PCI compliance only applies to the section of the network where YOU process and
possibly store credit card information. If you have no over-the-net
processing and don't store credit cards then it's easy. You fill out the
form for terminal processing and just need to make sure the terminal itself
is in a "secured supervised" location, and acknowledge that credit cards are not
saved or stored. If you save and store credit cards you need to certify that
you are not storing the whole magnetic strip info or security codes for the
cards.
If things are done on a computer you have a more complex questionnaire to fill
out. Is credit card info stored? If it is stored electronically the
server needs to be protected by some form of firewall and only people with a
need to know should be able to access the credit card details; part of the
card number should be blanked out on display; no security codes are allowed
to be stored. I assume your workstations and servers are on a separate
segment of your network and should be protected with a firewall against any
outside access (in the ISP case that also includes access from your
customers and not only from the internet itself). If you have a wireless
access point on that network segment it needs to be secured and only allow
specific access from allowed devices, with some form of encryption on any
communication that reads/writes credit card details. The database (or wherever
your credit cards are stored) needs to be secured.
If processing credit cards over the net you should have an end-to-end secure
connection from your customer's computer to the credit card gateway
processor. So basically the web page where the customer keys in info needs to be secured by
either SSL or some other method that sends the data in an encrypted, secured
format. From your server to the processor the data also needs to be secured
(no processor I am aware of even accepts an unsecure submission of credit
card details so this shouldn't be a problem on that basis).

You also need to make sure that physical access to the terminals and servers that
process and store credit cards is secured.

The questionnaire also asks if you have policies in place for how to
handle and treat credit cards, who has access to them and what to do if
any kind of breach should happen.

PCI compliance is pretty open and for the most part doesn't have specific
requirements when it comes to firewalls, how or what. If you store data and
process data on a computer, that computer needs to be protected both
physically and virtually. Virtually can be a software firewall on the
machine itself or it can be a hardware-based firewall in front of the
machine.

Basically PCI compliance is all about common sense: ensure your servers are
safe from any type of intrusion or theft, don't write down credit cards on
scrap paper that is thrown in the trash, and only allow access to credit card
info to the people that have to have access to it.

There are different levels and types of PCI compliance depending on how you
process credit cards. Worst case scenario is if you have a regular credit
card terminal or process credit cards across the network on e-commerce
type software (be it home written or professionally developed), and even
worse if you store credit card details.
Once you start filling out the questionnaire things will more than likely
become a bit clearer for you.
If you store and process credit cards on a computer then you also need to
have a company do a PCI scan of your server to ensure "hacker
proof" status. It will look for port vulnerabilities and web application
security issues.

https://www.pcisecuritystandards.org/saq/index.shtml

For most people a self assessment is enough (except for server scanning,
where an approved company needs to be used). If your company processes a LOT
of credit cards per year no external auditor needs to be hired (not even my
company reaches the level where an external auditor is required, but we have
to file twice annually because of our volume, while most WISPs I would dare
to say would only be a level 4, which is the lowest level and would only need
to file once a year).

/ Eje
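As an added illustration of two of the points above (masking the card number on display, and making sure no full card numbers, magnetic strip data or security codes are sitting in logs or order notes), here is a small Python script. It is my own example, not code from Eje's message, the list, or the PCI council; the sample lines are constructed, and the card number in them is a Luhn-valid test number, not a real card. The regexes and the 13-19 digit length range are my assumptions about what a quick cardholder-data sweep should look for.

```python
import re

# Constructed sample text, the sort of lines that might turn up in a web
# server log, an order-notes field or a database export. 4111111111111111 is
# a Luhn-valid test number, not a real card.
SAMPLE_LINES = [
    "2010-04-02 01:21:05 order 1183 paid card=4111111111111111 exp=12/12 cvv=123",
    "2010-04-02 01:22:10 order 1184 paid token=tok_8f2a1c",
    "customer note: call me at 303-555-0199 about invoice 1000000000000000",
    ";4111111111111111=1212101123400000?",
]

# 13-19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run. Candidates are then filtered with the Luhn check so
# invoice numbers and timestamps are not reported.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# Magnetic strip track 2 layout: ';' PAN '=' YYMM expiry ... (full strip
# contents must never be stored).
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# A labelled 3- or 4-digit security code (CVV2/CVC/CID), which may not be
# stored at all after authorization.
CVV_RE = re.compile(r"\b(cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form: first six and last four digits, the middle blanked out."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cardholder_data(lines):
    """Return (line_number, kind, evidence) for every hit in the given lines.

    kind is 'pan' (Luhn-valid card number, reported masked), 'track2'
    (magnetic strip data) or 'cvv' (a labelled security code). The evidence
    field never contains the full card number or the code itself, so the
    report can be handed around without creating another copy of the data.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, "pan", mask_pan(digits)))
        if TRACK2_RE.search(line):
            hits.append((n, "track2", "track 2 data present"))
        for m in CVV_RE.finditer(line):
            hits.append((n, "cvv", m.group(1).upper() + " present"))
    return hits


if __name__ == "__main__":
    for line_no, kind, evidence in find_cardholder_data(SAMPLE_LINES):
        print(f"line {line_no}: {kind}: {evidence}")
```

Run against the sample, it flags the full card number and the security code on line 1 and the card number plus track 2 data on line 4, while leaving the tokenized payment, the phone number and the Luhn-invalid invoice number alone. Pointed at real log directories or a database dump, the same logic gives a quick answer to the questionnaire's "do you store card data" question before an approved scanning vendor gets involved.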

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of RickG
Sent: Friday, April 02, 2010 1:21 AM
To: WISPA General List
Subject: [WISPA] PCI Compliance

Email from my brother:

Just got a letter from our credit card processor and we need to become
PCI compliant. I noticed these routers I'm using from Qwest don't have
a firewall. Do I go software, hardware or both? Here is the link for
our routers.
http://www.qwest.com/internethelp/modems/motorola-3347/modemDetail_3347installation.html

He handles IT for 27 BK's in Denver. Thoughts?


--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/

