
I need help with SAQ C, question "Are quarterly internal vulnerability scans performed?"

What is the target (scope) for those internal scans?

Our configuration:

  • Router with modem (WAN1/LAN1), DMZ; some office computers are connected there
  • Wireless router / access point, which is in fact a bridge to LAN1; some office computers are connected via this router
  • Dedicated router, installed only to meet PCI requirements (LAN2, connected to WLAN1/LAN1)
  • Dedicated store www server on a completely isolated network, in a fully isolated VLAN (connected to the dedicated router's LAN2)

Basically only port 443 is open, and it is forwarded to the server. The network is fully isolated. We can manage our dedicated router only via serial cable or via a prepared eth2 interface reserved for management (no device is connected there).

I can't even retrieve the customer IP on the www store server (where cardholder data is processed).

My question is: which network should I scan? Do I need to scan everything? Do I need to scan the office network as well? (Which in my opinion would be ridiculous.)

My concern is that we have office computers which obviously won't pass internal scans on LAN1. For example, I have a WAMP installation on my computer, but I don't really care about the fact that my WAMP installation has some vulnerabilities.

Our cardholder environment (which is our server) is behind three firewalls... (LAN1, LAN2, iptables)

The only way I can log in to the server's console is direct, physical login (which is a little pain, btw). All ports except TCP 443 (HTTPS) are closed. SSH is disabled.

Knowing all root passwords, there is no way to connect to the card environment server (our store).

Edit: I just performed an internal scan (using ASV tools) and it found vulnerability issues in our printer!!! This is ridiculous.

user21886

Comment: Re: printer - this is [deadly serious](http://security.stackexchange.com/questions/23691/attacking-an-office-printer) – Deer Hunter Mar 29 '13 at 15:41

2 Answers

This is an issue I've been dealing with as well. The best answer I can suggest is to get the PCI scoping toolkit from http://itrevolution.com/pci-scoping-toolkit/. Anything level 1 or 2 is in scope for the scan.

Tim Brigham

The first thing to do is double-check that you should be using SAQ C; that is vital, as you can waste a lot of time.

Next you need to do what is called scoping; there is some detail in the 'PCI-DSS-C Quick Reference Guide'. Basically you need to define your Cardholder Data Environment (CDE). Keep in mind this is not about storage of the cardholder data, as SAQ C states:

"Merchants with payment application systems connected to the Internet, **no electronic cardholder data storage**"

So if your office machines can access cardholder data (as listed in the same reference guide, section 3.6, this includes the Primary Account Number (PAN), expiration date, etc.), then they are part of your CDE and should be scanned.