I have a PCI DMZ that transmits all data to processors; it stores some data and then encrypts it with PGP and sends hourly batch reports. My question is, my end users receive telephone calls and then enter the data into a database application, which then saves the information and sends it encrypted as a batch file to the client. If my users only connect to the database application via SSL, do the PCs, switches, and routers that they traverse on the way to the secure database need to be part of the PCI environment as well?
If they do and I have other users that take phone orders but no CC information, should they be segmented off so they are not part of the PCI environment?
Hope this makes sense. Thanks in advance.