We are attempting to become PCI compliant.
I am looking for some guidanve and experience for requirement 1.3.
1.3 - 'Prohibit direct public access between the internet and any system component in the card holder data environmenty.
We have PCs on the CCD network that wish to access the internet.
For this indirect access is a a firewall running NAT and Stateful packet filtering sufficient to meet the above requirement. or
Do we require to create a DMZ and place a proxy server in there to manage connections to the internet.
What is acceptable to a QSA.
Many thanks
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Your first solution is good and the second solution using the proxy server would be better.
Most companies (ASV) will provide you a free report - you might consider having a licensed ASV do this to see if this is acceptable. However, with you being Level 1, I would consider using the proxy server, along with a WebThreat service to help prevent any unauthorized access (maybe like BlueCoat).
Hi Corey,
Sorry if I was misunderstood, we are level 4 not 1, self assessment with fairly limited kit at each site ( AD server , some PCs and a CCD holding application on a seperate server ).
That is great news if the firewall alone is sufficient, we are planning using the Sonicwall - with IPS service on. Because the upheaval of creating a DMZ and then having something to put in it?? would stretch our IT resource.
The interpretation of what is indirect access, is quite varied. I appreciate DMZ - proxy better, but looking to secure in as cost effective a manner as possible.
Have you seen an ASV approved setup with this config?
Many thanks
They might approve the set-up, most will give you a free report. It matters more on what the ASV can get through (if they can get through) to your closed system.
You might also take a look at the self-assessment questionnaire (completed annually) to help you as well.
If you are in the United States - you have a number of options available to you. Personally, I would stay away from First Data (and its agents). They will charge you an annual PCI compliance fee even if you use another company to help you with PCI compliancy. They say it can be waived, but this is after they charge you and usually they only refer a portion of the fee already accessed.
Business Accounts
Answer for Membership
by: dbhsupportPosted on 2009-06-30 at 00:58:04ID: 24743166
whackamod
sorry for that, not sure how it ended up in documentum, my mistake.
Its more networking compliance standards, nothing to do with web development, thanks for your help can you tell me how to change it.