Re: Limiting Scope of PCI review

[allison nixon <elsakoo () gmail com>]

In short, make your sensitive machines grant the same level of trust to the
corporate network as it does with the rest of the Internet.  As much as you
can.

On Thu, Feb 14, 2013 at 4:00 PM, Craig Freyman <craigfreyman () gmail com>wrote:

> I am not a QSA so take this FWIW. However, I pentest these environments
> all the time so I'll tell you what I've observed.
>
> Shrink and consolidate that CDE as much as you can. To do so, make sure
> you use segmentation and firewalls. When data starts to "spread across
> networks" it gets a little hairy. You mentioned your cashiers have access
> to all that other corporate "stuff" which will probably put all that in
> scope as well.
>
> In an ideal world, get all your CDE boxes in one subnet, give them zero
> access to anything else, if possible and only allow inbound access to the
> CDE with 2 factor. It all depends on your QSA though, this isn't an exact
> science. Don't be afraid to argue with them :) Ultimately it is the QSA
> that makes the call but you're allowed to disagree...
>
>
> On Thu, Feb 14, 2013 at 9:57 AM, Josh More <jmore () starmind org> wrote:
>
> > Yes, your entire network will be in scope if you don't do things to
> > isolate it.
> >
> > I like to use UTMs to do that, but bear in mind that, even if you do
> > that, your daily, weekly, monthly and yearly requirements will apply
> > to your workstations and to your UTMs.  It just won't extend to the
> > rest of the network if you isolate those workstations properly.
> >
> > -Josh
> >
> > On Thu, Feb 14, 2013 at 10:50 AM, Kevin <pdcmaillist () kckk net> wrote:
> > > Hi all -
> > > I know this isn't a PCI focused list, but I'm hoping it's PCI tolerant
> > and
> > > someone can point me in the right direction.
> > >
> > > We are preparing to *begin* taking credit card payments from our
> > customers,
> > > and since we've never dealt with them before, I'm kinda new to the whole
> > > PCI-DSS thing.
> > >
> > > After reading through all the 'stuff' on the pci site, it seems to me
> > like
> > > it would make sense to limit the number of desktops,  servers, routers,
> > etc
> > > that are "in scope".   The PCI QSA vendors don't seem to want to help me
> > > limit the scope - it's almost as if they make more $$ from having my
> > entire
> > > network in scope...  From reading the different SAQ's, it seems like
> > we're
> > > already doing all the stuff they are asking for, I just want to limit
> > our
> > > risk.
> > >
> > > Currently my (4) cashier workstations are spread across my 2 client
> > > networks, and have full access to typical client facing network
> > resources
> > > (exchange, sharepoint, various other non-customer service related web
> > apps,
> > > etc) The CC payment processor we are going to use has recommended
> > installing
> > > a USB swipe reader hooked to some sort of virtual terminal (active x
> > based)
> > > on each of the 4 PC's, and frankly that gives me the heebe-geebes.
> > >
> > > Our finance director is pushing to go live sooner than later.
> > >
> > > What types of techniques can be used to limit the scope?  Am I overly
> > > worried about this?  If I go live now and reduce scope later, would my
> > > entire network be in scope for this first year?
> > >
> > > Thanks in advance for any pointers you can offer.
> > > Kevin
> > >
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
_________________________________
Note to self: Pillage BEFORE burning.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com