
We currently process, but do not store, credit card data. We authorize the cards via a self-developed application using the authorize.net API.

If possible, we would like to limit all requirements of PCI that affect our servers (such as installing anti-virus) to an isolated, separate environment. Is that possible to do while still maintaining compliance?

If so, what would constitute sufficient isolation? If not, is there somewhere where that scope is clearly defined?

Jeff Ferland
Kyle Brandt
  • What PCI compliance level are you trying to achieve? If you stick with level 4 you just need a self assessment questionnaire and to be scanned against known vulnerabilities. Simple. – Ryan Aug 23 '11 at 00:46
  • @ryan The SAQ isn't a magic bullet. It's the same requirements as having an auditor come in. You just don't have to have an external party come in and verify your work. – Zypher Aug 23 '11 at 03:31
  • My point was the PCI level determines restrictions. Level 4 does not require separated services because you are not storing card holder data. – Ryan Aug 23 '11 at 20:01
  • @zypher see http://www.pcicomplianceguide.org/pcifaqs.php#6 "merchants with payment application systems connected to the internet, **no cardholder data storage**" -- which means [PCI self assessment questionnaire C](https://www.pcisecuritystandards.org/documents/pci_saq_c_v2.pdf) is the correct one in that case. – Jeff Atwood Aug 26 '11 at 12:12

2 Answers


The last time I read the PCI standards, they had the isolation requirements pretty well stated (the technical term in PCI language is to reduce the scope of the PCI compliant environment). So long as those flagrantly un-compliant servers have zero access to the compliant zone, it should fly. That would be a network segment that is fully firewalled from your normal network, and the rules on that firewall are themselves PCI-compliant.

We did much the same thing ourselves at my old job.

The key thing to keep in mind is that from the perspective of the PCI-compliant zone everything not in the zone is to be treated like the public Internet, no matter if it is also the same network that also warehouses your corporate IP. So long as you do that, you should be good.

jamiescott
sysadmin1138
  • I assume that access goes both ways? So for instance in the case of Windows, we would need a different domain and user accounts etc? Since neither env could use the other for auth? – Kyle Brandt Aug 22 '11 at 21:55
  • @KyleBrandt We never had any Windows subject to PCI-DSS, but due to how AD works: yeah, separate environments there as well. You might want to drop some of the clarifying questions over at security.se just in case. – sysadmin1138 Aug 22 '11 at 21:59

This is actually quite common. We routinely refer to/designate computers as "in-scope for PCI".

Also, "clearly" is sometimes not part of the PCI lexicon. The language can be vague. We have found that sometimes the simplest approach can be to ask the auditor if a proposed solution would work. Consider the following from the PCI-DSS V2:

"Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network."

Does that mean that a normal network switch meets the requirements? It would be easy for them to say so, but there you go. It is "other technologies that restrict access to a particular segment of a network." Another of my favorites about scope:

" ...Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. "

I'm not sure about the AD part, but we do have HIDS and antivirus on all of our DCs, so I suspect that it may be.

Greg Askew
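Both answers describe the same control: the in-scope segment sits behind a firewall (or ACL, in the PCI-DSS wording quoted above) whose rules treat the corporate LAN exactly like the public Internet. The following is an added example, not code from the thread or from either answerer, that models such a ruleset and checks it against the flows a practitioner would want to verify before telling an auditor the scope has been reduced: customer traffic to the payment web tier allowed, office traffic to anything else in the segment denied, CDE hosts unable to reach corporate file shares or domain controllers (the separate-AD point raised in the comments), and CDE egress limited to the gateway API port. The zone names, addresses and ports are assumptions chosen for the example; the authorize.net endpoint addresses are not pinned here and would need to be in a real ruleset.

```python
"""Model of a PCI scope-reducing firewall policy (constructed example).

Zones, addresses and rules are assumptions for illustration, not a vendor ruleset.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing: two in-scope segments and two out-of-scope zones.
ZONES = {
    "cde": ip_network("10.10.0.0/24"),    # in scope: payment application servers
    "mgmt": ip_network("10.10.1.0/24"),   # in scope: bastion hosts that administer the CDE
    "corp": ip_network("10.0.0.0/16"),    # out of scope: office/corporate LAN
    "internet": ip_network("0.0.0.0/0"),  # out of scope: everything else
}
IN_SCOPE = frozenset({"cde", "mgmt"})
OUTSIDE = frozenset({"corp", "internet"})   # corp deliberately gets no rules of its own


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (0.0.0.0/0 catches the rest)."""
    addr = ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name].prefixlen)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: Optional[FrozenSet[str]]    # source zones; None matches any zone
    dst: Optional[FrozenSet[str]]    # destination zones; None matches any zone
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # destination port; None matches any port

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return ((self.src is None or src_zone in self.src)
                and (self.dst is None or dst_zone in self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# First match wins. Only the in-scope zones are named in allow rules; the
# corporate LAN is never singled out, so it is treated exactly like the Internet.
RULES = [
    # Customers (and office users, indistinguishably) reach the payment web tier only.
    Rule("allow", OUTSIDE, frozenset({"cde"}), "tcp", 443),
    # CDE hosts call the payment gateway API over HTTPS. A real ruleset would pin
    # this to the processor's published addresses instead of the whole Internet.
    Rule("allow", frozenset({"cde"}), frozenset({"internet"}), "tcp", 443),
    # Administration comes only from the in-scope bastion segment.
    Rule("allow", frozenset({"mgmt"}), frozenset({"cde"}), "tcp", 22),
    # Everything else that touches an in-scope zone is dropped, in both directions
    # (no AD, SMB, monitoring or backup traffic crosses the boundary unlisted).
    Rule("deny", None, IN_SCOPE, "any", None),
    Rule("deny", IN_SCOPE, None, "any", None),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide one flow against RULES. Flows that never touch an in-scope zone
    fall through: they are governed elsewhere and are not this policy's concern."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "allow"


# Constructed segmentation test plan: (src, dst, proto, dport, expected decision).
Case = Tuple[str, str, str, int, str]
CASES: List[Case] = [
    ("203.0.113.9", "10.10.0.10", "tcp", 443, "allow"),    # customer -> payment web tier
    ("10.0.5.7", "10.10.0.10", "tcp", 443, "allow"),       # office user gets the same treatment
    ("10.0.5.7", "10.10.0.10", "tcp", 3389, "deny"),       # office RDP into the CDE
    ("203.0.113.9", "10.10.0.10", "tcp", 22, "deny"),      # Internet SSH into the CDE
    ("10.10.1.5", "10.10.0.10", "tcp", 22, "allow"),       # bastion SSH into the CDE
    ("10.10.0.10", "10.0.0.5", "tcp", 445, "deny"),        # CDE -> corporate file share
    ("10.10.0.10", "10.0.0.5", "tcp", 389, "deny"),        # CDE -> corporate domain controller
    ("10.10.0.10", "198.51.100.10", "tcp", 443, "allow"),  # CDE -> gateway API
    ("10.10.0.10", "198.51.100.10", "tcp", 25, "deny"),    # CDE egress on anything else
    ("10.0.5.7", "10.0.6.8", "tcp", 445, "allow"),         # corp -> corp: out of scope
]


def check_segmentation(cases: List[Case]) -> List[Tuple[Case, str]]:
    """Return the cases whose decision differs from what the policy promises."""
    failures = []
    for case in cases:
        src, dst, proto, dport, expected = case
        got = evaluate(src, dst, proto, dport)
        if got != expected:
            failures.append((case, got))
    return failures


if __name__ == "__main__":
    bad = check_segmentation(CASES)
    print("segmentation policy OK" if not bad else f"policy violations: {bad}")
```

The flow table is the useful artifact: it is the written statement of what the boundary permits, and after every firewall change it should be re-run as real probes from a host on the corporate LAN and from the Internet, not just against this model, since the model only proves the intended policy, not the deployed one.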