Question of Scope
I have a couple of questions regarding the scope of PCI DSS v1.2 against our standard network topology. We have the payment system, back office and POS on a segregated network. Do we have to run compliance on the BO and POS since there is no card data on those two machines?
Also, we are a systems development company with ~2,500 systems installed in the field. We provide support and have two-way ftp communications with most of the systems. Who is responsible for PCI compliance of these systems, the company that maintains them, or the company that owns them?
Thanks!
jbhall56
01-16-2009, 08:02 AM
I have a couple of questions regarding the scope of PCI DSS v1.2 against our standard network topology. We have the payment system, back office and POS on a segregated network. Do we have to run compliance on the BO and POS since there is no card data on those two machines?
It depends on the level of segregation and any communications between these networks. I'm assuming that you've ruled your payment system in scope, so I won't discuss that system.
It's not unheard of for the POS network not to have access to cardholder data (CHD), but without more information, I cannot say that your POS would be out of scope. As long as the POS does not process, store or transmit CHD in any way, then it would be out of scope. This would hold true for your back office environment as long as it, too, does not process, store or transmit CHD.
Also, we are a systems development company with ~2,500 systems installed in the field. We provide support and have two-way ftp communications with most of the systems. Who is responsible for PCI compliance of these systems, the company that maintains them, or the company that owns them?
The owner of those systems is ultimately responsible for those systems' compliance with the PCI DSS.
HOWEVER ... Your organization has support and access to these systems, so you also share some PCI compliance responsibilities regarding these systems if your personnel access systems that process, store or transmit cardholder data (CHD).
If that is true, then you need to be using two-factor authentication to access these systems, and all communications need to be through encrypted channels such as SSL, IPSec, SSH, etc. Your relevant support processes also need to comply with the PCI DSS, such as change management, monitoring, or any other services you provide that are covered under the PCI DSS. And all of your employees who are involved in providing these services must be made aware of their responsibilities under the PCI DSS.
mdahn
01-17-2009, 08:10 PM
DanB, the scope of compliance includes those systems that "store, process, or transmit" payment card data and any "connected systems". The thought process is to include any system that could negatively influence the security of payment card data.
If you have removed these systems, their access, and users from the scope in such a way that they could not harm payment card data then they might be removed from the scope of compliance. I say "might" because scope is highly environment specific.
If you would like to know more about this and other nuances within payment card security and PCI you might want to register for the CPISM/A certification (http://www.paymentsecuritypros.com/training-dates/).
phil.i
01-20-2009, 01:50 AM
If you would like to know more about this and other nuances within payment card security and PCI you might want to register for the CPISM/A certification (http://www.paymentsecuritypros.com/training-dates/).
mdahn - are there any locations in the UK that deliver this training? Alternatively is there an online study route?
Thanks,
Phil
cmark
01-21-2009, 01:29 AM
We (Mike and I are business partners) are going online with CPISM eLearning in the next few weeks. It has been a very long development cycle but it is almost finished. We are also planning on a few European classes in 2009 and are working through the details. We will keep you posted.