Mass network segmentation


npuetz
06-13-2007, 03:39 PM
I thought I saw a post that touched on this subject at one point in time, but I cannot seem to find it now, so pardon any repeated questions.

I have a merchant that has over 3000 retail stores running their POS software. We are currently talking with them about how they could segment their network to reduce the overall scope of their PCI review. Network traffic can freely flow from the internal corporate network to all the retail stores and vice versa. Is it possible to segment all the backend systems away from the corporate network and still reduce the overall scope of the review without segmenting all the retail stores? The primary reason they do not want to segment the stores is because of the overall investment to do so.

I thought I saw a post at one point in time that said segmentation could be used on the backend systems to successfully reduce scope, without having to segment all the retail stores also. Thanks!

RARBE
06-22-2007, 12:11 PM
Hi npuetz,

One of my customers is in a similar situation; however, when pressed, I discovered they have stores of various sizes, some so small that they use the POS back office servers for email, internet and general workstation duties. I gather, talking to other QSAs, that this is quite common.

These guys need to segment at the store. Anybody at the store could email out the database from the POS server, etc.

As an ex-pentester, I would have also tried to connect to the store LAN to see if I could add my rogue POS till, or a plain old laptop with hacking tools. Another reason to segment and tie down the VLAN at the MAC address level to only the designated devices.
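The scoping question in the first post can be checked with a small reachability model. This is an added example, not code from either poster or from any PCI tool; the three segment names, the "holds cardholder data" flags and the flow lists are constructed assumptions standing in for the merchant's real firewall policy. The rule it encodes is that a segment is in scope if it handles cardholder data or has any permitted connectivity with a segment that does.

```python
"""Constructed PCI scoping model: which network segments stay in scope
under different segmentation designs? (added example, not the thread's code)"""
from collections import defaultdict

# Constructed segments: name -> does it store, process or transmit cardholder data?
SEGMENTS = {"corporate": False, "stores": True, "backend": True}


def in_scope_segments(segments, allowed_flows):
    """Return the set of segments an assessor would treat as in scope.

    Start from every segment that holds cardholder data, then keep adding
    any segment that has a permitted flow with an in-scope segment.  Flows
    are treated as undirected: a one-way firewall rule is still connectivity.
    """
    adjacent = defaultdict(set)
    for src, dst in allowed_flows:
        adjacent[src].add(dst)
        adjacent[dst].add(src)
    scope = {name for name, holds_chd in segments.items() if holds_chd}
    changed = True
    while changed:  # transitive closure over "connected to"
        changed = False
        for name in segments:
            if name not in scope and adjacent[name] & scope:
                scope.add(name)
                changed = True
    return scope


# Today: traffic flows freely between corporate, stores and backend.
FLAT = [("corporate", "stores"), ("corporate", "backend"), ("stores", "backend")]

# Proposal in the first post: firewall only the backend off from corporate,
# leave corporate <-> stores open.
BACKEND_ONLY = [("corporate", "stores"), ("stores", "backend")]

# Segment at the store as well: only store -> backend POS traffic remains.
STORE_AND_BACKEND = [("stores", "backend")]

if __name__ == "__main__":
    for label, flows in [("flat", FLAT), ("backend only", BACKEND_ONLY),
                         ("store + backend", STORE_AND_BACKEND)]:
        print(f"{label:16} in scope: {sorted(in_scope_segments(SEGMENTS, flows))}")
```

With the corporate network still able to reach stores that hold cardholder data, segmenting only the backend leaves all three segments in scope; the corporate network drops out only once the stores are segmented too.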