PCI Questions
asked by awakenings
I have a few PCI questions:
I am working on a point of sale environment, so I have some questions. I know you can download PCI DSS 2.0 for free, so I have looked at that.
1. Is logical separation between PCI compliant and non-PCI compliant systems sufficient? For example, if you have a 5609 with a firewall blade, is that sufficient? Is a firewall sufficient? If not, is a full physical separation enough?
2. If no PCI data comes from the Internet, does one need to set up a DMZ to ensure the data is properly protected? Basically the data flows from POS to processing systems. I don't know how the data is divided on those systems, but do you need a DMZ in that case?
3. If another company is programming your PCI applications, wouldn't the responsibility be pushed off to the company programming the apps for things like the OWASP Top 10?
SOLUTION
ASKER
Ah ok... On #2, it does go to a credit card company. I have to check about other companies. Is it ok if it goes through a core before it hits a DMZ?
#3 is clear.
Thank you very much! I'll give points just after this. I'll be back in a few hours though.
ASKER CERTIFIED SOLUTION
ASKER
Thanks. #1 is very clear.
#2 gets me thinking. I fear that a client has no separation between the servers that get the data and a database back end (from my initial understanding), but it sounds like a DMZ is still important. The way they have it (and I still scratch my head on this) is that they have lots of networks that connect at one side of the core, and then the "DMZ" (firewalled systems) is at the other side, through a core network.
#3. So when writing a response to PCI, they don't need to worry, as they are buying a package. If the company were programming the app themselves, then they would need to worry.
Am I getting all this right?