Other systems connected to the Card Holder data environment

“System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment.”

If we have supporting non-credit-card information (reference number, amount, transaction number, etc.) passed between a card system and another system using, say, IPC, is the other system subject to PABP compliance? This other system does not touch credit card numbers.

What level of separation is required at a DB level? If two applications share a DB, as long as the access control in the non-credit-card application is at least as good as PCI/PABP requirements, does this non-credit-card application become subject to certification? The sensitive data from the credit card application can be protected using access control.

If any system is on the same network and not separated by adequate security controls (VLAN, firewall, access controls, for example), or if a database is shared, then that system / application / environment / people must meet the same PCI DSS rules. What we would look for in an audit would be that any system or application that has, or could have, access to the cardholder data must meet the same standard unless there are compensating controls in place to limit that access. An access control list might be adequate (mainframe RACF, for example) or it might not be (Microsoft file permissions on an unpatched system, for example). Since the data in that database must be encrypted, then key management might be adequate if it could be demonstrated that the untrusted system could not decrypt the data in some way.
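The last point in the answer above, that a shared database can be acceptable if the non-card system provably cannot decrypt the cardholder data, is the kind of thing you can demonstrate with a small harness rather than a paragraph of policy. The following Go program is an added example written for this page; it is not code from either poster and it does not represent any particular vendor's product. It assumes the card application holds an AES-256-GCM data key in its own key management (an HSM or KMS, abstracted here as `NewDataKey`), writes only ciphertext for the PAN into the row that both applications read, and binds the ciphertext to the transaction ID as additional authenticated data so a ciphertext cannot be moved between rows. The row layout, field names and the test PAN `4111111111111111` are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SharedRow models one row in the database both applications can read.
// Supporting data is stored in the clear; the PAN only ever lands here as
// AES-GCM ciphertext produced under a key the non-card application never holds.
// (Constructed layout for this example, not a real schema.)
type SharedRow struct {
	ReferenceNumber string
	TransactionID   string
	AmountCents     int64
	PANCiphertext   []byte // nonce || ciphertext || GCM tag
}

// NewDataKey returns a fresh 256-bit AES key. In a real deployment this key
// lives in the card application's key-management system (assumed: HSM/KMS),
// never in the shared database or on the non-card host.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreTransaction is what the card application runs before writing the row.
// The transaction ID is bound in as additional authenticated data, so a
// ciphertext copied from one row into another will fail to decrypt.
func StoreTransaction(key []byte, pan, ref, txid string, amountCents int64) (SharedRow, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SharedRow{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SharedRow{}, err
	}
	// Seal appends ciphertext+tag after the nonce we pass as dst.
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(txid))
	return SharedRow{ReferenceNumber: ref, TransactionID: txid, AmountCents: amountCents, PANCiphertext: ct}, nil
}

// ReadPAN is the only decryption path. It succeeds solely under the card
// application's key; any other key, or a row whose transaction ID was changed,
// fails the GCM tag check and yields no plaintext. That failure is the
// property an assessor would ask you to demonstrate for the untrusted system.
func ReadPAN(key []byte, row SharedRow) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(row.PANCiphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, row.PANCiphertext[:ns], row.PANCiphertext[ns:], []byte(row.TransactionID))
	if err != nil {
		return "", fmt.Errorf("decrypt %s: %w", row.TransactionID, err)
	}
	return string(pt), nil
}

// NonCardAppView is everything the second application needs from the row:
// it reads the shared table but touches only the supporting fields.
func NonCardAppView(row SharedRow) (ref string, txid string, amountCents int64) {
	return row.ReferenceNumber, row.TransactionID, row.AmountCents
}

func main() {
	cardKey, _ := NewDataKey()
	otherKey, _ := NewDataKey() // whatever key material the non-card host might hold
	// 4111111111111111 is a constructed test PAN, not real cardholder data.
	row, err := StoreTransaction(cardKey, "4111111111111111", "REF-0001", "TX-42", 1999)
	if err != nil {
		panic(err)
	}
	ref, txid, amt := NonCardAppView(row)
	fmt.Printf("non-card app sees: ref=%s txid=%s amount=%d\n", ref, txid, amt)
	if _, err := ReadPAN(otherKey, row); err != nil {
		fmt.Println("non-card key cannot decrypt:", err)
	}
	pan, _ := ReadPAN(cardKey, row)
	fmt.Println("card app decrypts its own row:", pan)
}
```

The thing to notice is what the second application is allowed to do: read the row, use reference number, amount and transaction ID, and nothing else. Whether this actually keeps the non-card system out of scope is a decision for your assessor, not for the code, and it only holds if the key genuinely never reaches that host, which is a key-management and access-control question the example cannot settle.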