30 Days of Compliance Q&As #18: Does This Device Have To Be Monitored for PCI?

Whether you are just starting on the path to PCI compliance, or you are a PCI veteran, the same old question always comes up.

“Does this device need to be part of our PCI monitoring?”

The answer to this question is not always as simple as “yes” or “no”, and often falls in the “it depends” category. As a general rule, all servers and devices that are part of the processing, transmission, or storage of card data are subject to PCI compliance.

  1. Let’s start with processing. This includes every application that processes, stores, or transmits card data, including, but not limited to, POS systems, e-commerce shopping carts, and any other software designed to touch card data.
  2. Transmission of card data comes next. This covers every device that carries the card data from the front-end processing system to storage, or onward to your payment processor. Every hop on that path (applications, servers, switches, routers, firewalls…) is part of the transmission and is therefore in scope.
  3. Storage is the third category, but it is not necessarily the last step in the flow. Stored card data that is later read back (for settlement, refunds, or reporting) is being processed again, and the systems that read it are in scope as well.

Also be aware that using a third-party payment processor does not automatically exclude you from PCI requirements. Even if you never store the card data yourself, if it passes through your systems on the way to the processor, the PCI requirements still apply to those systems. To facilitate your PCI compliance, start by mapping where your payment card data flows for the entire transaction process, from the point of capture to storage or hand-off. Every device involved in that processing, transmission, and storage is subject to PCI compliance.

Think like a hacker … “How could I get data from this app/server/device?”

If you can think of a plausible way to get card data from it, it is most likely subject to PCI compliance. If you are still unsure about a server or device because of a special circumstance or a non-standard payment flow, consult your PCI auditor, who has the final say on scope. It is also easier to get your auditor involved early so that the scoping is done right the first time rather than reworked during the assessment.
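As an added example (not AccelOps code and not part of the original post), the script below applies the two rules above to a constructed device inventory: every device on a card-data path is in scope, and every device that can open a connection into one of those, directly or through another device, is flagged for the “how could I get to the data” review. All device names, flows, and access rules are hypothetical; in practice the flow list would come from your data-flow diagrams and the access list from firewall policy or flow logs.

```python
"""Scope a PCI environment from a card-data flow map.

Added example, not AccelOps code. Device names, flows, and access rules
below are constructed for illustration.

Pass 1: every device on a path that card data takes (processing,
        transmission, storage) is in scope.
Pass 2: "think like a hacker": any device with a network path *into* an
        in-scope device is flagged for review, even though no card data
        traverses it.
"""
from collections import deque

# Constructed card-data flows: (source, destination). Every hop the data
# passes through is a node, so switches and firewalls appear explicitly.
CARD_DATA_FLOWS = [
    ("pos-terminal", "store-switch"),
    ("store-switch", "store-firewall"),
    ("store-firewall", "payment-gateway"),   # hand-off to third-party processor
    ("ecommerce-web", "dmz-firewall"),
    ("dmz-firewall", "payment-gateway"),
    ("ecommerce-web", "pan-vault"),          # stored for recurring billing
    ("pan-vault", "billing-batch"),          # stored data read back again
    ("billing-batch", "dmz-firewall"),
]

# Constructed network access: (source, destination) means source can open
# connections to destination. This is the attacker's view of the network.
NETWORK_ACCESS = [
    ("admin-workstation", "store-firewall"),  # management access
    ("admin-workstation", "pan-vault"),
    ("jump-host", "admin-workstation"),
    ("marketing-web", "marketing-db"),        # unrelated application
    ("ecommerce-web", "marketing-db"),        # outbound only, not a way in
]

# The processor's own systems are outside your network; your devices on the
# path to it stay in scope regardless.
EXTERNAL = {"payment-gateway"}

INVENTORY = [
    "pos-terminal", "store-switch", "store-firewall", "ecommerce-web",
    "dmz-firewall", "pan-vault", "billing-batch", "payment-gateway",
    "admin-workstation", "jump-host", "marketing-web", "marketing-db",
]


def in_scope_devices(flows, external=()):
    """Every device that processes, transmits, or stores card data."""
    return {node for edge in flows for node in edge} - set(external)


def connected_to(scope, access):
    """Devices with a connection path into an in-scope device (transitively)."""
    reverse = {}
    for src, dst in access:
        reverse.setdefault(dst, []).append(src)
    flagged = set()
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, ()):
            if src not in scope and src not in flagged:
                flagged.add(src)
                queue.append(src)
    return flagged


def path_into_scope(device, scope, access):
    """Shortest chain of connections from device to an in-scope device, as
    evidence for the scoping discussion with your auditor. None if no path."""
    forward = {}
    for src, dst in access:
        forward.setdefault(src, []).append(dst)
    prev = {device: None}
    queue = deque([device])
    while queue:
        node = queue.popleft()
        if node in scope:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in forward.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def classify(flows, access, inventory, external=()):
    """Map each inventoried device to a scoping decision."""
    scope = in_scope_devices(flows, external)
    review = connected_to(scope, access)
    verdict = {}
    for dev in inventory:
        if dev in external:
            verdict[dev] = "third-party"
        elif dev in scope:
            verdict[dev] = "in scope"
        elif dev in review:
            verdict[dev] = "review: can reach in-scope device"
        else:
            verdict[dev] = "out of scope: no path to card data"
    return verdict


if __name__ == "__main__":
    scope = in_scope_devices(CARD_DATA_FLOWS, EXTERNAL)
    for dev, decision in classify(CARD_DATA_FLOWS, NETWORK_ACCESS, INVENTORY, EXTERNAL).items():
        line = f"{dev:20} {decision}"
        if decision.startswith("review"):
            line += "  via " + " -> ".join(path_into_scope(dev, scope, NETWORK_ACCESS))
        print(line)
```

The review bucket is deliberately separate from the in-scope bucket: a device that merely has management access to the firewall is exactly the “it depends” case the post describes, and the printed path is what you bring to the auditor to settle it. Note the direction of the access edges matters: `ecommerce-web` connecting out to `marketing-db` does not pull the marketing database in, because that connection is not a way into the card-data path.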

AccelOps’ out-of-the-box PCI business service and PCI compliance suite give you full-stack visibility into the applications, servers, network, and devices that are subject to PCI security, performance, availability, and change compliance.

Want to learn how AccelOps takes the pain out of your PCI compliance? If so, contact us. We’re here to help.

Authors

Marta Stone


Tags

cloud security big data RSA analytics compliance Q&A PCI DSS HIPAA Sarbanes Oxley (SOX) Target breach

About AccelOps

AccelOps provides the leading IT operations analytics platform for the modern data center. The virtual appliance software monitors security, performance and compliance in cloud and virtualized infrastructures – all from a single screen.


AccelOps automatically discovers, analyzes and automates IT issues in machine and big data across organizations’ data centers and cloud resources, spanning servers, storage, networks, security, applications and users. AccelOps’ patented analytics engine with cross-correlation and statistical anomaly detection sends real-time alerts when deviations occur that indicate a security or performance-impacting event.


The AccelOps platform scales seamlessly and provides unmatched delivery of proactive security and operational intelligence, allowing organizations to be more responsive and competitive as they expand their IT capabilities. 
