Just because a network might be ‘private’ in terms of PCI DSS, for example MPLS, IP-VPN, leased line, X.25 et al., does NOT mean it is out of scope for PCI DSS.

Being ‘private’ negates ONE control, and that is that you don't need to encrypt traffic that passes over a ‘private’ network (control 4.1).

ALL other controls still apply!

So if you use an MPLS, IP-VPN, leased line or X.25 provider and decide not to encrypt the data before it hits the provider's equipment (including customer premises equipment, CPE), then that whole network is in scope for PCI DSS.

Also in scope are the systems the provider uses to manage that network, since a provider sysadmin could potentially capture all traffic passing through it (including your unencrypted card numbers).

It is very rare for a telco to commit to PCI DSS compliance, due to scale and cost, so before you go hammering on their doors waving a RoC in their faces, seriously consider encrypting sensitive data before it leaves your domain, whether it travels over a ‘private’ or a ‘public’ network.
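A scoping check in the spirit of the advice above, added here as an example and not part of the original post: it scans constructed payload samples (as might be captured on the CPE side of a ‘private’ link) for Luhn-valid cleartext PANs and reports them masked, so a link that carries no cleartext cardholder data is distinguished from one that does. The payloads and the 4111… test PAN are constructed sample data.

```python
import re
from typing import List

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# as they would appear in cleartext application payloads.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample payloads standing in for a capture on a private WAN link.
CAPTURED_PAYLOADS = [
    "POST /authorise pan=4111111111111111&exp=1226",   # constructed: cleartext PAN
    "POST /authorise token=tok_7c1e9 amount=4999",     # constructed: tokenised, no CHD
    "ref=1234567890123456 masked=411111******1111",   # constructed: non-PAN digits, masked PAN
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: str) -> List[str]:
    """Return masked PANs found in cleartext in one captured payload."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Digit runs that fail Luhn (order refs, phone numbers) are not flagged.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def link_in_scope(payloads: List[str]) -> bool:
    """A link carries cardholder data, and is in scope, if any payload exposes a PAN."""
    return any(find_cleartext_pans(p) for p in payloads)


if __name__ == "__main__":
    for p in CAPTURED_PAYLOADS:
        print(find_cleartext_pans(p))
    print("link in scope:", link_in_scope(CAPTURED_PAYLOADS))
```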
