Question
I have a networked product that we install on customer networks. The device does not pass any of the CC data, but only sits on the same network (think Nest or Dropcam). The customer networks sometimes include a POS device. We never receive, process, or even see any credit card information. However, since our customer is PCI compliant, they want us to be PCI compliant as well.
1) Does PCI compliance require that all of your vendors (i.e. me) also be PCI compliant?
2) All the info and questionnaires I've found are specifically aimed at organizations that actually store or process payment data. Is there a self assessment for situations where I don't transmit any credit card data, but just sit on the same network as POS?
3) If, as this question suggests, I am already PCI Compliant, can I get something that certifies that I don't process any credit card data and am PCI compliant? Note that I don't think I am PCI compliant just because I don't store PAN. The customer would be in trouble if I exposed a security hole into their network (which I don't, but have no piece of 'certification' saying so).
Explanation / Answer
As your system is within the same network as the client systems which may handle cardholder data, your system can be included within the scope of the customer's compliance. In this regard you can be considered a connected system. From the scoping page of the PCI DSS: "The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment."
It sounds like your system component is within or connected to the cardholder data environment (i.e. the environment within which the POS or other device handling cardholder data is situated).
It sounds like the client should either segment your device at a network level to remove it from the cardholder data environment or include your device within the scope of their compliance. To do this, you should provide the client with instructions on how to situate and maintain your device in a secure manner.
As you can log on remotely to your device, you could attack the customer's network internally. Is the Linux device hardened, is it kept up to date, is logging enabled, what user management is in place, is iptables configured? Does remote access require two-factor authentication? Each of these is a question which a QSA will pose with regard to the security of, and the potential threat/vulnerability posed by, the device.
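The QSA questions above can be turned into a repeatable self-audit that the vendor ships with its device hardening instructions. The script below is an added example, not part of the original answer; the `sshd_config` and `iptables-save` texts are constructed samples standing in for the files read on a real device, and the check names are hypothetical.

```shell
#!/bin/sh
# Hardening audit for a Linux appliance sitting on a customer's PCI network.
# The config texts are CONSTRUCTED samples; on a real device feed the checks
# /etc/ssh/sshd_config and the output of `iptables-save` instead.
GOOD_SSHD='PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive'
GOOD_IPT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT'
# Weak sample: the defaults a QSA would flag (root login, single factor,
# default-accept firewall, SSH reachable from the whole network).
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes'
WEAK_IPT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
# Each check reads one config on stdin; exit 0 = pass, 1 = fail.
ssh_root_login_disabled() {
  grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'
}
ssh_requires_2fa() {
  # Comma-joined methods must ALL succeed, so a comma means a second factor.
  grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]]+[^[:space:],]+,[^[:space:],]+'
}
fw_default_drop() { grep -Eq '^:INPUT DROP'; }
fw_ssh_restricted() {
  # Fail if any rule accepting port 22 carries no source (-s) restriction.
  ! grep -E -- '--dport 22 .*-j ACCEPT' | grep -vq -- ' -s '
}
# run CHECK TEXT: prints PASS/FAIL for one check, returns its status.
run() {
  if printf '%s\n' "$2" | "$1"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}
# audit_device SSHD_TEXT IPTABLES_TEXT: returns the number of failed checks.
audit_device() {
  fails=0
  for c in ssh_root_login_disabled ssh_requires_2fa; do run "$c" "$1" || fails=$((fails + 1)); done
  for c in fw_default_drop fw_ssh_restricted; do run "$c" "$2" || fails=$((fails + 1)); done
  return "$fails"
}

audit_device "$GOOD_SSHD" "$GOOD_IPT" && echo "hardened sample: no findings"
audit_device "$WEAK_SSHD" "$WEAK_IPT" || echo "weak sample: $? finding(s)"
```

The same checks can be extended with the other items the answer lists (patch status, logging, local accounts) by adding one function per question and wiring it into `audit_device`.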