Dan recently asked the PCI DSS Guru about PCI DSS compliance for a hotel that has a restaurant, reservations system and staff computers:

“I have a hotel with 106 computers on the LAN. I am working on a plan for segmentation of the 37 machines that regularly interact with card numbers. These 37 are comprised of restaurant POS that swipe, front desk PCs that swipe, reservations PCs that hand enter card numbers and accounting PCs that hand enter or can access card info. Now we do tokenize all card numbers.

The other 69 computers have the application installed that allows them to view guest reservations and they could potentially enter a card number, though there isn’t a clear business reason why they would. If I physically separate the 37, can the 69 still be considered in scope since they have access to the application where card data is entered/tokenized? Did this make any sense?”

This is a very interesting question, Dan, and it took me a few minutes to form my opinion on this.  I was about to say that, yes, you could probably define the scope of your cardholder data environment as the 37 systems that actually process credit cards and then segment them off from the other systems.  You would then have to treat the other 69 systems as remote access systems and provide a secure connection back to the CDE on an as-needed basis.

However, the more I thought about it, the more I questioned whether a QSA would actually accept this approach.  It seems like a solution where you’re trying to engineer a loophole rather than reflect the actual business environment.  If the systems in the non-card-processing offices are running the same software as the POS systems, they should probably be treated the same way.  I am guessing that there is some sort of thick client connection taking place between those systems and the backend application and, in my opinion, this makes them an inseparable part of the cardholder data environment.

If you truly want to segment these systems, I think that you need to break away from the thick client model for them.  For example, you might be able to build a web application that involves no potential cardholder data and then expose that to the 69 staff systems through the CDE firewall (with appropriate security controls around the web application, of course).  As long as you’re continuing to run the POS application on the staff systems, it is my opinion that you should consider them part of the CDE.
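To make the scoping rule above concrete, here is an added example (not part of the original post or Dan’s environment): a small check that applies the rule “any host running the POS thick client belongs in the CDE” to a constructed host inventory, and then inspects proposed CDE firewall rules so that the only flow allowed from the staff segment is to a hypothetical read-only web application. The host names, service names (`pos-backend`, `web-app`) and ports are assumptions.

```python
# Added example: scoping sanity check for the segmentation approach discussed above.
# Hosts, segments, service names and ports are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    handles_cards: bool     # swipes or hand-enters card numbers
    runs_pos_client: bool   # thick client talking to the POS/reservations backend
    segment: str            # "cde" or "staff"

@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst: str                # hypothetical service name: "pos-backend" or "web-app"
    port: int
    action: str             # "allow" or "deny"

def in_scope(h: Host) -> bool:
    """A host is in the CDE if it handles card data OR runs the POS thick client."""
    return h.handles_cards or h.runs_pos_client

def scope_findings(hosts, rules):
    """Return human-readable findings: scope leaks and rules that defeat segmentation."""
    findings = []
    for h in hosts:
        if in_scope(h) and h.segment != "cde":
            findings.append(f"{h.name}: runs POS client but sits in '{h.segment}' segment; "
                            "move it into the CDE or remove the client")
    for r in rules:
        # Only the CHD-free web app may be reached from outside the CDE.
        if r.action == "allow" and r.src_segment != "cde" and r.dst != "web-app":
            findings.append(f"rule {r.src_segment}->{r.dst}:{r.port}: non-CDE segment "
                            "reaches the backend; only web-app should be exposed")
    return findings

# Constructed inventory: a few representative hosts rather than all 106.
HOSTS = [
    Host("restaurant-pos-01", True, True, "cde"),
    Host("frontdesk-02", True, True, "cde"),
    Host("housekeeping-07", False, True, "staff"),   # client installed, no card use
    Host("sales-12", False, False, "staff"),         # would use the web app only
]
RULES = [
    Rule("staff", "web-app", 443, "allow"),
    Rule("staff", "pos-backend", 5000, "allow"),     # leftover rule that defeats segmentation
    Rule("staff", "pos-backend", 5000, "deny"),
]

if __name__ == "__main__":
    for finding in scope_findings(HOSTS, RULES):
        print(finding)
```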

I’m sorry that’s probably not the news that you wanted to hear.  I welcome other opinions.  Feel free to chime in with comments!