I read another question which made me think...
If you encrypt PCI data (credit card numbers, etc.) using PGP or AES and send it through a firewall, is that firewall in scope?
Alternatively, what if you only use a data-in-motion security mechanism like SSH or TLS; would that same firewall be in or out of scope?
Perhaps I can add more context.
Sure, our "PCI Area" firewall is in scope, but what if a firewall separates two different Intranets, and the encrypted PCI data (using either method) passes through it to get to another server. For instance, it passes through our "PCI Area" firewall and our "Intranet 2" firewall to get into Intranet 2.
PCI says that anything that "stores, forwards, or processes" credit card data should be in scope. Does Intranet 2 firewall do those? It definitely routes/forwards the data stream, processes the packets, and stores some information in its logs, but I'm not sure if any of those are actually PCI scoped because the information is encrypted. It's not actually handling any raw PCI data, it's handling encrypted information.
You could make the argument that the encryption is reversible, and therefore the data could still be PCI, but I'm not clear on where that sits from a QSA's perspective.
I am inclined to treat all networks as PCI, and to layer on additional security mechanisms as I see fit; however, I'm trying to figure out where priorities should lie for companies that need to be PCI compliant.