Re: [OFF] PCI/DSS compliance
FREEZE your credit at all credit reporting agencies!

> On Sep 8, 2017, at 4:23 PM, Chip Scheide wrote:
>
>> I find the idea that it is necessary to implement PCI ironic, when
>> Equifax just lost the SS numbers, and other personal data of over
>> 140,000,000 people.
>
> I checked the website they published and it says my information was
> stolen. So now I have to wait until 9/12/17 and then go back to the
> website and enroll in their free identity theft coverage.
>
> The company that reports how good your credit is will now be the one
> that destroys your credit rating. And there’s nothing you can do
> about it. Isn’t this nice.
>
> Tim
>
> Tim Nevels
> Innovative Solutions
> 785-749-3444
> timnev...@mac.com

Hell is other people
Jean-Paul Sartre

**
4D Internet Users Group (4D iNUG)
FAQ: http://lists.4d.com/faqnug.html
Archive: http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
**
Re: [OFF] PCI/DSS compliance
Consumer Reports says, "A massive data breach at Equifax compromised sensitive data for nearly half of all U.S. consumers — including names, social security numbers, birth dates, addresses, and the numbers of some driver's licenses. Hundreds of thousands of credit card numbers were also compromised. Now millions of Americans could be at risk for identity theft. To make matters worse, Equifax responded by sending consumers to a website where, by signing up for credit monitoring services, they could waive their legal rights to ever take Equifax to court, for any problem."

Paul Ringsmuth

> On Sep 8, 2017, at 7:51 PM, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> I checked the website they published and it says my information was stolen.
> So now I have to wait until 9/12/17 and then go back to the website and
> enroll in their free identity theft coverage.
>
> The company that reports how good your credit is will now be the one that
> destroys your credit rating. And there’s nothing you can do about it. Isn’t
> this nice.
>
> Tim
Re: [OFF] PCI/DSS compliance
Experian did this as well (on a smaller scale) a few years ago. Same response, "sorry about that, we will give you a year of free credit monitoring". When I looked into what they asked for to sign up for "free" credit monitoring, it just looked like another opportunity to have my data hacked from another company. Instead I just froze my credit. The irony is that I had to pay Experian plus the other two big credit companies $10 each to do that. What's wrong with this picture?

John DeSoi, Ph.D.

https://www.t-mobile.com/landing/experian-data-breach-faq.html

> On Sep 8, 2017, at 2:12 PM, Chip Scheide via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> I find the idea that it is necessary to implement PCI ironic, when
> Equifax just lost the SS numbers, and other personal data of over
> 140,000,000 people.
Re: [OFF] PCI/DSS compliance
On Sep 8, 2017, at 4:23 PM, Balinder Walia wrote:

> ...and Equifax data breach included credit card numbers too.

The credit card companies will have to eat all of this. At least in America, if you report your credit card has been stolen, they will remove any bogus charges. It is a pain-in-the-ass and wastes your time, but in the end you will not be out any money.

(Speaking from experience. I had my wallet stolen in Rome earlier this year and had to go through all of the mess of canceling and getting new cards. No money lost, but a lot of inconvenience and phone calls to clear it all up.)

Tim

Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
Re: [OFF] PCI/DSS compliance
On Sep 8, 2017, at 4:23 PM, Chip Scheide wrote:

> I find the idea that it is necessary to implement PCI ironic, when
> Equifax just lost the SS numbers, and other personal data of over
> 140,000,000 people.

I checked the website they published and it says my information was stolen. So now I have to wait until 9/12/17 and then go back to the website and enroll in their free identity theft coverage.

The company that reports how good your credit is will now be the one that destroys your credit rating. And there’s nothing you can do about it. Isn’t this nice.

Tim

Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
Re: [OFF] PCI/DSS compliance
Compliance consisted of answering an online questionnaire and passing the scan. Not storing customer credit card information made a big difference in lowering the "level" of security that we had to meet (Equifax level). It made the questionnaire part much easier to pass.

Our cable modem sends all traffic to the AirPort, which has the outside IP address on the WAN port. It forwards the VPN packets to the macOS Server which has the VPN service turned on. I rechecked and there is no forwarding of the credit card machine ports. It seems the presence of the VPN was the trick.

Keith - CDI

> On Sep 8, 2017, at 1:38 PM, Kirk Brooks via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> Hi Keith,
> I'm just getting back around to this - I like the idea of a VPN. I have
> three locations I need to accommodate and have to admit I haven't done
> anything with a VPN so if you'll allow me to ask some pretty naive
> questions:
>
> Did you set up the VPN just within the router or get an actual VPN service
> to connect to?
>
> I actually wanted to get some DSL lines but at a couple of locations ATT
> won't even install copper lines anymore.
>
> Were you involved in the overall PCI certification process?
> I'm wondering about stuff like the internal paper handling aspects of the
> deal. Any insight is welcome.
>
> Thanks much!
Re: [OFF] PCI/DSS compliance
Guess they weren’t PCI compliant…

PCI compliance is a huge pain. I highly recommend taking the route of not doing charges in-house. It avoids most of the issues.

Sannyasin Siddhanathaswami

On Sep 8, 2017, 9:17 AM -1000, wrote:

> I find the idea that it is necessary to implement PCI ironic, when
> Equifax just lost the SS numbers, and other personal data of over
> 140,000,000 people.
Re: [OFF] PCI/DSS compliance
...and Equifax data breach included credit card numbers too.

On Fri, 8 Sep 2017 at 20:17, Chip Scheide via 4D_Tech <4d_tech@lists.4d.com> wrote:

> I find the idea that it is necessary to implement PCI ironic, when
> Equifax just lost the SS numbers, and other personal data of over
> 140,000,000 people.
Re: [OFF] PCI/DSS compliance
I find the idea that it is necessary to implement PCI ironic, when Equifax just lost the SS numbers, and other personal data of over 140,000,000 people.

On Fri, 8 Sep 2017 11:38:38 -0700, Kirk Brooks via 4D_Tech wrote:

> Hi Keith,
> I'm just getting back around to this - I like the idea of a VPN. I have
> three locations I need to accommodate and have to admit I haven't done
> anything with a VPN so if you'll allow me to ask some pretty naive
> questions:
>
> Did you set up the VPN just within the router or get an actual VPN service
> to connect to?
>
> I actually wanted to get some DSL lines but at a couple of locations ATT
> won't even install copper lines anymore.
>
> Were you involved in the overall PCI certification process?
> I'm wondering about stuff like the internal paper handling aspects of the
> deal. Any insight is welcome.
>
> Thanks much!

---
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing
Re: [OFF] PCI/DSS compliance
Hi Keith,

I'm just getting back around to this - I like the idea of a VPN. I have three locations I need to accommodate and have to admit I haven't done anything with a VPN so if you'll allow me to ask some pretty naive questions:

Did you set up the VPN just within the router or get an actual VPN service to connect to?

I actually wanted to get some DSL lines but at a couple of locations ATT won't even install copper lines anymore.

Were you involved in the overall PCI certification process? I'm wondering about stuff like the internal paper handling aspects of the deal. Any insight is welcome.

Thanks much!

On Thu, Sep 7, 2017 at 1:51 PM, Keith Culotta via 4D_Tech <4d_tech@lists.4d.com> wrote:

> Kirk,
>
> I can't say that I understand the nuances of the system to the point of
> having any details to contribute, but after lots of trying to figure it out
> the thing that finally allowed us to pass the scan was to use a VPN. We
> open only the VPN ports and the ports required by the credit card machines.
> We use the Apple Server's VPN and an AirPort Extreme.
>
> I did not think to ask the compliance people if I could register the
> standard 4D ports with them so that having those ports open would not
> trigger a violation. On the other hand, I think I read that credit card
> machines are supposed to be on a separate network anyway. A low speed DSL
> would work.
>
> Keith - CDI

--
Kirk Brooks
San Francisco, CA
===

*The only thing necessary for the triumph of evil is for good men to do nothing.*

*- Edmund Burke*
Re: [OFF] PCI/DSS compliance
Kirk,

I can't say that I understand the nuances of the system to the point of having any details to contribute, but after lots of trying to figure it out the thing that finally allowed us to pass the scan was to use a VPN. We open only the VPN ports and the ports required by the credit card machines. We use the Apple Server's VPN and an AirPort Extreme.

I did not think to ask the compliance people if I could register the standard 4D ports with them so that having those ports open would not trigger a violation. On the other hand, I think I read that credit card machines are supposed to be on a separate network anyway. A low speed DSL would work.

Keith - CDI

> On Sep 7, 2017, at 2:46 PM, Kirk Brooks via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> If anyone has experience with successfully completing a PCI/DSS audit and
> certification for your network, not just the 4D part, I would really
> appreciate talking with you. Ping me off line.
>
> Thanks
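Keith's two messages in this thread (the one just above, and his follow-up earlier on the page describing the cable modem, the AirPort on the WAN address and the macOS Server behind it) describe the same shape of setup: only the VPN is reachable from outside, the card terminals' ports and the 4D ports are not forwarded, and the external scan then passes. The script below is an added example, not code from this thread, from 4D or from Apple, of the check that is effectively behind that result: an allowlist audit of an external port scan. Everything specific in it is an assumption made for the example: the allowed set (UDP 500/1701/4500 for L2TP/IPsec and TCP 1723 for PPTP, the two VPN types macOS Server offered), the 4D defaults 19813 and 19812 used only to label a finding, and the scan text, which is constructed to look like nmap's normal output.

```python
"""Allowlist audit of an external port scan.

Added example for this thread: not code from the list, from 4D, or from Apple.
Assumptions, all labelled as such:
  - macOS Server's VPN service is taken to be L2TP/IPsec (UDP 500, 1701, 4500),
    with PPTP (TCP 1723) optionally enabled; anything else reachable from the
    WAN side is a finding.  IPsec ESP is IP protocol 50, not a port, so a
    port list cannot see it and it is out of scope here.
  - 4D Server is assumed to default to TCP 19813 (application) and 19812 (SQL);
    they are listed only so that a finding on them gets a meaningful label.
  - The scan text is constructed to look like nmap's normal output.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

PortKey = Tuple[int, str]

# (port, protocol) pairs that are supposed to be reachable on the WAN address.
ALLOWED: Set[PortKey] = {
    (500, "udp"),   # IKE
    (1701, "udp"),  # L2TP
    (4500, "udp"),  # IPsec NAT-T (what is visible behind an AirPort doing NAT)
    (1723, "tcp"),  # PPTP control channel, only if that VPN type is enabled
}

# Services that must never be exposed, with a label for the report (assumed defaults).
KNOWN_INTERNAL: Dict[PortKey, str] = {
    (19813, "tcp"): "4D Server application port",
    (19812, "tcp"): "4D Server SQL port",
    (5900, "tcp"): "VNC / Screen Sharing",
    (548, "tcp"): "AFP file sharing",
    (22, "tcp"): "SSH",
}

# nmap normal output: "19813/tcp open  unknown" or "500/udp open|filtered isakmp".
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s*(\S*)")


class Finding(NamedTuple):
    port: int
    proto: str
    state: str
    label: str


def parse_scan(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for each port line in the scan text;
    header lines and anything else that is not a port line are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def audit(text: str, allowed: Set[PortKey] = ALLOWED,
          internal: Dict[PortKey, str] = KNOWN_INTERNAL) -> List[Finding]:
    """Every port reported as open (nmap reports UDP as open|filtered when it
    gets no reply) that is not on the allowlist is a finding."""
    findings: List[Finding] = []
    for port, proto, state, service in parse_scan(text):
        if not state.startswith("open"):
            continue  # closed or filtered means not exposed
        if (port, proto) in allowed:
            continue
        label = internal.get((port, proto), service or "unexpected service")
        findings.append(Finding(port, proto, state, label))
    return findings


def missing_allowed(text: str, allowed: Set[PortKey] = ALLOWED) -> Set[PortKey]:
    """Allowed ports the scanner did not see open.  A scan with no findings but
    no VPN visible either means the forwarding rule is wrong, not that the
    setup is correct."""
    seen = {(p, pr) for p, pr, st, _ in parse_scan(text) if st.startswith("open")}
    return set(allowed) - seen


# Constructed sample: the intended VPN-only exposure plus one forwarding mistake.
SAMPLE_SCAN = """\
Nmap scan report for 203.0.113.10
PORT      STATE         SERVICE
500/udp   open|filtered isakmp
1701/udp  open|filtered l2tp
4500/udp  open|filtered nat-t-ike
1723/tcp  open          pptp
19813/tcp open          unknown
80/tcp    closed        http
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"FAIL {f.port}/{f.proto} {f.state}: {f.label}")
    for port, proto in sorted(missing_allowed(SAMPLE_SCAN)):
        print(f"NOTE {port}/{proto} is allowed but was not seen open")
```

Feed it the saved output of a scan of the WAN address run from outside the network (for nmap, a TCP connect scan plus a UDP scan over all ports), and treat it as a pre-check, not a substitute for the ASV scan: the ASV also fingerprints service versions and flags weak protocols, and PPTP in particular (MS-CHAPv2) is considered broken and is likely to be reported even though it is on the allowlist here.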
[OFF] PCI/DSS compliance
If anyone has experience with successfully completing a PCI/DSS audit and certification for your network, not just the 4D part, I would really appreciate talking with you. Ping me off line.

Thanks

--
Kirk Brooks
San Francisco, CA
===

*The only thing necessary for the triumph of evil is for good men to do nothing.*

*- Edmund Burke*