
to a separate machine then they forget to turn it off or to clear it down
later. Also backup locations, the SQL server either generates a SQL dump or
a binary backup of all the data and that is passed to a separate machine,
that machine isn't in the normal flow of data so people forget about it.

Robin


Agreed. We already agreed that the log server and anywhere that data gets
backed up to is considered in scope. Our issue was with a database that
only stores truncated PAN (last 4) and no other CC data. If this is
considered in scope then anywhere that has stored or the ability to view
truncated PAN is in scope (so the whole network). Our last assessor did
not think it was in scope.

We have included this DB as an in scope system as per auditor request.
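A defensive check in the spirit of Robin's log-server point, as an added example that is not part of this thread: it scans constructed log lines and separates lines carrying a full (Luhn-valid) PAN, which pull the host into scope, from lines carrying only a masked last-4 value. The regexes, classification names and the sample lines are my assumptions; the card numbers are standard test numbers, not real cards.

```python
import re

# Candidate digit runs of 13-19 digits, optionally separated by spaces or dashes
# (assumed format; tune for the logging system in use).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Masked/truncated form: run of mask characters followed by exactly four digits,
# or first-six/last-four style masking.
TRUNC_RE = re.compile(r"(?:[*Xx]{4,}|\d{6}[*Xx]{2,})\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and timestamps that happen to be long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_line(line: str) -> str:
    """Return 'full_pan', 'truncated', or 'clean' for one log line."""
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "full_pan"
    if TRUNC_RE.search(line):
        return "truncated"
    return "clean"


def scan_log(lines):
    """Count lines by classification; any 'full_pan' hit means the log host is in scope."""
    counts = {"full_pan": 0, "truncated": 0, "clean": 0}
    for line in lines:
        counts[classify_line(line)] += 1
    return counts


# Constructed sample log lines (test card numbers only).
SAMPLE_LOG = [
    "2012-01-24 10:37:01 app[123]: charge ok card=4111111111111111 amount=19.99",
    "2012-01-24 10:37:02 app[123]: receipt sent card=************1111",
    "2012-01-24 10:37:03 app[123]: order 2012012400017 shipped",
    "2012-01-24 10:37:04 app[123]: charge ok card=5500 0000 0000 0004 amount=5.00",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Run it against a real log export (or a SQL dump, per the backup point above) to see whether full PANs, not just last-4 values, have leaked onto a machine that nobody counted as in scope.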
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com