08 Apr 2011

What is a private network in terms of PCI DSS?

PCI DSS | Tim Holman | 3 Comments

Just because a network might be ‘private’ in terms of PCI DSS (for example MPLS, IP-VPN, leased line, X.25 et al.) does NOT mean it is out of scope for PCI DSS.

Being ‘private’ negates exactly ONE control: you don’t need to encrypt traffic that passes over a ‘private’ network (control 4.1).

ALL other controls still apply!

So if you use an MPLS, IP-VPN, leased line or X.25 provider and decide not to encrypt the data before it hits the provider’s equipment (including customer premises equipment, CPE), then that whole network is in scope for PCI DSS.

Also in scope are the systems the provider uses to manage that network, since a provider sysadmin could potentially capture all traffic passing through it (including your unencrypted card numbers).

It is very rare for a telco to commit to PCI DSS compliance, due to scale and cost, so before you go hammering down their doors and waving a RoC in their faces, seriously consider encrypting sensitive data before it leaves your domain, whether it travels over a ‘private’ or a ‘public’ network.

3 Responses to “What is a private network in terms of PCI DSS?”

  1. Anonymous says:

    This brings up the question of "Who cares?" According to our QSA, our PCI compliance status does not depend on the compliance status of third parties. The telecom provider is a third-party. And we only get asked about our compliance status.

    This is one of the biggest reasons companies don't care about PCI; it attempts to bring the entire world into their circle of responsibility.

    And since no company that has been breached has ever been found to be compliant at the time of the breach, and there have been thousands, what do all of the costs associated with PCI return to us? Not much. We're going to get fined anyway and we'll just fight it.

  2. Tim Holman says:

    I feel that's a very dangerous comment for your QSA to have made.

    Third parties are a HUGE risk to card holder data if not managed properly and I would recommend you conduct a risk assessment of your third party interactions as soon as possible.

    It's not uncommon for large retailers to outsource their WAN function, just make sure sensitive data is encrypted prior.

  3. Anonymous says:

    Dangerous or not, it's true. All that's needed is a program to monitor third parties.

    PCI compliance does not buy us a thing. If it's not a matter of "if" a company will get breached, it's a question of "when". The statistics prove it. Being breached is de facto proof you were not PCI compliant.

    PCI is nothing more than a very expensive insurance policy premium where you have zero chance of collecting on it. That's a bad investment in anybody's world.