Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Please provide some General Comments on PCI-DSS compliance in our environment

Posted on 2010-11-11
1
Medium Priority
?
406 Views
Last Modified: 2012-06-27
I  have some opinions based on our reading of the requirements, but Im looking for some unbiased second opinions.

Weve done things like changing default credentials, implementing firewalls, creating users with unique accounts and passwords, and deploying and monitoring the AV / security centrally. That Im not confused on.  That said...

We have 3 locations connected to main office by an MPLS network. Each of those locations, including the main office has WPA-secured wireless and at LEAST one PC that is joined to the domain, hardwired via a switch into the network, able to access internal file servers and the Internet AND with software loaded and keyed to it that allows it to process credit cards via a USB swipe card reader. These are "sales counter" machines that do "card present" transactions. The Software it runs is USAePay. Other PCs on the network are used to access our gateway providers website for the purpose of doing card present web transactions. The wireless is presently on the same subnet as the rest of the LAN at any given location.

No card data is stored in the business system in a defined form, but as a convenience for our customers some CC names and numbers are placed in an unamed spare text field (Like "notes") and referenced when the customer sends in an order (by our employee then running the card via the web interface mentioned above).

The wireless MUST be kept for warehouse scanner activities, and that wireless network must be connected to the same server where wired PCs access the business system. The sales counter PCs must in addition be able to access both the internal network / biz system AND the CC processor. Stand alone dial up card machines were deemed too slow for use.

So, what concerns do you see, and how are these concerns typically remediated?
0
Comment
Question by:Eric_Price
1 Comment
 
LVL 32

Accepted Solution

by:
aleghart earned 2000 total points
ID: 34114413
The card swipe hardware and software can have PCI compliance and absolve you from going any further.

Remove the CC# from your database, and you're OK.

I don't know of a good business reason to store the CC#.  Typing it into a note field then processing it later with another interface become a PCI problem because you're building a workflow (however informal) around storing the CC information.

If you need the number for use in a web GUI, then type it straight into the Virtual Terminal.  That is covered by the provider's PCI compliance certification.

Otherwise, you're in for a roller-coaster ride of self certification that really doesn't need to happen.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question