Question: I have a convenience store which is processed through a satellite connection direct to ExxonMobil. I have a PC connected to the internet which has NO connection to the POS system which processes credit card data. Do I still need to scan?
Answer: Do the PC and POS system sit on the same network? If so, all systems within the cardholder data environment are in-scope for the vulnerability scanning requirements.
It is not clear what is meant by “no connection to the POS system,” but if I had to guess, these systems both reside on the same network segment. Additionally, if this is the case, and the PC is directly connected to the Internet, a firewall must be in place between the PC and the Internet.
Question: Concerning the firewall, does it need to be an appliance firewall, or can it be a software firewall installed on the PC or the one that comes with the Windows OS?
Does a payment terminal that uses the Internet (not dial-up) need to be protected with a firewall as well?
Answer: In this case it should be an appliance/hardware firewall, since a software or host-based firewall only provides protection for a single system. All systems within the environment need to be protected by a firewall, so a hardware firewall is the best way to accomplish this.