Find Resources and Connect with members on topics that interest you.

Applications

Audit

Business Processes

Career Management

Cloud Computing/Virtualization

COBIT

Controls and Monitoring

Country

Databases

Exam Communities

Fraud and Computer Crime

Governance and Management

Industry

Information Security

IT Service Management

Mobile/Wireless

Operating Systems

Privacy/Data Protection

Regulations

Risk

Standards

Access Control

Application Controls

Application Security

Audit Guidelines

Audit Standards

Audit Tools and Techniques

Basel

Big Data

Business Analytics/Intelligence

Business Continuity-Disaster Recovery Planning

Business Process Management

Career Management

Casinos and Gambling

CGEIT Exam Study Community 2013

Change Management

CISA Exam Study Community 2013

CISM Exam Study Community 2013

Cloud Computing

COBIT (4.1 and earlier) - Use it Effectively

COBIT (4.1 and earlier) Implementation

COBIT 5 - Implementation

COBIT 5 - Use It Effectively

Compliance

Computer Crime

Continuous Monitoring/Auditing

Controls Monitoring

CRISC Exam Study Community 2013

CyberSecurity

Enterprise Architecture

Enterprise Data Management

Financial Reporting Compliance

Forensics

Frameworks

Fraud

Governance of Enterprise IT

Green IT

Healthcare

HIPAA

HP Non-Stop (Tandem)

Identity Management

IFRS

Incident Management

India

Information Security Management

Information Security Policies/Procedures

Intrusion Prevention/Detection

ISAE 3402

ISO/IEC 20000

ISO/IEC 27000 Series

ISO/IEC 38500

ITIL

J-SOX

Mobile Computing

Network Security

Oracle

Oracle Database

Oracle E-Business Suite

OS/400

PCI DSS

PeopleSoft

Performance Measurement

Physical Security

Privacy/Data Protection

Project/Program/Portfolio Management (P3M)

Quality Standards

Risk Assessment

Risk Management

SAP

Sarbanes-Oxley (SOX)

Security Tools

Security Trends

Service Management

SharePoint

Solvency II

SQL Server

Strategic Planning/Alignment

Students

Unix-like

Value Delivery

Virtualization

Windows

Wireless

XBRL

Young Professionals

z/OS-OS/390

AI - Acquire and Implement

PO - Plan and Organize

DS - Deliver and Support

ME - Monitor and Evaluate

Application Controls

Process Controls

Please sign in to see your topics.

Subscribe to this discussion

Defining the Cardholder Data Environment

"Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment"

I have a key problem in my knowledge base. My background in IT is based on software development, not on networking/hardware. In trying to catagorize environments I am having a bit of trouble.

Our primary system is SalesForce. We do not store any cardholder data (based on the formal definition provided by the PCI) in SalesForce. Also, we use a PayPal provided plug-in on our web sites to manage payment processing. We only store confirmation numbers returned by PayPal. 

However, where I get confused is on the "process, or transmit" part. Again, we do not process payments, but we do "transmit" encrypted data to PayPal. PayPal manages all of the processing. But, where do we draw the line on the "transmit" part? If we use a third party application that sends the data direclty to PayPal from our web sites, are our web sites still considered part of the "card holder environment"?

 
Posted by rlmoore on October 6, 2011 11:14AM
You must sign in to rate content.
(Unrated)

Comments

There are no comments yet for this post.

Leave a Comment

* required

You must login to leave a comment.

« Return to All Discussions « Return to Topic