2 votes
Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan?

A. Customer Systems
B. Systems on the Isolated Network
C. Systems on the General Enterprise Network
D. Both B and C

asked by VonD (8.1k points)

1 Answer

2 votes

Final answer:

Barry should scan the Systems on the Isolated Network dedicated to card processing to comply with PCI DSS requirements, as these are the ones directly involved in handling cardholder data.

Step-by-step explanation:

For PCI DSS compliance purposes, when conducting vulnerability scans, Barry must scan the systems on the isolated network dedicated to card processing, as that is where the organization's credit card processing systems are housed. Since he has implemented appropriate segmentation controls like VLANs and firewalls, the scope of PCI DSS is limited to those systems. Therefore, the correct answer is B. Systems on the Isolated Network. There is no need to scan the general enterprise network if it is properly segregated from the cardholder data environment and does not impact the security of the card processing systems.

answered by Nathan Lafferty (8.7k points)