Computers in-scope for PCI DSS

Jim Balo asked:

I am trying to determine which servers, workstations, etc. are in scope for PCI compliance. PCI DSS SAQ-D states that any devices that “store, process or transmit cardholder data” are in scope.

So how about computers used by an accounting department to log in to the bank’s website, where full card numbers can be viewed? The computers do not themselves store, process or transmit cardholder data.

Are these accounting computers in-scope?

My answer:

I presume you mean that the accountants are seeing cardholder data for people other than themselves. The computers do store and transmit, or cause to be transmitted, cardholder data in this scenario. (Which is the same reason I have a second isolated network at home; one of my personal computers is considered in scope for PCI DSS due to some work I do.)

The PCI DSS makes it clear that its requirements apply to computers used by anyone who has access to cardholder data, including laptops or mobile devices that are allowed to connect to the cardholder data environment. It also specifies that the PAN should be displayed in full only to people who have a legitimate business need to see it, which may or may not include your accountants.

Consider, for instance, an attacker who trawls through the accountants’ browser caches, or an employee who accesses the data in order to spirit it out of the network and sell it to someone in eastern Europe (a harder problem to defend against). Either possibility brings those computers into scope.

