PaulDotCom mailing list archives

Re: Limiting Scope of PCI review


From: John Mason <john.mason.jr () gmail com>
Date: Thu, 14 Feb 2013 12:23:18 -0500

The Open PCI Scoping Framework might help

http://itrevolution.com/pci-scoping-toolkit/

They do ask for an email address to send download instructions


On Thu, Feb 14, 2013 at 11:57 AM, Josh More <jmore () starmind org> wrote:

Yes, your entire network will be in scope if you don't do things to
isolate it.

I like to use UTMs to do that, but bear in mind that, even if you do
that, your daily, weekly, monthly and yearly requirements will apply
to your workstations and to your UTMs.  It just won't extend to the
rest of the network if you isolate those workstations properly.

-Josh

On Thu, Feb 14, 2013 at 10:50 AM, Kevin <pdcmaillist () kckk net> wrote:
Hi all -
I know this isn't a PCI focused list, but I'm hoping it's PCI tolerant and
someone can point me in the right direction.

We are preparing to *begin* taking credit card payments from our customers,
and since we've never dealt with them before, I'm kinda new to the whole
PCI-DSS thing.

After reading through all the 'stuff' on the pci site, it seems to me like
it would make sense to limit the number of desktops, servers, routers, etc.
that are "in scope". The PCI QSA vendors don't seem to want to help me
limit the scope - it's almost as if they make more $$ from having my entire
network in scope... From reading the different SAQs, it seems like we're
already doing all the stuff they are asking for, I just want to limit our
risk.

Currently my (4) cashier workstations are spread across my 2 client
networks, and have full access to typical client facing network resources
(Exchange, SharePoint, various other non-customer service related web apps,
etc.). The CC payment processor we are going to use has recommended installing
a USB swipe reader hooked to some sort of virtual terminal (ActiveX based)
on each of the 4 PCs, and frankly that gives me the heebie-jeebies.

Our finance director is pushing to go live sooner than later.

What types of techniques can be used to limit the scope? Am I overly
worried about this? If I go live now and reduce scope later, would my
entire network be in scope for this first year?

Thanks in advance for any pointers you can offer.
Kevin
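The point Josh makes above, that scope follows connectivity and only shrinks when the cashier workstations are actually isolated, as an added example that is not part of this thread: a small reachability calculation over a constructed host inventory and firewall allow-list (all host names, including "utm" and "payment-gateway", are hypothetical).

```python
# Added example, not from the thread: connectivity-based PCI scope estimate.
# Hosts and allowed flows below are constructed sample data.
from collections import deque

def in_scope(cde_hosts, flows):
    """Return every host that can exchange traffic, directly or transitively,
    with the cardholder-data environment (CDE).  `flows` are (src, dst) pairs
    the firewall permits; a permitted flow in either direction counts as
    connectivity for scoping purposes, so the result is a reachability closure."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
        adjacency.setdefault(dst, set()).add(src)
    seen = set(cde_hosts)
    queue = deque(cde_hosts)
    while queue:
        host = queue.popleft()
        for peer in adjacency.get(host, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen

CASHIERS = {"cashier1", "cashier2", "cashier3", "cashier4"}
OFFICE = {"exchange", "sharepoint", "intranet-app", "file-server", "hr-pc"}

# Scenario 1 (constructed): flat network, any host may talk to any other.
ALL_HOSTS = CASHIERS | OFFICE
FLAT_FLOWS = [(a, b) for a in ALL_HOSTS for b in ALL_HOSTS if a != b]

# Scenario 2 (constructed): cashiers sit behind a UTM whose only permitted
# flow is to the payment gateway.  The UTM itself stays in scope because it
# is what enforces the boundary; the office hosts drop out.
ISOLATED_FLOWS = [(c, "utm") for c in CASHIERS] + [("utm", "payment-gateway")]

def flat_scope():
    return in_scope(CASHIERS, FLAT_FLOWS)

def isolated_scope():
    return in_scope(CASHIERS, ISOLATED_FLOWS)

if __name__ == "__main__":
    print("flat network, in scope:", sorted(flat_scope()))
    print("isolated segment, in scope:", sorted(isolated_scope()))
```

Feed it a real allow-list exported from the firewall to see which hosts an assessor would reasonably treat as "connected to" the CDE before and after segmentation.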



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com