Workstation Scoping!
Hello,
Thanks in advance for your advice on the following:
Situation: Cardholder data resides in Citrix Server and not on client. Client connects to the server to execute application to process card transaction from various locations. Should the Client be in Scope for all application PCI DSS, i.e., Physical Security, Vulnerability Assessment, Patch Management, Antivirus Deployment, Personal Firewall?
For some reasons beyond my grasp, certain QSA had advised this organization to exclude the client machine from scope and only focus on the server. My understanding from basic information security control is that only the transmission is secured here through encryption tunnel between the server and client. If the workstations are compromised, the server could be potentially compromised.
I would highly appreciate your view from QSA perspective.
Regards,
TK
jonassono
03-11-2009, 03:04 PM
Like you TK, I strongly disagree with your QSA's advice.
Firstly, it's rare one keeps cardholder information on the client in any situation - Citrix, Schmitrix.
The client is definitely within scope since it may become compromised, the Citrix application fired up and, potentially, you now have the keys to the kingdom.
A lack of client physical security, the use of weak or no client passwords and a gaggle of other potential security gaps could provide easy access through the client to the card processing application and then on and into sensitive cardholder information.
jbhall56
03-11-2009, 08:11 PM
It really depends on how Citrix has been implemented. If you are using the traditional Citrix 'thick' client, then I would agree with jonassono and the client computer is in scope.
However, if you are using the Web-based version of the Citrix client AND you do not allow data sharing between the client and the Citrix environment, then nothing truly resides at the client end, no data, no caching, no nothing.
jonassono
03-12-2009, 10:51 AM
The fundamental PCI-DSS security issue in this scenario is the fact the client has direct access to the card processing application and underlying cardholder data.
Citrix, Ericom WebConnect, Terminal Services or any other server-based computing solution has no bearing whatsoever on the need to verify the client or workstation is properly locked down and secured both physically and logically from accidental and/or unauthorized access to the card processing application and the underlying cardholder data.
Visualize: a client is located in an area accessible to the public, left unattended and logged into the card processing application.
I fail to see how one could respond to PCI-DSS Requirements 7 and 8 without an audit of the client environment. If nothing else, the auditor would need to examine the physical access security of the client.
Ergo, the client, thin, thick or obese, cannot be out of scope for a PCI-DSS compliance review.
AllanPoll
03-12-2009, 01:50 PM
So you're now extending the scope of PCI to every workstation in the world that accesses a cardholder data processing system. Hmm, I guess Amazon, ebay, Play and all the other ecommerce sites need to assess my home environment in that case - or is there some end user PCI compliance requirement in the small print of any end user usage/licences etc (I doubt it).
Just 'cause an end user has access to a payment processing application doesn't necessarily bring them into scope. Technological security controls around the cardholder data environments and/or applications that subsequently interface to the cardholder data environment should be sufficient to protect the central cardholder data; client access devices then require a mixture of either mandated technological or operational security requirements to mitigate the risk of the client being compromised.
Pragmatism around the end user client base, usage and requirements is a must.
jonassono
03-12-2009, 02:37 PM
So you're now extending the scope of PCI to every workstation in the world that accesses a cardholder data processing system. Hmm, I guess Amazon, ebay, Play and all the other ecommerce sites need to assess my home environment in that case - or is there some end user PCI compliance requirement in the small print of any end user usage/licences etc (I doubt it).
Just 'cause an end user has access to a payment processing application doesn't necessarily bring them into scope. Technological security controls around the cardholder data environments and/or applications that subsequently interface to the cardholder data environment should be sufficient to protect the central cardholder data; client access devices then require a mixture of either mandated technological or operational security requirements to mitigate the risk of the client being compromised.
Pragmatism around the end user client base, usage and requirements is a must.
I don't quite follow your logic, but let me try.
Your home client security controls are your responsibility and not the merchant's. As an e-commerce customer, you would not have access to this merchant's internal payment application. You would be directed to the merchant's web application designed for e-commerce customers, with a very different set of functions and controls.
The clients that I am referring to: i.) are an integral part of the merchant's technical infrastructure, not out there somewhere on the other side of the cloud; and ii.) have direct and privileged access to the merchant's payment application and the database of underlying cardholder information.
May I respectfully ask anyone, as a QSA responsible for the preparation of a merchant's SAQ D, how would you verify, document and sign off compliance with PCI-DSS Requirements 7 & 8 if the clients are out of scope? More specifically, what is your response to Requirement 7.2.1, Coverage of all system components?
IMHO I suspect you will encounter some resistance when the acquirer learns that all of the clients (points of entry) are out of scope, i.e. N/A in the 'Special' column, and received no investigation or examination whatsoever.
jbhall56
03-14-2009, 08:06 AM
The Citrix environment that I'm speaking of is a virtualized workstation environment. It's the virtualized workstation that has to comply with PCI, not the system that accesses the virtualized workstation. The system that accesses the virtualized environment is out of scope as long as it has no way to get data from/to the virtualized workstation.
jonassono
03-16-2009, 11:16 AM
There was another question today on the Citrix subject which led me back here.
Regardless of Citrix, virtualized, sanitized or lobotomized, the workstations in question display sensitive cardholder information that can be viewed and used/exploited by anyone with physical access to the Citrix-enabled workstation environment.
While a Citrix-enabled workstation, in the present example, may not store cardholder information on a hard drive, cd/dvd or memory stick, it fails the other two criteria for PCI-DSS inclusion/exclusion, namely: i.) processing; and ii.) transmitting of cardholder information, both of which it does.
In the absence of strong logical and physical controls in the presently described Citrix-enabled workstation environment, anyone could, potentially, access sensitive cardholder information and use/exploit it in any way of their choosing.
Finally, the Citrix web site claims several products that will assist with PCI-DSS compliance through their implementation. There is no mention of PCI-DSS exclusion through a Citrix-enabled workstation environment.
majohnst
03-16-2009, 02:33 PM
So where does that leave us? Are workstations in or out? I'm seeing both sides of the case presented here, and our QSA gave a middle of the road response on the topic. That response was that for workstations in our home office (and therefore behind badge reader protected doors) that were used to access apps with PAN they would do a cursory review around anti-virus (that it was current on the workstations) and that the workstations were part of the domain (and thus accounts had all the 7 and 8 ID and password requirements enforced). That's it... no requirement by requirement walk through or expectations for logging, FIM, or any other requirements.
Is this enough? Or is this simply a sign that workstation scoping is not yet concretely defined?
jonassono
03-17-2009, 10:37 AM
I don't believe there is any stock or patent answer to the question, as what may apply in your unique environment may or may not apply in other cases.
I suggest you follow the advice of your QSA as he/she should have a much more in-depth understanding of your technical infrastructure, network design and application environment.
Moreover, if your QSA is performing the validation work "they (the QSA) would do a cursory review around anti-virus", they should be defining what is in/out of scope as they have to produce the final Report on Compliance for your acquirer.
Best of luck!!