
How to define the environment?


nduda78
05-08-2007, 09:34 AM
If in a production environment (webservers, DBs, custom app servers) all share a similar subnet or can route to one another from inside, how would I define the environment for credit cards? PCI DSS states, for example in 5.1, that antivirus needs to be running on the systems, etc. What are the systems? Just the systems that credit card data would pass through? In our production environment, which consists of up to 100 servers, half of them perform other functions and would not see credit card data. Do they need AV even if they can be seen via the same subnet or other internal routing from systems that do pass credit card data? Same for IDS: can we IDS certain systems, or the whole environment?

I ask this not because we wouldn't plan on doing a full roll-out, but rather to meet deadlines and budget for the time being.

Any thoughts?

lyalc
05-08-2007, 01:35 PM
I see numerous compliance challenges.
From your post, your site doesn't appear to have firewall segregation between web/app and database servers; that's a PCI requirement.

No AV on 100+ servers is going to be an issue, regardless of PCI. If the server operating systems are commonly targeted by viruses and worms, then you have a PCI issue. Many viruses/malware drop backdoor and rootkit infections, so one infection can become a covert access point to the core of the production network.

Having all production servers on a common subnet essentially means that all are in scope for PCI.

Does this help?

Lyal

mdahn
05-18-2007, 08:11 AM
A few important things to always keep in mind are that:
(1) strong network segmentation can reduce the scope of PCI, and
(2) all of the PCI DSS controls apply only to the area/people/network/policies/processes that have been scoped out for PCI

This means it is important to define the scope early and correctly.
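The scoping rule both replies describe (a flat subnet puts every server in scope; firewall segmentation shrinks the set) is easy to get wrong by hand on 100 hosts, so here is a small scope calculator as an added example. It is not code from the thread or from any PCI tool; the host inventory, segment names and firewall rules are constructed for illustration. It treats a host as in scope if it handles card data or can open a connection (transitively) to a host that does, which is the reasoning lyalc and mdahn apply above.

```python
"""
Added example (not from the forum thread): a small PCI scope calculator.

Model: a host is in scope if it stores/processes/transmits card data, or
can open a connection to an in-scope host (transitively), since such a
host could be used to attack the cardholder data environment (CDE).

Constructed assumptions:
- inside one network segment every host can reach every other host;
- between segments traffic is allowed only by explicit firewall rules.
"""
from collections import deque

# Constructed inventory: host -> (segment, handles_card_data).
# Flat network: everything sits in one "prod" subnet, no internal firewall.
FLAT_NETWORK = {
    "web01": ("prod", True),
    "app01": ("prod", True),
    "db01": ("prod", True),
    "reports01": ("prod", False),
    "build01": ("prod", False),
}

# Same hosts, but the CDE is split into firewalled segments and the
# non-card servers live in a separate "corp" segment.
SEGMENTED_NETWORK = {
    "web01": ("cde-dmz", True),
    "app01": ("cde-app", True),
    "db01": ("cde-db", True),
    "reports01": ("corp", False),
    "build01": ("corp", False),
}

# Constructed firewall policy: (source_segment, dest_segment) pairs that
# are allowed; anything not listed is denied. Note "corp" has no path
# into any CDE segment.
SEGMENTED_RULES = {
    ("cde-dmz", "cde-app"),
    ("cde-app", "cde-db"),
}


def can_connect(src, dst, hosts, rules):
    """True if src may open a connection to dst under the segment rules."""
    src_seg, _ = hosts[src]
    dst_seg, _ = hosts[dst]
    if src_seg == dst_seg:
        return True  # no firewall inside a segment
    return (src_seg, dst_seg) in rules


def pci_scope(hosts, rules):
    """Return the set of hosts in PCI scope.

    Seed with hosts that handle card data, then walk backwards: any host
    that can connect to an in-scope host is itself in scope. Repeat
    until the set stops growing.
    """
    in_scope = {h for h, (_, handles_cd) in hosts.items() if handles_cd}
    queue = deque(in_scope)
    while queue:
        target = queue.popleft()
        for candidate in hosts:
            if candidate not in in_scope and can_connect(candidate, target, hosts, rules):
                in_scope.add(candidate)
                queue.append(candidate)
    return in_scope


def segmentation_report(hosts, rules):
    """Return (sorted in-scope hosts, sorted out-of-scope hosts)."""
    scope = pci_scope(hosts, rules)
    return sorted(scope), sorted(set(hosts) - scope)


if __name__ == "__main__":
    for name, hosts, rules in (("flat", FLAT_NETWORK, set()),
                               ("segmented", SEGMENTED_NETWORK, SEGMENTED_RULES)):
        scope, outside = segmentation_report(hosts, rules)
        print(f"{name}: in scope {scope}; out of scope {outside}")
```

Run as-is, the flat inventory puts all five servers in scope, while the segmented one leaves reports01 and build01 out. Adding a single allow rule from corp into a CDE segment pulls both corp hosts straight back into scope, which is why the firewall policy, not just the subnet layout, has to be part of the scoping exercise.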