topic Re: PCI DSS - Query in Governance, Risk, Compliance

PCI DSS - Query

Elemental — Wed, 20 Oct 2021 13:13:03 GMT

Hi all

In a previous life I was a PCI DSS auditor. I want your opinion on the following:

My organisation processes all pan / credit card numbers using a dedicated / external company / payment gateway.

We do not actually store credit cards on our network.

I have just inherited PCI DSS compliance… and people are pumping resources at it and running around like chooks with their heads cut off!

We even have a PCI QSA/ assessor telling me we need to “scan” our entire network (thousands of systems), to prove we don’t have any credit card numbers… but my argument is that are been audited and subjected to a standard… that isn’t applicable! !!! Because we don’t process PANS on our network.

What are your thoughts

Luke

Re: PCI DSS - Query

denbesten — Wed, 20 Oct 2021 14:39:25 GMT

I would reach out to the external company requesting assistance answering the auditors. They should be able to help you identify what belongs on them, what belongs on you and how to best respond.

Re: PCI DSS - Query

bkwalker — Thu, 21 Oct 2021 15:23:48 GMT

As I understand it SSF is making it harder to keep systems out of scope, it sounds like you are undergoing SSF not PA-DSS?

We've been PA-DSS certified since it started, never had to scan outside the limited scope of the software/hardware that handled CC's.

Re: PCI DSS - Query

rbrenis — Thu, 21 Oct 2021 16:31:08 GMT

You may not be processing any credit card data, but who has the encryption keys when sending to your processor.

Main question to ask is "can my company see any credit card data (pan, cvv)? If you can prove you can't see any of this data, everything should be out of scope. If you can't prove this then I understand why the assessor wants you to scan everything.

Re: PCI DSS - Query

Steve-Wilme — Fri, 22 Oct 2021 10:34:36 GMT

If you're using a hosted payment page linked from your website or are using end to end encryption from PEDs to your payment provider then your scope of compliance work is much reduced but not entirely eliminated. Completing the SAQ questionnaire should indicate where you need to focus. In term of card holder data discovery it's still worth doing, because there could still be legacy card data somewhere on your IT estate that has been retained in error.

Re: PCI DSS - Query

L3strl-ma — Tue, 26 Oct 2021 16:33:18 GMT

Even though you do not process credit card transactions, you could have pans stored on your network in emails, reporting, and spreadsheets. Associates could download the data from the third party, copy the pan from the screen, or receive it from the customer during a support call. I am sure that the assessor had run into this before and wanted to make sure it was not an issue on your network before certifying it. The project to correct this can be very time consuming.