
Scope of Compliance


lamron
03-13-2009, 05:02 AM
We have two methods of taking payments.

One is a direct card present system transmitting the payment details across the network to a central server. We intend to cut down the scope for compliance by segmenting this server and all the workstations that connect to it to transmit data. This would give us a manageable environment for PCI compliance of a few dozen machines at various sites.

The question I have relates to the second system and whether these machines would be in scope. Basically it is a web based system on the Internet that our call centres etc. connect to using https and directly input card details given to them over the telephone.

The hosted payment system is PCI compliant at the server end; however, as our users are inputting the card details on our machines and the details are traversing our network before the Internet, does this bring all of those (hundreds of) machines into scope for PCI compliance?

These machines are necessarily connected to the rest of our internal network and therefore if they were in scope the whole network would be.

Thanks in advance for any guidance.

tk1
03-13-2009, 10:22 AM
The workstations should be in scope. The question is to what extent? If there is no storing or caching at all at the workstation side, there are areas such as policy, awareness, physical security (since the users are collecting card-holder information from the client and possibly can write it on paper, etc.), voice recording (common amongst the call centers), etc. that need to be controlled.

Any QSA feedback?

jonassono
03-13-2009, 10:52 AM
Plainly, the first method for accepting payments is fully in scope for PCI-DSS compliance.

In the case of the second method, my hunch is the remote stations that are entering CH information over the Internet would be in scope as well.

This is based on the argument that (i) the remote stations belong to the merchant, and (ii) they could be physically accessed and compromised in the right (negligent) circumstances; therefore they are in scope. As well, if any cardholder data is logged or otherwise stored on the remote call center stations, we have yet another potential security issue that needs investigation.

All public facing web-based applications that are accessed over the Internet have their own unique set of security requirements which are clearly spelled out in various sections of the PCI security standard. However, it's unclear what, if any, special functionality may have been built into the application for the call center's use.

I think more information is needed concerning the details of the web application being used by the call center plus a clear understanding of what is transpiring on the call center stations in order to make a proper scope determination.

lyalc
03-13-2009, 02:31 PM
Basically it is a web based system on the Internet that our call centres etc connect to using https and directly input card details given to them over the telephone.

Who owns these workstations? If the call centre is outsourced, they are in scope for compliance, but you need to get the call centre (service provider) to do any remediation via service agreement (12.8.x) and all related services/functions.

lyalc

wconway
03-13-2009, 07:06 PM
Basically it is a web based system on the Internet that our call centres etc connect to using https and directly input card details given to them over the telephone.

Further to lyalc's point, I'd be curious to know what other apps might be on the call center workstations, e.g., web browsers (not locked down), open USB ports, etc.

Also check out both voice logs and recordings made for QA purposes. They can contain not only PANs but also stuff like CVV2/CVC2 data if not truncated properly.
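Both jonassono's point about cardholder data being logged on the call-centre stations and wconway's point about QA voice logs carrying untruncated PANs come down to the same practical check: can you find card numbers in text you did not expect to hold them? The following is an added example, not code from any poster or from the thread, of a small scanner a defender could run over workstation logs or call transcripts. It pairs a digit-run regex with a Luhn check to cut false positives, and masks hits to first six/last four, the truncated form PCI DSS permits for display. The log lines are constructed for the example, and the card numbers in them are published test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample log, shaped like what a call-centre workstation or a
# QA-transcription job might write. The 16-digit values are well-known test
# PANs; the 13-digit "ticket" is a decoy that is not Luhn-valid.
SAMPLE_LOG = """\
2009-03-13 09:12:01 agent=17 note="customer read card 4111 1111 1111 1111 exp 12/11 cvv 123"
2009-03-13 09:14:44 agent=17 order=A1029 total=59.90
2009-03-13 09:20:07 agent=22 note="callback ref 5500000000000004, ticket 1234567890123"
"""

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit string (so timestamps and dates are skipped).
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate(match_text: str) -> str:
    """Strip separators; return the digits if they look like a PAN, else ''."""
    digits = SEPARATORS.sub("", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return ""


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN candidate found in text, digits only."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = _candidate(m.group(0))
        if digits:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four, the PCI DSS display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log(text: str) -> Tuple[str, int]:
    """Replace each PAN in text with its masked form; return (text, hits)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _candidate(m.group(0))
        if not digits:
            return m.group(0)     # not a PAN: leave the digits untouched
        count += 1
        return mask_pan(digits)

    return DIGIT_RUN.sub(repl, text), count


def report(text: str) -> List[Tuple[int, List[str]]]:
    """Per-line findings: (1-based line number, masked PANs on that line)."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        if pans:
            out.append((n, [mask_pan(p) for p in pans]))
    return out


if __name__ == "__main__":
    for line_no, pans in report(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(pans)}")
    scrubbed, hits = scrub_log(SAMPLE_LOG)
    print(f"masked {hits} PAN(s)")
    print(scrubbed)
```

Note that a hit here is a scoping signal, not proof of a breach: a single PAN in a workstation log or a transcript means that store is holding cardholder data and belongs inside the segmented environment (or the logging has to be fixed so it stops). The Luhn check drops most order and ticket numbers, but it will not reject every false positive, so review hits rather than acting on counts alone.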