I am with an organization that is starting on the PCI project. We have 3 geographically separated sites that are connected via point-to-point connections. Only the main site stores the card holder data. The other two sites have workstations that connect to the card holder data environment via an encrypted connection. No card holder data is stored at these two sites. We need all 3 sites to be PCI compliant.
Based on the information above, we have a few questions...
1. We understand that the 2 sites that do not store card holder data are in scope; however, do we just need to harden those environments or do we need to go through each PCI requirement and ensure it is met? We understand we have to do that for the main site. We have a firewall on each end of the connection. Each port that is required from the two sites to the main site is documented and justified.
We are using the PCI scoping toolkit to define the scope. Our understanding is that category 2 devices do not need the same level of security as category 1 devices. (category 2 devices - workstations at those 2 sites)
2. We understand that a risk assessment is a requirement for the PCI. Since we are just implementing it, when should we conduct a risk assessment? At the beginning when we define the scope or at some later time?
3. Should we go through the SAQ to see where we stand (gap analysis) before or after the risk assessment?
Thank you very much for your help!!!