Please provide some General Comments on PCI-DSS compliance in our environment

Posted on 2010-11-11
405 Views | Last Modified: 2012-06-27
I have some opinions based on our reading of the requirements, but I'm looking for some unbiased second opinions.

We've done things like changing default credentials, implementing firewalls, creating users with unique accounts and passwords, and deploying and monitoring the AV / security centrally. That I'm not confused on. That said...

We have 3 locations connected to the main office by an MPLS network. Each of those locations, including the main office, has WPA-secured wireless and at LEAST one PC that is joined to the domain, hardwired via a switch into the network, able to access internal file servers and the Internet AND with software loaded and keyed to it that allows it to process credit cards via a USB swipe card reader. These are "sales counter" machines that do "card present" transactions. The software it runs is USAePay. Other PCs on the network are used to access our gateway provider's website for the purpose of doing card-present web transactions. The wireless is presently on the same subnet as the rest of the LAN at any given location.

No card data is stored in the business system in a defined form, but as a convenience for our customers some CC names and numbers are placed in an unnamed spare text field (like "notes") and referenced when the customer sends in an order (by our employee then running the card via the web interface mentioned above).

The wireless MUST be kept for warehouse scanner activities, and that wireless network must be connected to the same server where wired PCs access the business system. The sales counter PCs must in addition be able to access both the internal network / biz system AND the CC processor. Stand-alone dial-up card machines were deemed too slow for use.

So, what concerns do you see, and how are these concerns typically remediated?
Question by: Eric_Price
1 Comment
LVL 32

Accepted Solution by: aleghart (earned 2000 total points)
ID: 34114413
The card swipe hardware and software can have PCI compliance and absolve you from going any further.

Remove the CC# from your database, and you're OK.

I don't know of a good business reason to store the CC#. Typing it into a note field then processing it later with another interface becomes a PCI problem because you're building a workflow (however informal) around storing the CC information.

If you need the number for use in a web GUI, then type it straight into the Virtual Terminal.  That is covered by the provider's PCI compliance certification.

Otherwise, you're in for a roller-coaster ride of self certification that really doesn't need to happen.
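The accepted answer's advice to remove the CC# from the database presumes you can first find every card number that employees have pasted into the free-text "notes" field. The following is an added example written for this page (editor's code, not from the thread, from USAePay, or from Experts Exchange) that scans note rows for 13-19 digit sequences, keeps only those that pass the Luhn checksum so that phone numbers and order IDs are not flagged, and masks each hit to its last four digits so the audit report itself does not become another place PANs are stored. The sample rows and card numbers are constructed test values, and the function names (`scan_notes`, `redact_notes`) are assumptions.

```python
"""Find and mask card numbers (PANs) stored in free-text notes fields.

Added example for this page; not code from the thread or from USAePay.
Sample rows below are constructed; the card numbers are the widely
published Visa/Mastercard test numbers, not real accounts."""
import re

# Candidate run of 13-19 digits, allowing a single space or dash between digits.
# The lookarounds stop the pattern from starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit sequences found in text (separators removed)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which PCI-DSS allows to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_notes(rows):
    """rows: iterable of (customer_id, notes). Returns [(customer_id, masked_pan), ...]."""
    hits = []
    for cid, notes in rows:
        for pan in find_pans(notes or ""):
            hits.append((cid, mask_pan(pan)))
    return hits


def redact_notes(notes: str) -> str:
    """Return notes with every Luhn-valid PAN replaced by its masked form."""
    def _repl(m):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number; leave it alone
    return _CANDIDATE.sub(_repl, notes)


# Constructed sample rows standing in for the "notes" column of the business system.
SAMPLE_ROWS = [
    (1001, "Ships Tuesday. Visa 4111 1111 1111 1111 exp 12/12, name J. Doe"),
    (1002, "Order #4111111111111112 phone 555-0100"),   # 16 digits but fails Luhn
    (1003, "Customer prefers fax; no card on file"),
    (1004, "MC 5555-5555-5555-4444"),
]

if __name__ == "__main__":
    for cid, masked in scan_notes(SAMPLE_ROWS):
        print(f"customer {cid}: stored PAN found ({masked})")
```

Running `scan_notes` over an export of the notes column gives the list of records that need cleaning; `redact_notes` produces the cleaned value to write back. The Luhn filter is what keeps the report usable: without it, every long order or phone number in the notes field would show up as a false positive.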