30 Days of Compliance Q&As #18: Does This Device Have To Be Monitored for PCI?

Whether you are just starting on the path to PCI compliance, or you are a PCI veteran, the same old question always comes up.

“Does this device need to be part of our PCI monitoring?’

The answer to this question is not always as simple as “yes” or “no”, and often falls in the “it depends” category. As a general rule, all servers and devices that are part of the processing, transmission, or storage of card data are subject to PCI compliance.

1. Let¹s start with processing. This includes all applications that process, store, or transmit card data including, but not limited to, POS systems, e-commerce shopping carts, and any other software that has been designed to touch card data.
2. Transmission of card data occurs next. This includes all devices involved in getting the card data from the front end processing to storage.Either way, all servers and devices (applications, servers, switches, routers, firewalls…) are part of the transmission.
3. Storage is the final requirement, but may not be the last step in card data processing.

Also be aware that by using a third-party payment party, you are not automatically excluded from PCI requirements. Although you may not be doing anything with the card data, if you transmit it then PCI requirement still apply. To facilitate your PCI compliance, start by understanding where your payment card data flows for the entire transaction process. All devices involved in the processing, transmission, and storage are subject to PCI compliance.

Think like a hacker … “How could I get data from this app/server/device?”

If you can think of a potential way of getting card data, then it is most likely subject to PCI compliance. If you are still unsure about a server or device because of a special circumstance, or a non-standard payment flow, consult with your PCI auditor. Your PCI auditor will have the final say. It is also easier to get your PCI auditor involved early so that it is done right the first time.

AccelOps’ out-of-the-box PCI business service and PCI compliance suite gives you full stack visibility into the applications, servers, network, and devices that are subject to PCI security, performance, availability, and change compliance.

Want to learn how AccelOps take the pain out of your PCI compliance? If so, contact us. We’re here to help.