Elemental
Newcomer II

PCI DSS - Query

Hi all

In a previous life I was a PCI DSS auditor. I want your opinion on the following:

My organisation processes all PAN / credit card numbers using a dedicated / external company / payment gateway.

We do not actually store credit cards on our network.

I have just inherited PCI DSS compliance… and people are pumping resources at it and running around like chooks with their heads cut off!

We even have a PCI QSA/assessor telling me we need to “scan” our entire network (thousands of systems) to prove we don’t have any credit card numbers… but my argument is that we are being audited and subjected to a standard… that isn’t applicable!!! Because we don’t process PANs on our network.

What are your thoughts?

Luke
5 Replies
denbesten
Community Champion

I would reach out to the external company requesting assistance answering the auditors. They should be able to help you identify what belongs on them, what belongs on you and how to best respond.  


bkwalker
Newcomer III

As I understand it, SSF is making it harder to keep systems out of scope. It sounds like you are undergoing SSF, not PA-DSS?

We've been PA-DSS certified since it started and never had to scan outside the limited scope of the software/hardware that handled CCs.
rbrenis
Viewer

You may not be processing any credit card data, but who has the encryption keys when sending to your processor?


The main question to ask is "Can my company see any credit card data (PAN, CVV)?" If you can prove you can't see any of this data, everything should be out of scope. If you can't prove this, then I understand why the assessor wants you to scan everything.

Steve-Wilme
Advocate II

If you're using a hosted payment page linked from your website, or are using end-to-end encryption from PEDs to your payment provider, then your scope of compliance work is much reduced but not entirely eliminated. Completing the SAQ questionnaire should indicate where you need to focus. In terms of cardholder data discovery, it's still worth doing, because there could still be legacy card data somewhere on your IT estate that has been retained in error.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
L3strl-ma
Viewer II

Even though you do not process credit card transactions, you could have PANs stored on your network in emails, reporting, and spreadsheets. Associates could download the data from the third party, copy the PAN from the screen, or receive it from the customer during a support call. I am sure that the assessor has run into this before and wanted to make sure it was not an issue on your network before certifying it. The project to correct this can be very time consuming.
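Two of the replies above (Steve-Wilme's point that cardholder data discovery is still worth doing, and L3strl-ma's list of places where PANs leak in: emails, reports, spreadsheets, support tickets) describe the kind of discovery scan the assessor is asking for. The script below is an added example of the core of such a scan; it is not code from this thread or from any PCI tool. It pulls 13 to 19 digit candidates out of text, drops the ones that fail the Luhn check digit, then drops the ones whose prefix and length do not match an issuer range (the range table here is a deliberately small illustrative subset, not a maintained BIN list), and records each hit with only the first six and last four digits so the finding list does not itself become a new store of PANs. The sample "files" are constructed for the demo and use the public Visa, Mastercard and Amex test numbers plus two decoy digit strings; `SAMPLE_FILES`, `scan_files` and the other names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    source: str      # file name or other location label
    line_no: int     # 1-based line within the source
    brand: str       # issuer family matched by the prefix/length check
    masked: str      # first six + last four only, never the full PAN


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Illustrative subset of issuer prefix/length ranges (assumption: enough
    for the demo; real discovery tooling uses a maintained BIN table). This
    drops Luhn-valid numbers that cannot be cards, such as asset tags."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if 16 <= n <= 19 and (digits.startswith(("6011", "65")) or 644 <= int(digits[:3]) <= 649):
        return "discover"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four so the report can be handled safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan one text blob line by line and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_valid(digits):
                continue                    # invoice numbers, asset tags...
            brand = brand_of(digits)
            if brand is None:
                continue                    # Luhn-valid but not a card prefix
            findings.append(Finding(source, line_no, brand, mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a name -> contents mapping; for a real file tree, read each file
    as text (errors="ignore") and pass its contents here."""
    results: List[Finding] = []
    for name, contents in files.items():
        results.extend(scan_text(name, contents))
    return results


# Constructed sample "estate": the card numbers are the public Visa,
# Mastercard and Amex test PANs, not real cards; the 1234... and 0000...
# strings are decoys that a naive digit-run grep would flag.
SAMPLE_FILES = {
    "support-ticket-1042.txt": "Customer read out card 4111 1111 1111 1111 over the phone, exp 09/27\n",
    "refunds-q3.csv": (
        "order_id,amount,card\n"
        "1234567890123456,19.99,378282246310005\n"
        "5555-5555-5555-4444,42.00,n/a\n"
    ),
    "server-inventory.txt": "asset 1234567890123456 rack 12\nserial 0000000000000000\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} {f.brand} {f.masked}")
```

On the constructed sample this reports the support ticket, and lines 2 and 3 of the refunds spreadsheet, and stays silent on the inventory file: the 1234... value fails Luhn and the 0000... value passes Luhn but matches no issuer range. Luhn plus a prefix table still leaves some false positives, so every hit is something to triage, and anything confirmed as a PAN puts that system back in scope until the data is removed.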