Question: I have a convenience store which is processed through a satellite connection direct to ExxonMobil. I have a PC connected to the internet which has NO connection to the POS system which processes credit card data. Do I still need to scan?
Answer: Do the PC and POS system sit on the same network? If so, all systems within the cardholder data environment are in-scope for the vulnerability scanning requirements.
It is not clear what is meant by “no connection to the POS system,” but if I had to guess, these systems both reside on the same network segment. Additionally, if this is the case, and the PC is directly connected to the Internet, a firewall must be in place between the PC and the Internet.
2 thoughts on ““I have a convenience store which is processed through a satellite connection…””
Concerning the firewall: does it need to be an appliance firewall, or a software firewall that is installed on the PC or comes with the Windows OS?
Does a terminal payment using the Internet (not dial-up) need to be protected with a firewall as well?
In this case it should be an appliance/hardware firewall since a software or host-based firewall only provides protection for a single system. All systems within the environment need to be protected by a firewall, so a hardware firewall is the best way to accomplish this.