Tenable does a lot of ASV PCI scanning these days. One thing that surprised me when we started doing this a few years ago was that anything on your perimeter is considered in scope. You could have your ecom server sitting next to a support portal one IP address off which has no physical, virtual, shared backend connectivity and it will still be in scope.
I agree with the other comments about limiting scope internally. If you haven't done it yet, you might want to do a Nessus scan looking for credit card data on the inside of your network just to see where anything may be at. Ron From: Kevin <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>>, PaulDotCom List <[email protected]<mailto:[email protected]>> Date: Thursday, February 14, 2013 11:50 AM To: PaulDotCom List <[email protected]<mailto:[email protected]>> Subject: [Pauldotcom] Limiting Scope of PCI review Hi all - I know this isn't a PCI focused list, but I'm hoping it's PCI tolerant and someone can point me in the right direction. We are preparing to *begin* taking credit card payments from our customers, and since we've never dealt with them before, I'm kinda new to the whole PCI-DSS thing. After reading through all the 'stuff' on the pci site, it seems to me like it would make sense to limit the number of desktops, servers, routers, etc that are "in scope". The PCI QSA vendors don't seem to want to help me limit the scope - it's almost as if they make more $$ from having my entire network in scope... From reading the different SAQ's, it seems like we're already doing all the stuff they are asking for, I just want to limit our risk. Currently my (4) cashier workstations are spread across my 2 client networks, and have full access to typical client facing network resources (exchange, sharepoint, various other non-customer service related web apps, etc) The CC payment processor we are going to use has recommended installing a USB swipe reader hooked to some sort of virtual terminal (active x based) on each of the 4 PC's, and frankly that gives me the heebe-geebes. Our finance director is pushing to go live sooner than later. What types of techniques can be used to limit the scope? Am I overly worried about this? If I go live now and reduce scope later, would my entire network be in scope for this first year? Thanks in advance for any pointers you can offer. Kevin
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
