Defining the Cardholder Data Environment
"Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment"
I have a key problem in my knowledge base. My background in IT is based on software development, not on networking/hardware. In trying to categorize environments I am having a bit of trouble.
Our primary system is SalesForce. We do not store any cardholder data (based on the formal definition provided by the PCI) in SalesForce. Also, we use a PayPal provided plug-in on our web sites to manage payment processing. We only store confirmation numbers returned by PayPal.
However, where I get confused is on the "process, or transmit" part. Again, we do not process payments, but we do "transmit" encrypted data to PayPal. PayPal manages all of the processing. But, where do we draw the line on the "transmit" part? If we use a third-party application that sends the data directly to PayPal from our web sites, are our web sites still considered part of the "card holder environment"?