I'm wondering if anyone has been through a PCI compliance assessment and could share some insight and information with me. I have a specific question, but I also welcome anyone's thoughts about how the assessment went: was it harder or easier to pass than they expected, etc.?
My specific question is this: I am working on defining the scope of the PCI environment. The actual cardholder data (CD) will be processed by a POS device on a specific VLAN on a switch; it will travel upstream to our core routers and then be passed on to a processing server. (There will likely be additional upstream devices and processing servers, but for now let's just leave it at that.)
From what I have learned, I know that our cardholder data environment (CDE) includes the POS device, the switch it's connected to, the core router, and the processing server. I read that "the scope of PCI" will include the CDE, plus any device or system that directly connects to the CDE. I want to set up a MGMT server somewhere on an isolated VLAN and this server will be the only system that can remotely access the CDE switch (via SSH). I know that this server will be considered "directly connecting" to the switch and so it will be part of the scope of PCI.
Here is my question: If I have another system (my desktop PC) that can remote desktop to the MGMT server, but cannot SSH to the switch directly, can my desktop PC be excluded from the scope of PCI? It seems to me that would be the case because my PC will not connect directly to the cardholder data environment.
Does anyone agree or disagree with this? Thanks in advance for any advice or feedback.
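Whatever the assessor decides about scope, the design described in the question (desktop reaches only the MGMT server; MGMT server is the only host that can SSH to the CDE switch) is only as good as the network controls that enforce it, and an assessor will normally want evidence that the segmentation actually holds. The following is an added example, not code from the original poster: it writes that design down as a table of expected-open and expected-blocked TCP paths and probes them from whichever host it is run on. The addresses, port choices and the `simulated_acl` stand-in are assumptions for illustration.

```python
"""Segmentation check runner: an added example, not code from the original post.

It encodes the access design described above (desktop -> MGMT server only;
MGMT server -> CDE switch over SSH only) as a table of expected-open and
expected-closed TCP paths, then probes them from whichever host it runs on.
All addresses are assumed placeholders.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Assumed addresses for illustration only; substitute the real ones.
DESKTOP = "10.50.0.25"      # admin desktop, hoped to stay out of scope
MGMT = "10.99.0.10"         # management server on its isolated VLAN (in scope)
CDE_SWITCH = "10.10.0.2"    # switch carrying the POS VLAN (part of the CDE)


@dataclass(frozen=True)
class Check:
    src: str
    dst: str
    port: int
    expect_open: bool
    note: str


# The intended design from the post, written as testable expectations.
CHECKS: List[Check] = [
    Check(DESKTOP, MGMT, 3389, True, "desktop may RDP to the MGMT server"),
    Check(DESKTOP, CDE_SWITCH, 22, False, "desktop must not SSH to the CDE switch"),
    Check(DESKTOP, CDE_SWITCH, 23, False, "and must not telnet to it either"),
    Check(MGMT, CDE_SWITCH, 22, True, "MGMT server is the only SSH path"),
    Check(MGMT, CDE_SWITCH, 3389, False, "nothing but SSH from MGMT to the switch"),
]

# A probe returns "open", "refused" (RST: host reachable, port closed) or
# "filtered" (timeout / no route: an ACL or firewall dropped the packets).
ProbeFn = Callable[[str, str, int], str]


def tcp_probe(src: str, dst: str, port: int, timeout: float = 3.0) -> str:
    """Real probe from the current host; src is only recorded, not spoofed."""
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def run_checks(checks: List[Check], this_host: str,
               probe: ProbeFn = tcp_probe) -> List[Tuple[Check, str, bool]]:
    """Run the checks whose source is this host; return (check, state, passed)."""
    results = []
    for c in checks:
        if c.src != this_host:
            continue
        state = probe(c.src, c.dst, c.port)
        passed = (state == "open") == c.expect_open
        results.append((c, state, passed))
    return results


def violations(results: List[Tuple[Check, str, bool]]) -> List[str]:
    """Human-readable list of failed expectations (empty means segmentation holds)."""
    out = []
    for c, state, passed in results:
        if not passed:
            want = "open" if c.expect_open else "blocked"
            out.append(f"{c.src} -> {c.dst}:{c.port} expected {want}, got {state} ({c.note})")
    return out


def simulated_acl(allowed: Set[Tuple[str, str, int]]) -> ProbeFn:
    """Offline stand-in for tcp_probe: models an ACL as a set of permitted paths."""
    def probe(src: str, dst: str, port: int) -> str:
        return "open" if (src, dst, port) in allowed else "filtered"
    return probe


if __name__ == "__main__":
    # Usage: python segcheck.py <this-host-ip>  (run once from the desktop, once from MGMT)
    host = sys.argv[1] if len(sys.argv) > 1 else DESKTOP
    res = run_checks(CHECKS, host)
    for line in violations(res):
        print("FAIL:", line)
    print(f"{sum(1 for _, _, ok in res if ok)}/{len(res)} checks passed from {host}")
```

Run it once from the desktop and once from the MGMT server and keep the output as segmentation evidence; the "refused" versus "filtered" distinction is worth recording because "refused" means the packets reached the CDE switch and only a closed port stopped them, which is not the isolation the design intends.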