Solved

Securing Credit Card processing

Posted on 2011-03-14
17
530 Views
Last Modified: 2012-05-11
We use a POS system in our restaurant and it will also do Room charges for our hotel. It sends a room charge via a serial connection to our other Hotel network. The hotel network picks it up and applies the charge to the proper room. Credit Card processing is handled on the Hotel Server. I am trying to be sure the processing is secure. Is the serial port connection a threat?
Question by:ri95
17 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 35130811
The serial port is not secure unless the software/hardware is performing encryption. That is dependent upon the equipment, but by design there is no encryption.

Billy
0
 

Author Comment

by:ri95
ID: 35130839
So an intruder could find his way to the port through the machine which receives it...is that correct? Unless the information is encrypted...I would remain at risk.
Any idea how I should plug that hole?
Thanks for quick response.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35131614
>So an intruder could find his way to the port through the machine which receives it...is that correct?
>Unless the information is encrypted...I would remain at risk.

Well, the only way would be to secure it via the application (Layer 6, the presentation layer), which would handle the encryption. Contact the vendor to provide support for encryption, or use a CC Processing machine that is IP and use IPSEC to encrypt it. You also could use hardware cryptors that go inline, but they are too easy to circumvent; still, it is an option too. You could always use serial to IP converters and then utilize IPSEC to encrypt the data via IP.

Billy
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35132090
PCI requires that all credit card transactions are encrypted.
Magtek has card readers / pin pads that encrypt the data on the device.
0
 

Author Comment

by:ri95
ID: 35132852
The information coming on serial port is Room number and name and amounts charged - no credit card info. I am worried about an intruder reaching into the network where credit card info is stored....
0
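The thread's reasoning rests on the serial link carrying only room number, name and amount, never card data. An added example (not from the thread or its POS vendor) that audits captured room-charge records for anything that looks like a card number, using a Luhn check so that ordinary digit runs are not flagged. The record layout and the sample records are constructed assumptions; only masked values are ever reported.

```python
import re

# Constructed sample records modelled on what the thread says the serial link
# carries (room, name, amount). The field layout is an assumption.
SAMPLE_RECORDS = [
    "ROOM=214|NAME=Smith, J|AMOUNT=48.50",
    "ROOM=102|NAME=Doe, A|AMOUNT=12.00",
    # constructed bad record: a test card number leaked into the name field
    "ROOM=305|NAME=4111111111111111|AMOUNT=99.99",
    # 16 digits that fail the Luhn check: a reference number, must not be flagged
    "ROOM=118|NAME=Ref 1234567890123456|AMOUNT=5.00",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits so a finding can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(record):
    """Return masked card-like numbers found in one serial record."""
    found = []
    for m in DIGIT_RUN.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def audit(records):
    """List (record index, masked PANs) for every record that carries card data."""
    return [(i, find_pans(r)) for i, r in enumerate(records) if find_pans(r)]
```

A clean run returns an empty list; any finding means cardholder data is crossing the unencrypted serial link and the PCI scope of that link changes.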
 

Author Comment

by:ri95
ID: 35132903
Billy, then from what you are saying - the serial connection would be ok for two reasons...
1. It does not have cc info, only room number, amounts charged and maybe a name.
2. The CC processing is all compliant and encrypted.

I was worried that an intruder on the other network might make their way back to the separate network where the cc processing info is held.

So
Wan ->Router -> Switch ->Lan and with VPN ->Switch -> Other Lan should be OK

What do you think?
0
 

Author Comment

by:ri95
ID: 35132929
The serial goes to Hotel Application - application records it in a database...when the cards are charged - the data is encrypted and goes through IP to Processor.

The POS system uses a separate CC processing software which can go by IP or Modem.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35133599
And of course, for security reasons, any 'guest' internet access should be on a completely separate network
0

Author Comment

by:ri95
ID: 35134251
Yes,
DSL->VPN Wireless Router (only two people, Boss & Mgr, with MAC Address Filter use this Wireless)->Switch to Hotel Network 172.16.1.xxx->AP for Guests 10.10.10.xxx
VPN only way to connect to POS network (on separate switch) 192.168.2.xxx->Wireless AP on same Subnet for Handheld POS unit for use outdoors
Only 5 VPN Connections
One outside connection to Hotel Network (Acctg PC and Boss PC) using LogMeIn connection
Web Server for Hotel Booking - it connects directly to VPN Router and also connects to Hotel Server for Booking Database access (DCOM)
LogMeIn for Access on this one also.

AV on each computer
One computer to handle Credit Card Transactions - used for nothing else.
I can't determine if I should have it do all cc processing or just the Hotel credit cards. POS uses a different processor...sends via dialup or modem.

Does this sound viable? I need to implement it soon.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35134629
Looks like you have everything under control.

The only thing I would mention is to look into the POS dialup via modem, it's older technology that just slows down the customer interaction.
Check for newer software and/or hardware that uses your existing internet connection; you can always keep the dialup as a backup.
0
 

Author Comment

by:ri95
ID: 35134736
Do you think it will be PCI compliant?
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35136994
Given all the info posted, I would think so.
0
 

Author Comment

by:ri95
ID: 35137668
kdearing...thanks for sticking with me. Would you please look at my plan?
NAT-Network-Plan.pdf
0
 
LVL 13

Accepted Solution

by: kdearing (earned 500 total points)
ID: 35138392
Just a couple of notes:

- For staff wireless: use WPA2, it is more secure

- For guest access: if you're going to use the same internet circuit, make sure the guest network is connected to the DMZ of the firewall to prevent access to the internal network

0
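The accepted answer's point is that the guest network must not be able to reach the internal hotel network where the card-processing PC lives, and the asker's plan says the VPN is the only way into the POS network. An added example (not from the thread) that encodes the plan's three subnets as zones with an explicit allow-list and checks that only the expected paths reach the card-processing host; the /24 masks, the card-processing host address and the "vpn" pseudo-zone are assumptions.

```python
import ipaddress

# Subnets quoted in the thread; the /24 masks are an assumption
ZONES = {
    "hotel": ipaddress.ip_network("172.16.1.0/24"),
    "guest": ipaddress.ip_network("10.10.10.0/24"),
    "pos": ipaddress.ip_network("192.168.2.0/24"),
}
INTERNET = "internet"
# Constructed address for the dedicated card-processing PC on the hotel network
CC_HOST = "172.16.1.50"

# Allowed (source zone, destination zone) pairs; anything not listed is denied.
# "vpn" is a pseudo-zone for sessions that arrive through the VPN router.
ALLOW = frozenset({
    ("hotel", INTERNET), ("pos", INTERNET), ("guest", INTERNET),
    ("vpn", "pos"), ("vpn", "hotel"),
})


def zone_of(ip):
    """Map an address to one of the plan's zones, the internet, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        return INTERNET
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def allowed(src, dst, rules=ALLOW, via_vpn=False):
    """True when the policy lets src talk to dst; same-zone traffic never hits the firewall."""
    s = "vpn" if via_vpn else zone_of(src)
    d = zone_of(dst)
    return s == d or (s, d) in rules


def check_policy(rules=ALLOW):
    """Return a finding for every zone outside 'hotel' that can reach the card host directly."""
    findings = []
    for name, net in ZONES.items():
        if name != "hotel" and allowed(str(net[10]), CC_HOST, rules):
            findings.append(f"{name} zone can reach card-processing host")
    return findings
```

Adding a ("guest", "hotel") pair to the allow-list, which is what a guest AP hanging off the internal switch instead of the DMZ amounts to, produces a finding immediately.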
 

Author Closing Comment

by:ri95
ID: 35139317
Stuck with me and kept helping me... great techie.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35144761
Sorry, I have a full-time job, so that is priority; glad you got your question answered
0
 

Author Comment

by:ri95
ID: 35146942
Thanks Billy,
You got things rolling....
0