Quarterly network scans


dstoettner
07-05-2007, 06:09 AM
Hi,

I do have a question regarding the mandatory network scans four times a year. If my cardholder data environment consists only of a few terminals and a server (within the same VLAN) and I do not have any web-facing applications, what do I need to get scanned by a QSA? (the cardholder data environment is not accessible via internet).

Hope anybody can give me some hints (tried to call the PCI SSC, but without any success)

regards,
Dominik

jbhall56
07-06-2007, 04:43 AM
Regardless of whether you have Internet facing PCI applications or not, you still must get an external scan of your Internet connection (router, firewall, etc.) performed by an Approved Scanning Vendor (ASV) on a quarterly basis. Just because you do not have a PCI application does not mean that an attacker would not or could not compromise your network from the outside.

On the inside, you, your QSA, your ASV or other qualified person/company can conduct the quarterly scans of the internal computing assets that comprise your PCI environment as long as your PCI assets are truly segregated from the rest of your network. If the PCI assets are not properly segregated, then the network that contains the PCI assets should be scanned in its entirety.

AllanPoll
07-18-2007, 07:31 AM
How can you possibly mandate quarterly external scans against a self regulated compliance initiative that specifically targets cardholder data environments if those environments do not extend into a public facing network (i.e. the Internet)?

Surely PCI DSS only extends to the identified cardholder data environments and their boundary security control points. Anything beyond that is out of scope.

dstoettner
07-18-2007, 08:50 AM
First of all, thanks for your replies!

But, where does that leave us? I'm having a bit of a hard time seeing the point in scanning an internet connection that is separated from the card holder environment.

regards,
Dominik

wconway
07-18-2007, 09:07 AM
Let me quote from the Standard: "These security requirements apply to all 'system components.' System components are defined as any network component, server, or application that is included in OR CONNECTED TO [emphasis provided] the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data."

As I read the original question, since you have an outward facing system and it seems to be "connected" to your card processing system, it sounds like you need to have it scanned.

AllanPoll
07-19-2007, 01:09 AM
If you have a system within a public facing DMZ that stores, processes or transmits cardholder data then all systems within that DMZ become part of the cardholder data environment and all publicly accessible IP addresses require quarterly external scans, even if the system itself is not directly publicly accessible.

If you have a DMZ that has no cardholder data processing, storing or transmitting systems within it then it's out of scope for PCI DSS and does not require quarterly external scans of any publicly accessible IP addresses of systems within it.

jbhall56
07-19-2007, 04:57 AM
Just because a PCI system is not in a DMZ or is Internet facing does not necessarily imply that it does not have access to the Internet. Even if it's not Internet facing, it likely has Internet access and therefore you need to make sure that whatever measures are in place to protect it are functioning appropriately.

Regardless of what the exact wording of the PCI DSS is, best practices say that you need to test such Internet connectivity periodically to make sure that whatever protective measures you have for your internal network are properly functioning. Remember, firewalls, routers, proxies, switches and the like also get patched these days and you cannot be absolutely sure that those patches have not created a security issue without periodically scanning those assets.

So, performing quarterly scanning of an organization's external firewall and other assets is just the right thing to do to ensure that those assets and the assets they protect are still appropriately protected.

Remember, TJX got into their situation because of an improperly configured wireless access point. If they had just done a wireless assessment on their stores as suggested by best practices and the PCI DSS, they would have discovered this fact and maybe avoided their situation.

Based on the previously suggested approach, if a security patch or other change opens a security hole in the organization's Internet security measures, you will never recognize it until the next scan which could be six months, a year or even more down the road based on my experience with the merchants that I've dealt with prior to the PCI DSS. In today's 'zero-day' world, even three months is an eternity which is why most of my clients are scanning every month even when they do not have any e-Commerce presence.

Therefore, regardless of deliberately Internet facing PCI applications, if PCI systems have access to the Internet, external testing needs to be performed quarterly to ensure that even those internal systems are not inadvertently Internet facing due to an error or hole in security.

AllanPoll
07-19-2007, 05:08 AM
You're moving into the realms of security best practice and away from PCI DSS requirements.

cmark
07-19-2007, 08:29 AM
The scanning requirements were updated last year when I was at MasterCard. The scans apply to Internet facing IPs only. That being said, if the Cardholder Data Environment is properly segmented and is not visible from the Internet, then scans are not required. For those asking why I am so sure about this... I helped re-write that part of the scanning document.

The key is segmentation of the CHD environment. No Internet facing IPs, no scans are required.

jbhall56
07-20-2007, 04:48 AM
Thanks for the clarification.

Risky practice, but I'll go with that interpretation for the future.