Solved

Please provide some General Comments on PCI-DSS compliance in our environment

Posted on 2010-11-11
1
389 Views
Last Modified: 2012-06-27
I  have some opinions based on our reading of the requirements, but Im looking for some unbiased second opinions.

Weve done things like changing default credentials, implementing firewalls, creating users with unique accounts and passwords, and deploying and monitoring the AV / security centrally. That Im not confused on.  That said...

We have 3 locations connected to main office by an MPLS network. Each of those locations, including the main office has WPA-secured wireless and at LEAST one PC that is joined to the domain, hardwired via a switch into the network, able to access internal file servers and the Internet AND with software loaded and keyed to it that allows it to process credit cards via a USB swipe card reader. These are "sales counter" machines that do "card present" transactions. The Software it runs is USAePay. Other PCs on the network are used to access our gateway providers website for the purpose of doing card present web transactions. The wireless is presently on the same subnet as the rest of the LAN at any given location.

No card data is stored in the business system in a defined form, but as a convenience for our customers some CC names and numbers are placed in an unamed spare text field (Like "notes") and referenced when the customer sends in an order (by our employee then running the card via the web interface mentioned above).

The wireless MUST be kept for warehouse scanner activities, and that wireless network must be connected to the same server where wired PCs access the business system. The sales counter PCs must in addition be able to access both the internal network / biz system AND the CC processor. Stand alone dial up card machines were deemed too slow for use.

So, what concerns do you see, and how are these concerns typically remediated?
0
Comment
Question by:Eric_Price
1 Comment
 
LVL 32

Accepted Solution

by:
aleghart earned 500 total points
ID: 34114413
The card swipe hardware and software can have PCI compliance and absolve you from going any further.

Remove the CC# from your database, and you're OK.

I don't know of a good business reason to store the CC#.  Typing it into a note field then processing it later with another interface become a PCI problem because you're building a workflow (however informal) around storing the CC information.

If you need the number for use in a web GUI, then type it straight into the Virtual Terminal.  That is covered by the provider's PCI compliance certification.

Otherwise, you're in for a roller-coaster ride of self certification that really doesn't need to happen.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
MITM attack on Android phones 8 113
Unknown security group 2 60
Wireless option for Dell Zero client? 4 20
Penetration Testing home based work 3 58
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now