PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Limiting Scope of PCI review

From: Josh More <jmore () starmind org>
Date: Thu, 14 Feb 2013 10:57:21 -0600
Yes, your entire network will be in scope if you don't do things to isolate it.

I like to use UTMs to do that, but bear in mind that, even if you do
that, your daily, weekly, monthly and yearly requirements will apply
to your workstations and to your UTMs.  It just won't extend to the
rest of the network if you isolate those workstations properly.

-Josh

On Thu, Feb 14, 2013 at 10:50 AM, Kevin <pdcmaillist () kckk net> wrote:

Hi all -
I know this isn't a PCI focused list, but I'm hoping it's PCI tolerant and
someone can point me in the right direction.

We are preparing to *begin* taking credit card payments from our customers,
and since we've never dealt with them before, I'm kinda new to the whole
PCI-DSS thing.

After reading through all the 'stuff' on the pci site, it seems to me like
it would make sense to limit the number of desktops,  servers, routers, etc
that are "in scope".   The PCI QSA vendors don't seem to want to help me
limit the scope - it's almost as if they make more $$ from having my entire
network in scope...  From reading the different SAQ's, it seems like we're
already doing all the stuff they are asking for, I just want to limit our
risk.

Currently my (4) cashier workstations are spread across my 2 client
networks, and have full access to typical client facing network resources
(exchange, sharepoint, various other non-customer service related web apps,
etc) The CC payment processor we are going to use has recommended installing
a USB swipe reader hooked to some sort of virtual terminal (active x based)
on each of the 4 PC's, and frankly that gives me the heebe-geebes.

Our finance director is pushing to go live sooner than later.

What types of techniques can be used to limit the scope?  Am I overly
worried about this?  If I go live now and reduce scope later, would my
entire network be in scope for this first year?

Thanks in advance for any pointers you can offer.
Kevin



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: