PCI compliance

Hi Experts,

We mainly offer workstation and server support in the UK. The client here has broadband with another supplier, and we supplied the router only. However, we have now been asked to complete a comprehensive questionnaire for PCI compliance (credit card payments). We are wondering how to respond because it's fairly involved. Any advice please?

Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?

Is there a process to ensure the diagram is kept current?

Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?

Is the current network diagram consistent with the firewall configuration standards?

Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each?

Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?

Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?

Is all other inbound and outbound traffic specifically denied (for example by using an explicit "deny all" or an implicit deny after allow statement)?

Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?

Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
(For example, block traffic originating from the internet with an internal address.)

Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

Are only established connections permitted into the network?

Are only trusted keys and/or certificates accepted?

Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?

Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?

For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?
For example, for browser-based implementations:
"HTTPS" appears as the browser Universal Record Locator (URL) protocol, and
Cardholder data is only requested if "HTTPS" appears as part of the URL.

Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?

Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

Is there a process to identify security vulnerabilities, including the following:
   Using reputable outside sources for vulnerability information?
   Assigning a risk ranking to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities?

Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

Are critical security patches installed within one month of release?

Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?

Does penetration testing to verify segmentation controls meet the following?
   Performed at least annually and after any changes to segmentation controls/methods
   Covers all segmentation controls/methods in use
   Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
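The firewall items in the questionnaire (explicit deny-all, a documented list of approved ports, anti-spoofing on the Internet-facing interface, only established connections permitted inbound) can be checked mechanically against a router's exported ruleset. The script below is an added example and is not part of this thread, the questionnaire, or any DrayTek tooling; it audits iptables-save output, assumes `eth0` is the WAN interface, and uses two constructed rulesets and a constructed approved-ports list to show what a failing and a passing configuration look like.

```python
"""Audit an iptables-save ruleset against the questionnaire's firewall items:
explicit deny-all, documented/approved ports only, anti-spoofing on the
Internet-facing interface, and stateful (established-only) inbound traffic.
Added example; the rulesets below are constructed, not from any real client."""
import ipaddress
import re
from typing import List

WAN_IFACE = "eth0"  # assumption: the router's Internet-facing interface
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Documented list of services/ports with business justification (constructed)
APPROVED_PORTS = {
    ("tcp", "443"): "HTTPS to the card-payment gateway",
    ("udp", "53"): "DNS resolution",
}

# Constructed permissive ruleset: the kind of configuration the questions flag
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
COMMIT
"""

# Constructed hardened ruleset that answers "yes" to the items
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""


def audit(ruleset: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    rules = [line for line in ruleset.splitlines() if line.startswith("-A ")]

    # 1. Explicit deny-all: chain default policies must be DROP
    policies = dict(re.findall(r"^:(INPUT|FORWARD|OUTPUT) (\w+)", ruleset, re.M))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain)}, "
                            "not DROP (no explicit deny-all)")

    # 2. Anti-spoofing: private source ranges dropped on the WAN interface
    blocked = set()
    for rule in rules:
        m = re.match(r"-A INPUT -i (\S+) -s (\S+) -j DROP$", rule)
        if m and m.group(1) == WAN_IFACE:
            blocked.add(ipaddress.ip_network(m.group(2)))
    for net in PRIVATE_NETS:
        if not any(net.subnet_of(b) for b in blocked):
            findings.append(f"no anti-spoofing rule dropping {net} on {WAN_IFACE}")

    # 3. Only established connections permitted in: stateful ACCEPT on INPUT
    if not any(r.startswith("-A INPUT") and "--ctstate" in r
               and "ESTABLISHED" in r and "-j ACCEPT" in r for r in rules):
        findings.append("no stateful ESTABLISHED,RELATED rule on INPUT")

    # 4. Every opened port must be on the documented, approved list
    for rule in rules:
        m = re.search(r"-p (\w+) --dport (\d+)", rule)
        if m and "-j ACCEPT" in rule and (m.group(1), m.group(2)) not in APPROVED_PORTS:
            findings.append(f"{m.group(1)}/{m.group(2)} accepted but not on the "
                            "documented services list")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "OK")
```

Run it against `iptables-save` output from the actual router and the findings map one-to-one onto the questionnaire items; keeping `APPROVED_PORTS` under version control is also a simple way to satisfy the "documented list of services, protocols, and ports with business justification" item.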
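The transmission items (only trusted keys and certificates accepted, no insecure protocol versions or configurations, proper encryption strength, TLS whenever cardholder data is sent) are decided by how the client software configures its TLS stack. The following is an added example, not code from this thread or from any payment-processing product: it builds a compliant client configuration with Python's standard `ssl` module, contrasts it with a constructed weak configuration, and audits either one against those items.

```python
"""Build a TLS client configuration that answers the questionnaire's
transmission items (only trusted certificates, no insecure protocol versions,
adequate cipher strength) and audit an arbitrary SSLContext against them.
Added example using only the standard library's ssl module."""
import ssl
from typing import List


def secure_client_context() -> ssl.SSLContext:
    """Context for sending cardholder data to a payment gateway over HTTPS."""
    # create_default_context() loads the system CA store, requires a valid
    # certificate chain and checks the hostname against it
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    # forward-secret AEAD suites only; TLS 1.3 suites are unaffected by this list
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: a 'just make the error go away' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, trusted or not
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                            # some OpenSSL builds refuse pre-1.2 minimums
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for the questionnaire items; an empty list means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified; untrusted certificates accepted")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} "
                        "allows insecure TLS/SSL versions")
    weak = sorted({c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < 128})
    if weak:
        findings.append("cipher suites below 128-bit strength enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("secure:", audit_context(secure_client_context()) or "OK")
    print("weak:", audit_context(weak_client_context()))
```

Any application that sends a PAN should be using a context equivalent to `secure_client_context()`; `audit_context()` is the kind of check to run in code review or a startup self-test so that a later "fix" disabling verification is caught before it reaches the cardholder data environment.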
Lucas Bishop (Marketing Technologist) commented:
If all you have supplied to a client is a router, I fail to see how you are needing to be PCI compliant?

PCI Compliance is generally a requirement for a business that accepts, processes and stores, sensitive payment information, like credit card data. Is that something you are involved in? Are you managing a system/server that is used for that?
There is too little detail for a fair answer. What type of business is your client?

We mainly offer workstation and server support in the UK. The client here has broadband with another supplier, and we supplied the router only.
Are you supporting their network as well? (When you say router, I am assuming it is also a firewall.) Are any of the card readers on the network? (If the card readers utilize telephone lines rather than the network, this is going to make your life far easier.)

At a minimum, you are responsible for things involving workstation security. Who their broadband provider is, is irrelevant. Who is managing the network and workstations is what matters here.

If ecommerce is at play, who is responsible for the servers and sites?

Looks like there are more parties involved, but you also have a lot more responsibility than you think.

However, without understanding your environment, we can only help so much.

unrealone1 (Author) commented:
Hi, the client is a dental practice. They take card payments after seeing patients. We supplied a DrayTek router, and the server and workstations behind that.
What I have found out is that DrayTek can assist with a preliminary check for PCI compliance from the router side, so I will speak to them today and post how that goes here.
What is the card reader attached to, a computer or the network? If it is connected to a computer, then you're going to need to be sure that the software that's processing the card is PCI compliant (that addresses quite a bit right there). If connected to the network, then there are some additional things required.

Sounds like you don't have external scans done by an ASV. Might want to look into that, in case that's necessary.
unrealone1 (Author) commented:
Thanks for the comments. I went back to the client and he has agreed to research a little further himself.