PCI DSS and Citrix
nambiarenator
03-16-2009, 07:25 AM
Hi,
I am presently looking at the feasibility of PCI DSS implementation in my organization. My team accesses the customer systems via Citrix (which is also within the purview of the client). The access is purely read-only access. No local storage of data is possible. We are concerned that the fact that my team can view the client's customers' cardholder information would oblige us to be PCI DSS compliant. Kindly share your thoughts/suggestions/advice on this.
Any help on this front is appreciated.
Thanks in advance!
jonassono
03-16-2009, 10:40 AM
Yes the Citrix environment is certainly in scope for PCI-DSS compliance.
Remember the high level test for PCI-DSS inclusion/exclusion uses three functions, namely: i.) storage; ii.) processing; and/or iii.) transmission of cardholder information.
While your Citrix implementation may preclude the storing of cardholder information, it does not eliminate the other two, i.e. processing and transmitting.
Every Citrix-enabled workstation with access to the cardholder environment transmits the cardholder data back and forth between the Citrix server and the workstation, and processes the data as it arrives by formatting the presentation layer, serving up sensitive cardholder information for anyone's viewing and use.
nambiarenator
03-16-2009, 09:15 PM
Hi,
Thanks for your response. Can you please elaborate more on this or provide me some reference/link regarding the same, as I am still not convinced as to why our organization should go for PCI DSS compliance. I would like to repeat that we can only view the cardholder information. We cannot transmit it to our machine / store it locally.
jonassono
03-17-2009, 05:58 AM
If your staff can view (and view is the operative verb) cardholder information on your Citrix-enabled workstations/notebooks, pray tell, how does it get there if it is not transmitted?
Secondly, if your staff can view sensitive cardholder information, so can anyone else with physical access to one of these workstations. Hence the potential for a security breach that must be analyzed by a QSA or equivalent to ensure that such risks are eliminated or at least controlled.
Moreover, as your QSA, I would be inquiring why your group needs access to the production cardholder environment (see below).
A simple way around the need for PCI-DSS compliance in your group is to not give them access to the cardholder environment - then you can go Citrix crazy.
It's not clear what your group is responsible for, but also remember Requirement 7.1, access to cardholder data must be limited to those individuals whose job requires such access.
nambiarenator
03-17-2009, 11:24 PM
Hi,
Thanks for the clarification. I was wondering if I can ask the client to mask the cardholder data adequately before providing access to my team :D. Hopefully, IF the client agrees, we may no longer need to bother about PCI DSS compliance... Cheers!
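One way the client side could implement the masking asked about above, and check that nothing unmasked actually reaches the displayed screen, as an added Python example (not code from this thread or from Citrix). It applies the PCI DSS Requirement 3.3 display rule (at most the first six and last four digits of a PAN shown) and uses a Luhn check to avoid flagging other long numbers; the screen text and card numbers below are constructed test values.

```python
import re

# Constructed sample of text as it might be rendered on a Citrix session screen.
# The card numbers are well-known test numbers, not real accounts.
SCREEN_SAMPLE = """Customer: J. Doe   Card: 4111 1111 1111 1111   Exp: 09/11
Customer: A. Roe   Card: 5500-0000-0000-0004   Exp: 12/10
Customer: B. Poe   Card: 411111******1111      Exp: 01/12
Order ref: 2009031600012345
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_unmasked_pans(text: str) -> list:
    """List every full PAN (Luhn-valid, 13-19 digits) visible in the text."""
    return [
        _digits_only(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits_only(m.group()))
    ]


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the maximum PCI DSS 3.3 allows on display."""
    digits = _digits_only(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_screen(text: str) -> str:
    """Rewrite screen text so that only masked PANs remain; leaves non-PANs alone."""
    def repl(m):
        d = _digits_only(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_CANDIDATE.sub(repl, text)
```

Running find_unmasked_pans over the masked output is the "adequately masked" check: if it returns anything, the client's masking is not sufficient for that screen. Note the order reference is 16 digits but fails Luhn, so it is neither flagged nor altered.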
nambiarenator
03-20-2009, 02:22 AM
Hi,
Can you please tell me if the PCI DSS controls related to Firewall (1.3, 1.4, 1.5), IDS & IPS would be applicable in our scenario?
Thanks in advance!
jonassono
03-20-2009, 04:28 PM
In order to answer this question, a detailed understanding of your network architecture and overall technical infrastructure would be required.
ADail
03-21-2009, 03:33 PM
I think the point with Citrix (the point the Infrastructure teams make anyway) is that it is not supposed to be transmitting cardholder data (or any data for that matter). It is transmitting screen shots of a terminal server, so a man-in-the-middle attack would not be able to extract any cardholder data from a captured packet. I'm no expert on Citrix, but it is reasonably secure, especially when using tunneling technologies.
That said, there is still risk around what the authorized user is doing with the screen shots, and it's not terribly difficult to save a bunch of captures and then run OCR on the images to port the data into a database. The risk with Citrix typically involves:
Insider abuse of privilege
Insecure Citrix server (backend) with poor patch management and/or change control getting compromised, and having access to all the goodies.