On Tue, Jan 24, 2012 at 10:37 AM, Robin Wood <[email protected]> wrote:
> On 24 January 2012 14:18, David Freedman <[email protected]> wrote:
>
>> I love Robin's point about being concerned with the assessor's abilities
>> to explain why something is in scope and what is considered out of scope.
>> We have recently gone through our yearly PCI compliance 2.0 and there was
>> a big debate over what was in scope due to the differences between last 4
>> of a PAN and full track data.
>>
>
> One place I've found that isn't always automatically considered in scope
> is log servers. People turn on full logging and the CC data gets sent off
> to a separate machine, then they forget to turn it off or to clear it down
> later. Also backup locations: the SQL server either generates a SQL dump or
> a binary backup of all the data and that is passed to a separate machine;
> that machine isn't in the normal flow of data, so people forget about it.
>
> Robin
>

Agreed. We already agreed that the log server and anywhere that data gets
backed up to is considered in scope. Our issue was with a database that only
stores truncated PAN (last 4) and no other CC data. If this is considered in
scope, then anywhere that has stored, or has the ability to view, truncated
PAN is in scope (so the whole network). Our last assessor did not think it
was in scope. We have included this DB as an in-scope system as per auditor
request.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
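Robin's point about full PANs leaking into log servers, and David's distinction between a store that holds only the last 4 digits and one that holds full card numbers, can both be checked mechanically. The following is an added example written for this thread, not code from either poster or from the list: it scans log lines for candidate card numbers, keeps only those that pass the Luhn check (which rules out most timestamps, order ids and session tokens), and reports the hits with everything but the last 4 masked. The log lines are constructed for the example; the card numbers in them are the well-known public test numbers, not real accounts.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# dashes, and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Constructed sample log lines. Lines 1 and 2 carry full PANs (public test
# numbers), line 3 carries only a truncated PAN (last 4), line 4 carries a
# 16-digit session id that fails the Luhn check.
SAMPLE_LOG = [
    "2012-01-24 10:37:01 checkout pan=4111111111111111 amount=19.99",
    "2012-01-24 10:37:05 checkout pan=5555 5555 5555 4444 amount=5.00",
    "2012-01-24 10:37:09 refund card_last4=1111 order=7781",
    "2012-01-24 10:37:12 session=1234567890123456 user=alice",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the Luhn-valid candidate PANs in a line, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep only the last 4 digits, the same truncation the thread discusses."""
    return '*' * (len(digits) - 4) + digits[-4:]


def scan_log(lines):
    """Return (line_number, masked_pan) for every full PAN found in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print("line %d holds a full PAN: %s" % (line_no, masked))
```

Run against a real log server or a restored backup, a non-empty result means that host holds cardholder data and belongs in scope regardless of whether it sits in the normal transaction flow; an empty result on a store that only keeps the last 4 is the evidence an assessor would want when arguing the truncated-PAN database is a different case.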
