
We're preparing for a network penetration test for PCI compliance audit and we are stuck on a merry-go-round about the scope of "cardholder environment." 
 
We accept credit cards through our website and we have credit card readers in several locations that transmit data via Ethernet.  We do not store credit card data anywhere.  Is the scope of cardholder environment limited to the web servers, databases, and network appliances where credit card data will pass through or does it also include infrastructure that has nothing to do with processing credit card data but is considered part of the cardholder environment by virtue of it being on the same network?
 
 
 
Scott Ciliberti, Chief Information Officer
Enterprise Technology Services
536 Mission Street, Room P-49
San Francisco, CA 94105
v: 415.369.5365
 
I'm participating in the AIDS Lifecycle; a 7-day 545 mile cycling fundraising event between SF and LA.  http://www.tofighthiv.org/goto/sciliberti to make a donation.

Comments

Message from christb@sou.edu

We accept credit cards through our website and we have credit card readers in several locations that transmit data via Ethernet.  We do not store credit card data anywhere.  Is the scope of cardholder environment limited to the web servers, databases, and network appliances where credit card data will pass through or does it also include infrastructure that has nothing to do with processing credit card data but is considered part of the cardholder environment by virtue of it being on the same network?

It is common to segregate the machines that process credit card data onto their own "network."  It was sufficient for us to put them into their own VLAN(s) and firewall them from the rest of campus and the Internet.  This way, we avoided having to show compliance on every workstation, server, etc.

--
Brad Christ
Chief Information Officer
Southern Oregon University


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Another common practice is to use encryption.  As you may be aware, the standard does promote/allow the use of strong encryption to transmit cardholder data across a public network.  In cases where you have card processing stations geographically distant from your web server infrastructure, you could purchase inexpensive firewall devices and place them in front of your card processing systems.  (Assuming you are protecting your web infrastructure as well.)  You can then use those devices to establish a VPN connection back to your web server/infrastructure.  Both firewalls (and everything behind them) are then in scope for PCI DSS compliance, but the network in between is not.

 

Many of us are using payment gateways, such as Touchnet, which allow you to significantly reduce your scope, as the service provider handles credit card transactions, including authorization and settlement.  The CDE is effectively outsourced to a service provider, which allows you to fill out the ‘short version’ of the SAQ, rather than the more extensive (b-d).

 

Regards,

 

Tammy L. Clark, CISSP, CISM, CISA, HISP, CRISC, PMP

Chief Information Security Officer

Information Security Coordination

tlclark@gsu.edu

404-413-4509

 

We've spent a lot of time and money on PCI compliance, and the scope of the cardholder environment has been a significant problem to work through.  The opinion from our QSA was that the credit card readers are within scope, as they transmit PAN.  We also implemented a PCI-specific VLAN as previously described by Brad.  In particular, we had to pay attention to any upgrade processes for the card readers and how those credit card readers are touched by any upgrade or security protections.

Theresa
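The scoping rule the replies above describe (a dedicated PCI VLAN behind a firewall takes the rest of campus out of scope, while anything on the same flat segment, and anything with a permitted path into that segment such as the reader upgrade server Theresa mentions, stays in scope) can be written down as a small model and checked against an inventory. The following is an added example written for this page, not code from any of the posters or from the PCI SSC; the hosts, VLAN numbers and firewall rules are constructed, and the "connected" category follows what the PCI SSC scoping guidance calls "connected-to" systems. It generalizes beyond the thread in one respect: it classifies a whole inventory, not just the card readers and web servers.

```python
"""PCI DSS scope from network segmentation: a worked model.

Added example, not code from the original thread. The hosts, VLAN numbers and
firewall rules below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    handles_chd: bool = False  # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    action: str  # "allow" or "deny"


def path_allowed(rules, src_vlan, dst_vlan):
    """Can a host in src_vlan open a connection to a host in dst_vlan?

    Within one VLAN there is no filtering point, so the answer is always yes.
    Across VLANs the first matching firewall rule wins; no match means denied.
    """
    if src_vlan == dst_vlan:
        return True
    for rule in rules:
        if (rule.src_vlan, rule.dst_vlan) == (src_vlan, dst_vlan):
            return rule.action == "allow"
    return False


def classify_scope(hosts, rules):
    """Map each host name to 'cde', 'connected' or 'out'.

    cde        handles cardholder data, or sits in a VLAN with a host that does
               (nothing separates them, so it is part of the CDE)
    connected  sees no cardholder data but has a permitted path to or from the
               CDE (e.g. a server that pushes firmware to the card readers);
               still in scope for the assessment
    out        no permitted path in either direction; segmentation removes it
    """
    cde_vlans = {h.vlan for h in hosts if h.handles_chd}
    scope = {}
    for h in hosts:
        if h.handles_chd or h.vlan in cde_vlans:
            scope[h.name] = "cde"
        elif any(path_allowed(rules, h.vlan, v) or path_allowed(rules, v, h.vlan)
                 for v in cde_vlans):
            scope[h.name] = "connected"
        else:
            scope[h.name] = "out"
    return scope


def in_scope_only_by_adjacency(hosts):
    """Hosts that handle no cardholder data but share a VLAN with one that does.

    These are the machines the original question is about: each one must be
    assessed, or moved to another VLAN behind the firewall.
    """
    cde_vlans = {h.vlan for h in hosts if h.handles_chd}
    return sorted(h.name for h in hosts
                  if not h.handles_chd and h.vlan in cde_vlans)


# Constructed inventory: VLAN 10 is the dedicated PCI VLAN, VLAN 20 is the
# general campus network, VLAN 30 holds management systems.
HOSTS = [
    Host("web-store", 10, handles_chd=True),
    Host("card-reader-bookstore", 10, handles_chd=True),
    Host("card-reader-cafeteria", 10, handles_chd=True),
    Host("reader-upgrade-server", 30),   # pushes firmware to the readers
    Host("hr-workstation", 20),
    Host("library-catalog", 20),
]

# Constructed firewall policy at the PCI VLAN boundary: default deny, with one
# exception so the upgrade server can reach the readers.
RULES = [
    Rule(30, 10, "allow"),
    Rule(20, 10, "deny"),
    Rule(10, 20, "deny"),
]

# The same hosts before segmentation: everything on one flat VLAN.
FLAT_HOSTS = [Host(h.name, 10, h.handles_chd) for h in HOSTS]


def segmented_scope():
    return classify_scope(HOSTS, RULES)


def flat_scope():
    return classify_scope(FLAT_HOSTS, [])


if __name__ == "__main__":
    for label, scope in (("flat", flat_scope()), ("segmented", segmented_scope())):
        count = sum(status != "out" for status in scope.values())
        print(f"{label}: {count} of {len(scope)} hosts in scope")
        for name, status in scope.items():
            print(f"  {name:24s} {status}")
    print("in scope only by adjacency (flat):",
          in_scope_only_by_adjacency(FLAT_HOSTS))
```

Run against the constructed inventory, the flat network puts all six hosts in scope, while the segmented one leaves only the three CHD hosts plus the upgrade server (as a connected-to system) in scope and drops the two campus machines. The model deliberately treats any allowed rule to or from the PCI VLAN as enough to pull a host into scope; a real assessment also counts systems that affect the CDE's security without a network path (for example a directory or logging server), so use the output as a starting list for the QSA discussion, not as the final scope.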