Note, I am not a QSA, but when in doubt, read the PCI-DSS.  There's a nice 
writeup, starting page 10 of the PCI-DSS, that explains the scope.

The PCI-DSS document specifies very explicitly what makes one in scope vs out 
of scope, not only at a system level, but at a network level.  If no payment 
card data touches your systems or network, you are not PCI impacted.  If a 
system is PCI impacted, all systems not separated by a PCI compliant 
(requirement 1) firewall from that system are also deemed PCI impacted.  

Payment card data includes (from memory):
* Full account number
* Hash of account number
* Encrypted text of account number
* Mag stripe 1
* Mag stripe 2
* CVV2 (the number on the back)

Touching your system includes going into RAM, going in or out a NIC, an I/O 
card, a disk, ...

When in doubt, ask questions.  If you think you aren't subject to the survey, 
you are perfectly right to question it.  Talk to your payment processor and ask 
them what is going on.  Handling PCI headaches for you is a big part of what 
you pay them for.

On 2014 Sep 15, at 05:20 , Roy McMorran <[email protected]> wrote:

> Hello all,
> 
> I recall seeing some discussions of PCI issues on the list and I'm hoping 
> someone might have some clues for me.  I work at a small non-profit.  We use 
> a payment processor (Authorize.net) in conjunction with Wufoo forms to accept 
> payments online for various types of transactions.  No payment card data ever 
> touches our systems.
> 
> Now recently we received an online questionnaire from "ControlScan".  Our 
> bank tells us it is legitimate (I was suspicious, as every third page tries 
> to sell us something, but anyway...).  Within the first few questions we were 
> able to assert that we never touch payment card data.  Nevertheless, as we 
> got further into the (very long) survey we were asked lots of questions about 
> our network infrastructure, firewalls, IDS, wifi and antivirus policies, even 
> scanning our network... lots of things that seem more appropriate for (say) 
> Authorize.net than for our pokey little shop. It really left me wondering if 
> we had been sent the wrong survey. Anyway I guess I'm just looking for a 
> sanity check before we finish and submit this.  Any thoughts?
> 
> Thanks much!
> Roy
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
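One way to test the claim "no payment card data ever touches our systems" against real artefacts (application logs, exported form data, the output of strings on a disk or memory image) is a cardholder-data discovery scan. The following is an added example, not code from anyone on this thread: a small Python scanner that looks for the kinds of data listed in the reply above, namely full account numbers (filtered with the Luhn mod-10 check so that order numbers and timestamps are not counted), both magnetic-stripe tracks, and a labelled security code. Matches are reported masked to the first six and last four digits. The log lines are constructed, use the well-known 4111... and 5555... test PANs, and all function names are my own.

```python
"""Cardholder-data discovery scan over text artefacts (logs, exported form
data, the output of `strings` on a disk or memory image).

Added example for this thread, not code from anyone on the list. Uses only
the Python standard library; SAMPLE_LOG below is constructed and uses the
well-known Visa (4111...) and Mastercard (5555...) test PANs."""
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not butting up against other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic stripe track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d*\?")
# Magnetic stripe track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Card security code, only when labelled as such (3-4 bare digits mean nothing).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked value) findings for one line of text."""
    findings = []
    track_pans = set()
    for m in TRACK1_RE.finditer(line):
        track_pans.add(m.group(1))
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        track_pans.add(m.group(1))
        findings.append(("track2", mask_pan(m.group(1))))
    if CVV_RE.search(line):
        findings.append(("cvv", "***"))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn filters out order numbers, timestamps and other digit runs;
        # PANs already reported as part of track data are not repeated.
        if digits not in track_pans and luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_text(text: str) -> list:
    """Scan every line; return (line number, kind, masked value) triples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


def touches_card_data(text: str) -> bool:
    """True if any recognisable cardholder data appears in the text."""
    return bool(scan_text(text))


# Constructed sample: one benign 16-digit order id, one leaked form payload,
# one raw swipe with both tracks, one properly tokenised line.
SAMPLE_LOG = """\
2014-09-15 05:20:01 order=1234567890123456 amount=42.00 status=ok
2014-09-15 05:20:02 debug: form payload card=4111 1111 1111 1111 cvv2=123
2014-09-15 05:20:03 swipe raw=%B5555555555554444^DOE/JANE^25121010000000000000?;5555555555554444=25121010000000000000?
2014-09-15 05:20:04 token=tok_9f8e7d6c5b4a customer=42
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {value}")
    print("in scope:", touches_card_data(SAMPLE_LOG))
```

Two caveats for anyone using a scan like this to answer the questionnaire: a hash or ciphertext of an account number, which the list above rightly counts as card data, has no recognisable pattern, so a clean scan is evidence of being out of scope rather than proof; and the RAM case is only covered if you also run it over swap, core files or a memory image, not just over logs on disk.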
