And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows-based. However...

I have the IG office following right behind me. They are checking my work, ensuring that my questions dig deep enough and that I don't ignore anything.

I wish we were a smaller organization. I have to tromp through many fiefdoms to get the info. The tests say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise-wide, as we have many applications that must be certified PCI compliant. This is just number one.

From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.

/rant