Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Elemental
Newcomer II
‎10-20-2021 09:13 AM
‎10-20-2021 09:13 AM

PCI DSS - Query

Hi all

In a previous life I was a PCI DSS auditor. I want your opinion on the following:

My organisation processes all pan / credit card numbers using a dedicated / external company / payment gateway.

We do not actually store credit cards on our network.

I have just inherited PCI DSS compliance… and people are pumping resources at it and running around like chooks with their heads cut off!

We even have a PCI QSA/ assessor telling me we need to “scan” our entire network (thousands of systems), to prove we don’t have any credit card numbers… but my argument is that are been audited and subjected to a standard… that isn’t applicable! !!! Because we don’t process PANS on our network.

What are your thoughts

Luke
Reply
0 Kudos
5 Replies
denbesten
Community Champion
‎10-20-2021 10:39 AM
‎10-20-2021 10:39 AM

I would reach out to the external company requesting assistance answering the auditors. They should be able to help you identify what belongs on them, what belongs on you and how to best respond.  

 

Reply
0 Kudos
bkwalker
Newcomer III
‎10-21-2021 11:23 AM
‎10-21-2021 11:23 AM

As I understand it SSF is making it harder to keep systems out of scope, it sounds like you are undergoing SSF not PA-DSS?

We've been PA-DSS certified since it started, never had to scan outside the limited scope of the software/hardware that handled CC's.
Reply
0 Kudos
rbrenis
Viewer
‎10-21-2021 12:31 PM
‎10-21-2021 12:31 PM

You may not be processing any credit card data, but who has the encryption keys when sending to your processor.  

 

Main question to ask is "can my company see any credit card data (pan, cvv)?  If you can prove you can't see any of this data, everything should be out of scope.  If you can't prove this then I understand why the assessor wants you to scan everything.

Reply
0 Kudos
Steve-Wilme
Advocate II
‎10-22-2021 06:34 AM
‎10-22-2021 06:34 AM

If you're using a hosted payment page linked from your website or are using end to end encryption from PEDs to your payment provider then your scope of compliance work is much reduced but not entirely eliminated.  Completing the SAQ questionnaire should indicate where you need to focus.  In term of card holder data discovery it's still worth doing, because there could still be legacy card data somewhere on your IT estate that has been retained in error.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Reply
0 Kudos
L3strl-ma
Viewer II
‎10-26-2021 12:33 PM
‎10-26-2021 12:33 PM

Even though you do not process credit card transactions, you could have pans stored on your network in emails, reporting, and spreadsheets. Associates could download the data from the third party, copy the pan from the screen, or receive it from the customer during a support call. I am sure that the assessor had run into this before and wanted to make sure it was not an issue on your network before certifying it. The project to correct this can be very time consuming.
Reply
0 Kudos