Quite right. Additionally, some states (including California) mandate the 
disclosure of any breach of PII affecting residents of that state, so 
minimizing your risk exposure also makes sense.

The PCI projects I've been on in the past have all been about narrowing the 
scope as much as is humanly possible...

Regards,
Corey Quinn

On Sep 22, 2014, at 9:59 AM, Jo Rhett <[email protected]> wrote:

> On Sep 15, 2014, at 6:21 AM, Mark McCullough <[email protected]> wrote:
>> The PCI-DSS document specifies very explicitly what makes one in scope vs 
>> out of scope, not only at a system level, but at a network level.  If no 
>> payment card data touches your systems or network, you are not PCI impacted.
> 
> 
> Not covered under PCI, but you also have to deal with Personally Identifiable 
> user data. This is a valid reason for an audit.
> 
> -- 
> Jo Rhett
> +1 (415) 999-1798
> Skype: jorhett
> Net Consonance : net philanthropy to improve open source and internet 
> projects.
> 
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
