Question about network segmentation


Jeff K
03-11-2008, 04:57 AM
I have a POS system with the following characteristics.


Data is stored on PC labeled CHD
POS Terminals transmit data to CHD Server (not *stored* locally)
POS Server doesn't contain CHD (auto truncated from POS Terminal)
POS Terminals transmit data to Server on one port (sales data)
One LAN segment contains POS Terminals & CHD PC
One LAN segment contains POS Server & Other PC's requiring Internet Access


The LAN Segments are bridged, with only one port transmitting data between LAN segments. Both LAN segments have WAN access (NAT'ed, of course).

Does this take the segment that does *not* contain CHD out of scope? This would be the POS Server (no CHD) and other PC's (inventory, pricing, etc.).

This would leave the POS Terminals and the PC doing the processing and storing of CHD in scope, correct?

EPCHK
03-11-2008, 06:00 AM
What side of the link is the CHD truncated (at the POS Server or the POS Terminal)? If the server does the truncation, then it is in-scope as it is receiving cardholder data (even briefly).

Is there a firewall between the 2 LAN segments? If not, they are probably not segregated enough to take one of them out of scope.

When you say both LAN segments have WAN access, do you mean access to another location in your infrastructure or do you mean Internet access? If it's Internet access you could have issues there. If it is to other internal LANs then those LANs may come into scope too.

Jeff K
03-11-2008, 06:13 AM
> What side of the link is the CHD truncated (at the POS Server or the POS Terminal)? If the server does the truncation, then it is in-scope as it is receiving cardholder data (even briefly).
>
> Is there a firewall between the 2 LAN segments? If not, they are probably not segregated enough to take one of them out of scope.
>
> When you say both LAN segments have WAN access, do you mean access to another location in your infrastructure or do you mean Internet access? If it's Internet access you could have issues there. If it is to other internal LANs then those LANs may come into scope too.

1. Truncation is done at the POS terminal (actually via payments DLL, POS app actually doesn't see full PAN either). Server *never* sees full PAN or any CHD.

2. Firewall located between two segments. Firewall has 3 ports. WAN, LAN, OPT1. WAN is internet, LAN is regular network and OPT1 is CHD environment. Only traffic passed between LAN and OPT1 is one single port.

3. Both have Internet access. Currently, in my network, but in Production it is Internet. CHD server (OPT1) needs Internet for authorization. LAN needs internet access for ordering.
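
An added example (not part of the thread, and not Jeff K's actual firewall configuration) of what the three-interface policy described above looks like as an nftables ruleset on a Linux firewall, so the "one single port between LAN and OPT1" claim is something you can read and test rather than take on faith. Interface names (wan0, lan0, opt1), subnets, the POS server and CHD server addresses, the payment processor address and the sales-data port are all assumptions for illustration. The direction of the single allowed port is also an assumption taken from the earlier description that the terminals transmit to the POS server, so the rule is OPT1 to LAN and nothing may be initiated from LAN into OPT1.

```shell
#!/bin/sh
# Added example: nftables equivalent of the WAN / LAN / OPT1 firewall in the thread.
# Every address, interface name and port below is an assumption for illustration.
#
#   wan0 = WAN  (Internet)
#   lan0 = LAN  (POS server, ordering / inventory PCs; no CHD)
#   opt1 = OPT1 (POS terminals and the CHD server)
#
# Policy implemented (derived from the thread, directions assumed):
#   OPT1 -> LAN : terminals to the POS server, one TCP port, nothing else
#   LAN  -> OPT1: no connections initiated from LAN at all
#   OPT1 -> WAN : CHD server to the payment processor on TCP/443 only
#   LAN  -> WAN : general outbound (ordering), masqueraded
#   anything else: logged and dropped

LAN_NET="192.168.10.0/24"       # assumed
OPT1_NET="192.168.20.0/24"      # assumed
POS_SERVER="192.168.10.5"       # assumed, lives on LAN
CHD_SERVER="192.168.20.5"       # assumed, lives on OPT1
PROCESSOR="203.0.113.10"        # assumed processor IP (documentation range)
POS_PORT=7001                   # assumed sales-data port

# Print the ruleset. Kept as a function so it can be inspected or diffed
# before it is ever loaded into the kernel.
pos_segmentation_ruleset() {
cat <<EOF
flush ruleset
table inet pos {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # OPT1 -> LAN: sales data only, terminals to the POS server on one port
    iifname "opt1" oifname "lan0" ip saddr $OPT1_NET ip daddr $POS_SERVER tcp dport $POS_PORT accept
    # OPT1 -> WAN: only the CHD server, only to the processor, only HTTPS
    iifname "opt1" oifname "wan0" ip saddr $CHD_SERVER ip daddr $PROCESSOR tcp dport 443 accept
    # LAN -> WAN: ordering, updates, web
    iifname "lan0" oifname "wan0" ip saddr $LAN_NET accept
    # There is deliberately no LAN -> OPT1 rule; the chain policy drops it.
    log prefix "pos-seg-drop: " counter drop
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "wan0" masquerade
  }
}
EOF
}

# Syntax-check the ruleset with nft without committing it. Returns 0 when
# nft is not installed so the script still runs on a workstation.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check" >&2
        return 0
    fi
    pos_segmentation_ruleset | nft -c -f -
}

# Load the ruleset. Only meaningful as root on the firewall itself.
apply_ruleset() {
    pos_segmentation_ruleset | nft -f -
}

case "${1:-show}" in
    show)  pos_segmentation_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

To "beat on it" from the LAN side, a full-port scan of the CHD server from a LAN host (for example `nmap -Pn -p- 192.168.20.5`) should report every port as filtered, and the firewall's log should fill with `pos-seg-drop:` entries for each probe; a scan from a terminal toward the POS server should show only the sales-data port open. Note that the policy above still leaves the CHD segment with an Internet path, which is exactly the point EPCHK raised: that path is restricted to one host, one destination and one port, but it is not absent.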

mdahn
03-11-2008, 09:32 PM
I say this a lot, but the test of any segmentation (be it network, operational, physical, etc.) is whether it can prevent systems on one side of the segment from negatively impacting the security of cardholder data on the other side.

Examine the attack vectors and make a determination.

Jeff K
03-12-2008, 05:11 AM
Everything seems locked up tight. I will continue to beat on it. Thanks for all input!