I am currently going through a PCI compliance project and found one business process that has turned into a difficult situation to resolve.
We have private dining events with large clients that may reserve several of our locations and other fine dining establishments. The central client responsible for coordinating everything generates single user credit card numbers for each location and (from what I'm told) emails those CC numbers to our corporate location and/or each individual location for payment processing.
Anyone familiar with PCI will know why this is a major issue in itself, but the business is not willing to change their business processes because the client has informed us they do this same process with every other fine dining establishment without issue. This is hard to understand as all of these other establishments fall under the same if not more strict PCI regulations.
Right now we're contemplating building a completely separate AD/Exchange environment for just the people involved with that business process, which will have all drive volumes encrypted, a separate internet connection, firewall, etc., with their only access being via webmail.
Needless to say, our auditors have been less than helpful with other solutions, and I'm definitely not in favor of maintaining a separate environment for this purpose. Does anyone who has dealt with PCI requirements have any suggestions or experiences with this type of scenario? Ideas? Solutions?
Any assistance would be appreciated.