  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542
Securing Credit Card processing

We use a POS system in our restaurant and it will also do Room charges for our hotel. It sends a room charge via a serial connection to our other Hotel network. The hotel network picks it up and applies the charge to the proper room. Credit Card processing is handled on the Hotel Server. I am trying to be sure the processing is secure. Is the serial port connection a threat?
Asked by ri95
1 Solution
 
rfc1180 commented:
The serial port is not secure unless the software/hardware is performing encryption. That is dependent upon the equipment, but by design there is no encryption.

Billy
 
ri95 (Author) commented:
So an intruder could find his way to the port through the machine which receives it...is that correct? Unless the information is encrypted...I would remain at risk.
Any idea how I should plug that hole?
Thanks for quick response.
 
rfc1180 commented:
> So an intruder could find his way to the port through the machine which receives it...is that correct?
> Unless the information is encrypted...I would remain at risk.

Well, the only way would be to secure it via the application (Layer 6, the presentation layer), which would handle the encryption. Contact the vendor to provide support for encryption, or use a CC Processing machine that is IP and use IPSEC to encrypt it. You also could use hardware cryptors that go inline, but those are too easy to circumvent; still, it is an option too. You could always use serial-to-IP converters and then utilize IPSEC to encrypt the data via IP.

Billy
 
kdearing commented:
PCI requires that all credit card transactions are encrypted.
Magtek has card readers / pin pads that encrypt the data on the device.
 
ri95 (Author) commented:
The information coming on serial port is Room number and name and amounts charged - no credit card info. I am worried about an intruder reaching into the network where credit card info is stored....
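One defensive check the hotel-side application could apply to what arrives on the serial link, as an added example that is not code from this thread or from any vendor's product: it treats the serial feed as untrusted input, validates each field, and rejects any frame carrying a Luhn-valid card-number-like digit run, so the "no card data on this link" property the author relies on is enforced rather than assumed. The pipe-delimited `RC|ROOM|NAME|AMOUNT` frame format and the sample lines are constructed assumptions.

```python
import re

# Constructed sample frames in a hypothetical POS serial format: RC|ROOM|NAME|AMOUNT.
SAMPLE_FRAMES = [
    "RC|204|SMITH J|42.50",
    "RC|1104|DOE, JANE|18.00",
    "RC|20A|EVE|9.99",                   # room number is not purely numeric
    "RC|315|MALLORY|4111111111111111",   # a PAN-like value where an amount should be
    "RC|101|ALICE|-5.00",                # negative charge
]

PAN_RE = re.compile(r"\d{13,19}")   # card numbers are 13 to 19 digits long


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text):
    """True if any 13-19 digit run in the text is Luhn-valid, i.e. looks like a PAN."""
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(text))


def parse_room_charge(frame):
    """Validate one serial frame; raise ValueError rather than trust malformed input."""
    parts = frame.strip().split("|")
    if len(parts) != 4 or parts[0] != "RC":
        raise ValueError("malformed frame")
    _, room, name, amount = parts
    if contains_pan(frame):                      # card data must never ride this link
        raise ValueError("card-number-like data on serial link")
    if not re.fullmatch(r"\d{3,4}", room):
        raise ValueError("bad room number")
    if not re.fullmatch(r"[A-Z ,.'-]{1,40}", name):
        raise ValueError("bad guest name")
    if not re.fullmatch(r"\d{1,6}\.\d{2}", amount):
        raise ValueError("bad amount")
    return {"room": room, "name": name, "amount_cents": int(amount.replace(".", ""))}


def triage(frames):
    """Split frames into accepted records and (frame, reason) rejections."""
    accepted, rejected = [], []
    for f in frames:
        try:
            accepted.append(parse_room_charge(f))
        except ValueError as e:
            rejected.append((f, str(e)))
    return accepted, rejected
```

Rejections are worth logging and alerting on: a PAN-like value on a link that should carry only room, name and amount is a sign of a misconfigured or compromised POS.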
 
ri95 (Author) commented:
Billy, then from what you are saying - the serial connection would be ok for two reasons...
1. It does not have cc info, only room number , amounts charged and maybe a name.
2. The CC processing is all compliant and encrypted.

I was worried that an intruder on the other network might make their way back to the separate network where the cc processing info is held.

So
Wan ->Router -> Switch ->Lan and with VPN ->Switch -> Other Lan should be OK

What do you think?
 
ri95 (Author) commented:
The serial goes to Hotel Application - application records it in a database...when the cards are charged - the data is encrypted and goes through IP to Processor.

The POS system uses a separate CC processing software which can go by IP or Modem.
 
kdearing commented:
And of course, for security reasons, any 'guest' internet access should be on a completely separate network
 
ri95 (Author) commented:
Yes,
DSL -> VPN Wireless Router (only two people, Boss and Mgr, with MAC Address Filter use this Wireless) -> Switch to Hotel Network 172.16.1.xxx -> AP for Guests 10.10.10.xxx
VPN is the only way to connect to the POS network (on a separate switch) 192.168.2.xxx -> Wireless AP on the same subnet for the handheld POS unit for use outdoors
Only 5 VPN connections
One outside connection to the Hotel Network (Acctg PC and Boss PC) using a LogMeIn connection
Web Server for Hotel Booking - it connects directly to VPN Router and also connects to Hotel Server for Booking Database access (DCOM)
LogMeIn for Access on this one also.

AV on each computer
One computer to handle Credit Card Transactions - used for nothing else.
I can't determine if I should have it do all cc processing or just the Hotel credit cards. POS uses a different processor...sends via dialup or modem.

Does this sound viable? I need to implement it soon.
 
kdearing commented:
Looks like you have everything under control.

The only thing I would mention is to look into the POS dialup via modem, it's older technology that just slows down the customer interaction.
Check for newer software and/or hardware that uses your existing internet connection; you can always keep the dialup as a backup.
 
ri95 (Author) commented:
Do you think it will be PCI compliant?
 
kdearing commented:
Given all the info posted, I would think so.
 
ri95 (Author) commented:
kdearing...thanks for sticking with me. Would you please look at my plan?
NAT-Network-Plan.pdf
 
kdearing commented:
Just a couple of notes:

- For staff wireless: use WPA2, it is more secure.

- For guest access: if you're going to use the same internet circuit, make sure the guest network is connected to the DMZ of the firewall to prevent access to the internal network.

 
ri95 (Author) commented:
Stuck with me and kept helping me..great techie.
 
rfc1180 commented:
Sorry, I have a full-time job, so that is priority; glad you got your question answered
 
ri95 (Author) commented:
Thanks Billy,
You got things rolling....