05-29-2015 06:52 AM - edited 03-11-2019 11:01 PM
I must start out by saying that NO company should ever try to tackle PCI compliance by themselves without the proper staffing and knowledge.
I am faced with doing this and learning as I go, pretty frustrating.
I have a prod and test PCI zone, both protected by separate firewalls. First off, I have scanning machines at the edge of my network that scan in hand-written order forms with CC info on them. The PCI VLAN extends to these desktop scanners, which I feel is bad, but it is what it is. So these users will already be in the prod PCI zone when they log in. Now the app they run needs to be able to access the test PCI zone as well for testing new functions. So originally they wanted to create a VPN tunnel from the prod firewall to the test firewall so the users can just click either the prod app icon or the test app icon.
I personally feel this is bad since there will be an always-on connection from zone to zone, and if something gets into test it can spread to prod.
My thought was to have the users AnyConnect to the test PCI zone and then launch the test app, with split tunneling disabled.
Now is there a reason I cannot put both test and prod behind the same firewall and use ACLs to control access?
05-29-2015 09:39 AM
Hi Steven,
I think the key point here is that you clear up any confusion around the concept of your test PCI zone and the presence of card data. If your test environment uses real card data, then it and its users sit within your cardholder data environment, just the same as your production system. With this in mind, the users, equipment and infrastructure need to be protected to the same level, with event logging, access control and so on. Although you have split your testing and production systems, since they are both of equal CDE importance, you must be doing this for administrative or other security reasons, which I am sure are worthwhile. However, I would have thought you could happily use the same firewall, since you have all the logging and other PCI controls you need to keep card data safe. Disclaimer -> This train of thought has come from my own thought process and is based on the work I did for PCI at my own place of work; guess you could reach out to your QSA for their input.
Adam
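As an added illustration of the single-firewall layout discussed above (this is not configuration from either poster, and the interface names, addresses, ports and ACL names are all assumed), here is what the prod and test zones might look like as two interfaces on one Cisco ASA with explicit ACLs in both directions, plus an AnyConnect group policy for the test zone with split tunneling disabled:

```cisco
! --- Assumed layout: two PCI zones on one ASA, not the original poster's config ---
interface GigabitEthernet0/1
 nameif pci-prod
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif pci-test
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
! Prod -> test: allow only the scanning users' app traffic to the test app server
! (assumed 10.10.2.20, HTTPS). Everything else from prod is dropped and logged.
access-list PROD_IN extended permit tcp 10.10.1.0 255.255.255.0 host 10.10.2.20 eq 443
access-list PROD_IN extended deny ip any any log
access-group PROD_IN in interface pci-prod
!
! Test -> prod: nothing may be initiated from test toward prod. Return traffic for
! sessions the prod users opened is handled by the ASA's stateful inspection, so no
! permit line is needed here for the app to work.
access-list TEST_IN extended deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 log
access-list TEST_IN extended deny ip any any log
access-group TEST_IN in interface pci-test
!
! Alternative from the question: AnyConnect into the test zone with no split tunnel,
! and a vpn-filter so the VPN client can only reach the test app server.
access-list TEST_VPN_FILTER extended permit tcp any host 10.10.2.20 eq 443
access-list TEST_VPN_FILTER extended deny ip any any log
group-policy PCI-TEST-VPN internal
group-policy PCI-TEST-VPN attributes
 split-tunnel-policy tunnelall
 vpn-filter value TEST_VPN_FILTER
```

Two caveats a practitioner would check. First, the "deny ip any any log" lines make every drop visible in syslog, which is what the logging requirement Adam mentions is about; without them the ASA's implicit deny drops silently. Second, an ACL like this only stops test from initiating connections toward prod. The session the prod user opens to the test app is itself a channel back to the prod workstation, so the concern in the question about something in test reaching prod is narrowed by the ACL, not removed; hardening of the workstation and the app still matters.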