traffic between their credit card terminal and the processor should be end-to-end encrypted. Audits of their network equipment would be required for PCI compliance *if* they were storing card info in plaintext anywhere on their LAN, which they are not.
On Wed, Oct 28, 2015 at 11:54 AM, Ken Hohhof <af...@kwisp.com> wrote:
> I have always heard of PCI compliance in terms of a business like a gas
> station where customers swipe cards at the pumps.
>
> But I have a customer with a credit card reader terminal in their office
> that is making this big fuss because they annually do a PCI audit,
> apparently to avoid a $20/month fee from their credit card processor.
> Maybe I don't even realize we pay that; there is some $200/year PCI
> compliance fee we pay.
>
> Anyway, this is not where some auditors show up, but rather a cloud-based
> scan they run from one of their computers until they pass, then they print
> out the report and send it in.
>
> And apparently the customer decided to have us replace Frontier and then
> do their annual scan the next day. They claim they passed every year
> previous; hard to believe the Frontier modem they were using as their
> router having username/password set to admin/admin was not an issue. Their
> first complaint to us was their WiFi password was not complex enough.
> Well, we just set it to what you were already using. Then they had some
> complaint about DNS.
>
> Now they are saying they have to report that we manage the router
> remotely, and that may be a problem. Is it? We close off everything but
> Winbox. It seems a lot more secure to me than having a web interface with
> admin/admin. I told the customer they are welcome to supply and manage
> their own router, but if they get a leased, managed router from us, well
> ... we manage it. Remotely.
>
> Has anyone dealt with this issue already?
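The "close off everything but Winbox" posture from the quoted message, written out as a RouterOS configuration. This is an added example, not from the thread or from any poster's router; the management subnet 203.0.113.0/24 and the host 203.0.113.10 are constructed documentation-range placeholders, and the password is a placeholder to be replaced.

```routeros
# Replace the default admin credentials first; a default login is what a
# PCI scan (or anyone on the WAN) would find before anything else.
/user set admin password="CHANGE-ME-long-random-passphrase"

# Management plane: keep only Winbox (TCP 8291) and restrict it to the
# ISP's management subnet (placeholder range). Disable every other service
# so the web UI, telnet, FTP and API are not reachable at all.
/ip service
set winbox address=203.0.113.0/24
set www disabled=yes
set www-ssl disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh disabled=yes

# Belt and braces: enforce the same restriction in the input chain so the
# service-level address filter is not the only control. The address list
# holds the management hosts allowed to reach Winbox (placeholder address).
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="ISP management host (placeholder)"

/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="Allow replies to the router's own sessions"
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept \
    comment="Winbox from management hosts only"
add chain=input protocol=tcp dst-port=8291 action=drop \
    comment="Drop Winbox from anywhere else"
add chain=input in-interface-list=WAN action=drop \
    comment="Drop all other unsolicited traffic to the router from the WAN"
```

`/ip service print` and `/ip firewall filter print` show the resulting state, which is also what an external scan of the WAN address should reflect: only TCP 8291, and only from the listed management hosts.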