Re: your last paragraph, probably because of two things... they're selling
local services, and the fraud rate for physical merchandise / card-not-present
transactions is much higher than for services definitively tied to
an address. Stolen cards are used all the time to buy laptops from online
vendors; local services like WISPs, not so much. There's also much less
possibility for a chargeback from a disgruntled customer if you have a
properly written service agreement which people sign off on when the
install happens.

On Thu, Oct 29, 2015 at 5:47 AM, Paul Stewart <p...@paulstewart.org> wrote:

> You cannot store the credit card data in clear text at all – it has to be
> in some form of encryption (which can be reversible for internal re-usage).
>
> There are different levels to PCI compliance .. all of them are a PITA
>
> Someone mentioned the $1k/annual McAfee option – that’s a really cheap
> option but I would talk with the folks involved on the customer side to see
> if it’s worth it .. if all of this is over $20/month I’d pay the monthly
> fee (if in fact they are going to charge it) and leave the situation alone
>
> I know of a few companies that should be “level 1” on PCI compliance due
> to their volume and have managed to avoid any sort of PCI compliance
> requirements – mainly because of very limited chargebacks, very limited
> fraud issues etc. As soon as one or both of those issues start to break a
> certain percentage of overall sales (usually 2% I’ve heard) then you start
> to “get on the radar”.
>
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Eric Kuhnke
> Sent: Wednesday, October 28, 2015 5:48 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] PCI compliance and managed router
>
> Traffic between their credit card terminal and the processor should be
> end-to-end encrypted. Audits of their network equipment would be required
> for PCI compliance *if* they were storing card info in plaintext anywhere
> on their LAN, which they are not.
>
> On Wed, Oct 28, 2015 at 11:54 AM, Ken Hohhof <af...@kwisp.com> wrote:
>
> I have always heard of PCI compliance in terms of a business like a gas
> station where customers swipe cards at the pumps.
>
> But I have a customer with a credit card reader terminal in their office
> that is making this big fuss because they annually do a PCI audit,
> apparently to avoid a $20/month fee from their credit card processor.
> Maybe I don't even realize we pay that; there is some $200/year PCI
> compliance fee we pay.
>
> Anyway, this is not a case where some auditors show up, but rather a
> cloud-based scan they run from one of their computers until they pass;
> then they print out the report and send it in.
>
> And apparently the customer decided to have us replace Frontier and then
> do their annual scan the next day. They claim they passed every year
> previous; hard to believe the Frontier modem they were using as their
> router, with username/password set to admin/admin, was not an issue. Their
> first complaint to us was their WiFi password was not complex enough.
> Well, we just set it to what you were already using. Then they had some
> complaint about DNS.
>
> Now they are saying they have to report that we manage the router
> remotely, and that may be a problem. Is it? We close off everything but
> Winbox. It seems a lot more secure to me than having a web interface with
> admin/admin. I told the customer they are welcome to supply and manage
> their own router, but if they get a leased, managed router from us, well
> ... we manage it. Remotely.
>
> Has anyone dealt with this issue already?
>
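One concrete way to do the "close off everything but Winbox" that Ken describes, written up as an added example (it is not config from anyone in this thread). It assumes a MikroTik running RouterOS 6.41 or later, ether1 as the WAN port, and 198.51.100.0/24 as a placeholder for the WISP's management network; the factory admin/admin state is shown in comments only, for contrast.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.41+, ether1 = WAN,
# 198.51.100.0/24 = the WISP's management subnet (placeholder value).

# The weak state an external PCI scan would flag: web UI reachable from
# anywhere with the factory admin/admin login (for contrast, do NOT apply):
#   /ip service set www disabled=no address=""
#   /user set admin password=admin

# 1. No default credentials: rename the built-in account and set a strong
#    password (set the real password interactively, not in a saved script).
/user set admin name=netops password="CHANGE-ME-placeholder"

# 2. Turn off every management service except Winbox.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh disabled=yes
# Winbox stays up, but only answers the management subnet.
set winbox disabled=no port=8291 address=198.51.100.0/24

# 3. Firewall the router itself: allow replies, the customer LAN, and Winbox
#    from the management list; drop everything else arriving on the WAN port.
/ip firewall address-list add list=mgmt address=198.51.100.0/24
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt comment="winbox from WISP NOC"
add chain=input action=accept in-interface=!ether1 comment="customer LAN"
add chain=input action=drop in-interface=ether1 comment="everything else from the WAN"

# 4. Close the side doors: MAC-telnet/MAC-Winbox and neighbor discovery are
#    layer-2 management paths that bypass the IP rules above.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
```

After this, the processor's external scan against the customer's WAN address should see no listening management ports at all, and Winbox is reachable only from the management subnet; the input rules must stay in this order for the drop rule to be the last word.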
