I am working for a financial services organization.
The approach that we have taken is to generally move from PANs to Tokens in most of our internal systems. For this purpose we have implemented a 3rd party Token Management solution and we are gradually replacing any use of PAN with Token.
However, we still have a limited number of systems where the use of Cardholder Data is inevitable, hence we are certifying those systems (only) as PCI “zones”.
My question relates to the scope of PCI-DSS certification for this limited number of “zones” containing cardholder data:
Shall we fully certify any of the peripheral systems that are somehow “serving” any of the specific systems in question?
For example –
one of our systems containing cardholder data that we are certifying for PCI is the Fraud Detection System, which is a PA-DSS certified 3rd party system. However, this system naturally receives services from systems such as Active Directory / LDAP, Storage (e.g. EMC, Hitachi), Network appliances, DNS, Anti-Virus, Firewalls, VMware etc. So, what does it mean as far as the scope of the required PCI certification for the Fraud Detection System? What can be the way to determine the scope for the certification which excludes those peripheral systems from the “zone” that needs certification?
We have chosen the Tokenization approach (and have made huge investments for moving from PANs to Tokens) so that only specific “zones” would remain under the need of PCI certification.
Any advice here?
Thanks & Regards,