Solved

Please provide some General Comments on PCI-DSS compliance in our environment

Posted on 2010-11-11
Last Modified: 2012-06-27
I have some opinions based on our reading of the requirements, but I'm looking for some unbiased second opinions.

We've done things like changing default credentials, implementing firewalls, creating users with unique accounts and passwords, and deploying and monitoring the AV / security centrally. That I'm not confused on. That said...

We have 3 locations connected to the main office by an MPLS network. Each of those locations, including the main office, has WPA-secured wireless and at LEAST one PC that is joined to the domain, hardwired via a switch into the network, able to access internal file servers and the Internet AND with software loaded and keyed to it that allows it to process credit cards via a USB swipe card reader. These are "sales counter" machines that do "card present" transactions. The software it runs is USAePay. Other PCs on the network are used to access our gateway provider's website for the purpose of doing card present web transactions. The wireless is presently on the same subnet as the rest of the LAN at any given location.

No card data is stored in the business system in a defined form, but as a convenience for our customers some CC names and numbers are placed in an unnamed spare text field (like "notes") and referenced when the customer sends in an order (by our employee then running the card via the web interface mentioned above).

The wireless MUST be kept for warehouse scanner activities, and that wireless network must be connected to the same server where wired PCs access the business system. The sales counter PCs must in addition be able to access both the internal network / biz system AND the CC processor. Stand-alone dial-up card machines were deemed too slow for use.

So, what concerns do you see, and how are these concerns typically remediated?
Question by: Eric_Price

Accepted Solution by: aleghart (earned 500 total points)
ID: 34114413
The card swipe hardware and software can have PCI compliance and absolve you from going any further.

Remove the CC# from your database, and you're OK.

I don't know of a good business reason to store the CC#. Typing it into a note field then processing it later with another interface becomes a PCI problem because you're building a workflow (however informal) around storing the CC information.

If you need the number for use in a web GUI, then type it straight into the Virtual Terminal.  That is covered by the provider's PCI compliance certification.

Otherwise, you're in for a roller-coaster ride of self certification that really doesn't need to happen.
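The accepted answer's first remediation is to get the card numbers out of the "notes" field. Before you can remove them you have to find them, and a free-text field is exactly where grep-by-eye fails. The following is an added example, not part of the thread and not code from USAePay or Experts Exchange: a small scanner that pulls candidate 13-19 digit sequences out of note text, drops anything that fails the Luhn mod-10 check (order numbers and phone numbers usually fail it), and reports only masked PANs (first six and last four digits) so the report itself does not become another place card data is stored. The record IDs, the notes text and the card numbers are constructed sample data; the card numbers are the widely published test numbers, not real accounts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side (so a 20-digit run is not a card).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    # Walk right to left; double every second digit and fold >9 back into one digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (PCI DSS display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in free text, as bare digit strings."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: List[Tuple[int, Optional[str]]]) -> List[Dict[str, object]]:
    """Scan (record_id, notes) pairs; report each hit with the PAN masked."""
    findings: List[Dict[str, object]] = []
    for rec_id, notes in records:
        for pan in find_pans(notes or ""):
            findings.append({"record": rec_id, "masked_pan": mask_pan(pan)})
    return findings


# Constructed sample rows standing in for the "notes" column of the business system.
# Record 1002 holds a 16-digit PO number that fails Luhn and must NOT be reported.
SAMPLE_NOTES: List[Tuple[int, Optional[str]]] = [
    (1001, "Cust prefers Tuesday delivery. Visa 4111 1111 1111 1111 exp 03/12"),
    (1002, "Call before shipping. Order # 1234567890123456 (PO number)"),
    (1003, "MC on file: 5500-0000-0000-0004, name J. Smith"),
    (1004, None),
    (1005, "Phone 555-0100, account 378282246310005 AmEx"),
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_NOTES):
        print(f"record {hit['record']}: {hit['masked_pan']}")
```

In practice you would feed `scan_records` the output of a `SELECT id, notes FROM ...` over every free-text column, not just the one you know about; the Luhn filter is what keeps the report short enough to act on, and the masking is what keeps the report out of scope.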