PaulDotCom mailing list archives

Re: Limiting Scope of PCI review


From: Chris Tizzano <CTizzano () bn com>
Date: Fri, 15 Feb 2013 11:22:27 -0500

Hey Kevin,

In a nutshell, use network segmentation for any machines handling cc data.  Those cashiers really should not touch the 
rest of the corporate environment.  If at all possible, don't store any cc data, at all.  If you have to store it, look 
into tokenization rather than storing partial/entire card info.  Different QSAs will have different takes on things - 
some are good, some are bad.  Don't hesitate to get second and third opinions.

I hope this helps and good luck.

-Chris
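The tokenization Chris suggests, sketched as an added example (this is not code from the thread, the list, or any payment processor): a vault is the only component that ever holds the PAN, while the merchant's own records keep a token plus the last four digits. The class and record layout are assumptions; the tokens are format-preserving but deliberately fail the Luhn check, which is what lets a scope-check scanner tell a token from a real card number.

```python
"""Tokenization sketch: the vault is the only component that sees a PAN; the rest of
the merchant environment stores a token plus the last four digits.  Added example,
not code from the mailing-list thread.  TokenVault, merchant_record and contains_pan
are hypothetical names; a real deployment would normally use a hosted vault."""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for a tokenization service.  Tokens keep the PAN's
    length and last four digits but are chosen to FAIL the Luhn check, so a token
    can never be mistaken for, or replayed as, a real card number."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}
        # keyed fingerprint: same card maps to the same token, but the map
        # cannot be rebuilt from fingerprints without the vault's key
        self._fp_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:       # same card -> same token
            return self._token_by_fingerprint[fp]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the component that talks to the payment processor should call this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own database is allowed to keep for a sale."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def contains_pan(record: dict) -> bool:
    """Cheap scope check: does any field hold something that looks like a real PAN?
    Spaces and dashes are collapsed first; only Luhn-valid digit runs count."""
    for value in record.values():
        flat = re.sub(r"[ -]", "", str(value))
        for run in re.findall(r"\d{13,19}", flat):
            if luhn_valid(run):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111", 1250)   # public test number
    print(rec, "holds a PAN:", contains_pan(rec))
```

Running contains_pan over whatever the cashier workstations and back-office systems persist is a quick way to confirm that nothing outside the vault is quietly keeping full card numbers, which is the whole point of tokenization for scope reduction.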


From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Kevin
Sent: Thursday, February 14, 2013 11:50 AM
To: pauldotcom () mail pauldotcom com
Subject: [Pauldotcom] Limiting Scope of PCI review

Hi all -
I know this isn't a PCI focused list, but I'm hoping it's PCI tolerant and someone can point me in the right direction.

We are preparing to *begin* taking credit card payments from our customers, and since we've never dealt with them 
before, I'm kinda new to the whole PCI-DSS thing.

After reading through all the 'stuff' on the PCI site, it seems to me like it would make sense to limit the number of 
desktops, servers, routers, etc. that are "in scope". The PCI QSA vendors don't seem to want to help me limit the 
scope - it's almost as if they make more $$ from having my entire network in scope... From reading the different 
SAQs, it seems like we're already doing all the stuff they are asking for, I just want to limit our risk.

Currently my (4) cashier workstations are spread across my 2 client networks, and have full access to typical client 
facing network resources (Exchange, SharePoint, various other non-customer-service-related web apps, etc.). The CC 
payment processor we are going to use has recommended installing a USB swipe reader hooked to some sort of virtual 
terminal (ActiveX based) on each of the 4 PCs, and frankly that gives me the heebie-jeebies.

Our finance director is pushing to go live sooner than later.

What types of techniques can be used to limit the scope?  Am I overly worried about this?  If I go live now and reduce 
scope later, would my entire network be in scope for this first year?

Thanks in advance for any pointers you can offer.
Kevin



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com