David recently asked the PCI DSS Guru about the use of VLANs in a PCI DSS cardholder data environment. Here’s his question:
Are network switches in the Cardholder Data Environment in scope for PCI DSS? We are having trouble with this one. We have a VLAN that runs campus-wide that transmits card data back to our servers. Are all the switches that carry this VLAN in scope? If so, how can we test changes to this network? We can’t afford another network infrastructure just for PCI. Any guidance you can provide would be great. Also, keep up the good work with your site. It’s very helpful to newbs like me.
That’s a great question, David, and it’s the subject of a lot of debate within the PCI DSS community.

