CHAPTER 2: WHAT IS THE SCOPE OF THE PCI DSS?

The PCI DSS is applicable if you store, process or transmit cardholder data, or if you are responsible for third parties that store, process or transmit cardholder data. It also applies if you are involved with, or can affect the security of, the storage, processing or transmission of cardholder data. The cardholder data environment (CDE) is any network that holds cardholder data or sensitive authentication data. The standard does not apply to your organisation if primary account numbers (PANs) – the up-to-19-digit credit card numbers – are not stored, processed or transmitted. The PCI DSS applies to any type of media on which card data may be held – this includes not only hard disk drives, floppy disks, magnetic tape and back-up media, but also printed or handwritten credit and debit card receipts on which the full card number appears. These receipts are sometimes held by merchants as a paper record of the transaction and may be used for voucher recovery purposes or as evidence of the transaction if the acquirer issues a request for information (RFI). If the card number is recorded in full, the record is subject to the same security requirements as an electronic copy, and the receipts must therefore be stored securely.

Retailers must also secure all other areas where card details may be stored, processed or transmitted. EPOS systems are worthy of particular note. While newer EPOS systems store card details securely, many older EPOS systems do not. If the equipment does not store it securely, or there is uncertainty about whether it is secure, then retailers should take firmer measures to protect the equipment, or upgrade to equipment that meets PCI DSS standards.

The PCI DSS applies to all processes, people and technology, and to all system components, including network components, servers and applications, that are included in or connected to the CDE, and to any that can affect the security of the cardholder data. It also applies to telephone recording technology used by call centres that accept payment card transactions. Shopping carts and payment processing facilities are examples of applications to which the PCI DSS applies (see also Chapter 12 on the Payment Application Data Security Standard (PA-DSS)).

While not a specific requirement, the PCI DSS strongly recommends that any merchant or service provider reduces the scope of its CDE. This reduces the cost and complexity of both the initial assessment and the maintenance of PCI controls. Reducing the scope is typically achieved by isolating (network segmenting) the CDE. Given the complexity of modern IT networks and applications, we advise that you seek the advice of a qualified PCI DSS consultant prior to completing this activity.
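As an added example (not from the book), the following Python snippet shows one practical way to decide whether a stored record such as a scanned receipt or a log line contains a full PAN and so falls within scope, and how to mask it so that only the first six and last four digits remain. The receipt text and the card number in it are constructed test values, not real data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens
# (receipts and logs often print the number in groups of four).
PAN_RE = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')

# Constructed sample record: one real-looking (Luhn-valid test) card number
# and one order reference that merely looks like a card number.
SAMPLE_RECEIPT = (
    "Merchant copy: Card 4111 1111 1111 1111 Auth 012345 Amount 19.99\n"
    "Order 1234 5678 9012 3456 Terminal 07"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that PANs must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    return re.sub(r'[ -]', '', match_text)


def find_pans(text: str) -> list[str]:
    """Return every full PAN (digits only) found in the text; digit runs that
    fail the Luhn check, such as order numbers, are ignored."""
    return [_digits(m.group()) for m in PAN_RE.finditer(text)
            if luhn_valid(_digits(m.group()))]


def in_scope(text: str) -> bool:
    """A record holding at least one full PAN is cardholder data and in scope."""
    return bool(find_pans(text))


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every full PAN in the text with its masked form; other numbers are untouched."""
    def repl(m: re.Match) -> str:
        d = _digits(m.group())
        return mask_pan(d) if luhn_valid(d) else m.group()
    return PAN_RE.sub(repl, text)
```

A record that comes back from `redact` with no full PAN no longer carries cardholder data, which is the point of truncation as a scope-reduction measure.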
