Determining the scope of your cardholder data environment, and the Payment Card Industry Data Security Standards (PCI DSS) controls required of your organization can be difficult. The Payment Card Industry Security Standards Council (PCI SSC) describes scoping as “the identification of people, processes, and technologies that interact with or could otherwise impact the security of CHD [cardholder data].” This includes any and all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
The type of Point of Sale (POS) terminal that you utilize in your organization can have an impact on what falls in scope. Here is a list of the different types of POS terminals you could be using, and the ways that each affect the scope of PCI controls you need to have in place.
Ethernet
Point Of Sale terminals connected to an IP network come in many forms, and can drastically affect the scope of a PCI audit. These terminals have the potential to bring the entire network the device resides on (the Cardholder Data Environment, or CDE) into scope. It would also pull any system connected to the CDE, or that impacts the security of the CDE, into scope.
Standalone
There are two types of standalone terminals: IP terminals and dial-up terminals. An IP terminal utilizes a network connection to transmit data from one application to another. Dial-up terminals will use a standard telephone line to transmit data.
If there is no cardholder data stored on the POS device, then dial-up terminals are only subject to a self-assessment questionnaire (SAQ) B review. This is a fairly simple questionnaire completed by the merchant and submitted to their acquiring bank on an annual basis.
IP terminals that are PIN Transaction Security Approved (PTS) are subject to a SAQ B-IP review. In the event that the terminal is not PTS approved, it is subject to the same audit requirements of the POS terminal described above.
Virtual Terminals
Virtual terminals are terminals that are used to enter cardholder data only. These POS devices cannot store any Electronic Cardholder Data. There are two ways that a virtual terminal can be connected. POS terminal operating systems can either connect directly to an externally hosted web server which processes manually entered payments, or through standalone devices that connect directly to the internet and sends cardholder data that is either swiped or manually entered.
Whether your organization is using an externally hosted terminal, or one that is directly connected, both scenarios will require a self-assessment questionnaire to be completed. If cardholder data is being manually entered into the site, you will need to complete a SAQ C-VT. If you are using a standalone machine connected directly to the internet, however, you would need to complete a SAQ C. Due to the terminal accepting the cardholder data physically residing on the merchant network, the SAQ-C questionnaire will be a slightly more involved process, whereas an SAQ C-VT is a simpler questionnaire since data is entered directly into a web site, outside of the merchant’s network.
It is important to understand the ways in which your POS is situated in your network in order for you and your team to be able properly assess its security controls and determine whether you are meeting PCI standards. It is critical that your organization have someone with expert knowledge of the technologies determine the impact of your POS on scope to ensure you are properly protecting your environment.
