Verifone Omni 5750 help

PCI-DSS compliance for business with only swipe terminals

The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.

Therefore, storage of card data is not required to put you in scope; transmission is sufficient. Your terminals will be transmitting cardholder data, and so are "in scope" for PCI requirements.

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:

  • The scope of the PCI DSS assessment
  • The cost of the PCI DSS assessment
  • The cost and difficulty of implementing and maintaining PCI DSS controls
  • The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

In other words, any system connected to the network with processing terminals on it is "in scope", and will have to be scanned and audited as well. You only have to segment it if you don't want to attest that it's up to PCI security snuff every year! (That being said, it's probably cheaper and easier for you to segment it than to subject everything on your network to PCI requirements).

The PCI DSS Self-Assessment Questionnaire outlines the different types of businesses and what their broad requirements are. Based on your description, you're SAQ "C", outlined on page 11. I've quoted part of it below and highlighted the bullet stating that, yes, they want you to segment your network:

Source: security.stackexchange.com March 7, 2017 – 07:56

Related Posts

Verifone VX520 API

Verifone OMNI 3200 Manual

Verifone OMNI 5100

Verifone Omni 5750 paper

Verifone Office in Queens