Whether you are just starting on the path to PCI compliance, or you are a PCI veteran, the same old question always comes up.
“Does this device need to be part of our PCI monitoring?”
The answer to this question is not always as simple as “yes” or “no”, and often falls in the “it depends” category. As a general rule, all servers and devices that are part of the processing, transmission, or storage of card data are subject to PCI compliance.
Also be aware that using a third-party payment processor does not automatically exclude you from PCI requirements. Although you may not be doing anything with the card data, if you transmit it then PCI requirements still apply. To facilitate your PCI compliance, start by understanding where your payment card data flows for the entire transaction process. All devices involved in the processing, transmission, and storage are subject to PCI compliance.
Think like a hacker … “How could I get data from this app/server/device?”
If you can think of a potential way of getting card data, then it is most likely subject to PCI compliance. If you are still unsure about a server or device because of a special circumstance, or a non-standard payment flow, consult with your PCI auditor. Your PCI auditor will have the final say. It is also easier to get your PCI auditor involved early so that it is done right the first time.
AccelOps’ out-of-the-box PCI business service and PCI compliance suite gives you full stack visibility into the applications, servers, network, and devices that are subject to PCI security, performance, availability, and change compliance.
Want to learn how AccelOps takes the pain out of your PCI compliance? If so, contact us. We’re here to help.