Thanks to everyone for all the input. Just to answer a few questions:
These are a bunch of Burger King restaurants. The reason this came up
is because they just hit $1 million of annual transactions. The data
is not stored but is processed through from the card swipe machines
over the internet to the processor. AFAIK, the data is encrypted.
There is a Manager's workstation at each store that I set up years ago
to connect to the head office via VPN over Qwest's DSL. Qwest has
suggested they upgrade the Motorola DSL modems to an Adtran unit.
Thanks again!
-RickG
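Added example (not from RickG, Eje, Qwest or WISPA) of the "software, hardware or both" firewall point: a default-deny iptables ruleset for a small Linux box sitting between the DSL modem and the store LAN, printed for review rather than applied. Interface names, subnets, the head-office VPN endpoint, the processor address and the terminal addresses are hypothetical placeholders, and the head-office VPN is assumed to be IPsec.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny iptables policy for a small
# Linux box placed between the DSL modem and the store LAN. It PRINTS the rules
# rather than applying them, so they can be reviewed first and then piped to sh.
# All addresses and interface names below are hypothetical placeholders.

WAN_IF="eth0"                  # toward the DSL modem
LAN_IF="eth1"                  # store LAN (manager's workstation + card terminals)
MANAGER_PC="192.168.10.10"     # placeholder: manager's workstation
VPN_PEER="203.0.113.10"        # placeholder: head-office VPN endpoint (IPsec assumed)
PROCESSOR="198.51.100.20"      # placeholder: card processor gateway
TERMINALS="192.168.10.50 192.168.10.51"   # placeholder: card swipe terminals

store_firewall_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $MANAGER_PC -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $MANAGER_PC -d $VPN_PEER -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $MANAGER_PC -d $VPN_PEER -p esp -j ACCEPT
EOF
    # Each card terminal may only reach the processor, and only over TLS (443).
    for t in $TERMINALS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $t -d $PROCESSOR -p tcp --dport 443 -j ACCEPT"
    done
    # Log whatever else tries to leave or enter the store LAN before the DROP policy eats it.
    cat <<EOF
iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix "STORE-FW-DROP: " --log-level 4
iptables -A FORWARD -i $WAN_IF -j LOG --log-prefix "STORE-FW-INBOUND: " --log-level 4
EOF
}

# Review check used before applying: INPUT and FORWARD must default to DROP, and
# every ACCEPT leaving the LAN must name a specific destination (no "anywhere").
ruleset_is_default_deny() {
    rules=$(store_firewall_rules)
    drops=$(printf '%s\n' "$rules" | grep -Ec '^iptables -P (INPUT|FORWARD) DROP$')
    open=$(printf '%s\n' "$rules" | grep "^iptables -A FORWARD -i $LAN_IF" \
           | grep -- '-j ACCEPT' | grep -vc -- '-d ' || true)
    [ "$drops" -eq 2 ] && [ "$open" -eq 0 ]
}

store_firewall_rules
```

Run it once to read the rules, then `sh rules.sh | sudo sh` on the firewall box; the LOG lines are what you grep in syslog to spot a terminal or workstation talking to anything other than the processor or head office.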

On Fri, Apr 2, 2010 at 11:01 AM, Eje Gustafsson <e...@wisp-router.com> wrote:
> PCI compliance only applies to the section of the network where YOU process and
> possibly store credit card information. If you have no over-the-net
> processing and don't store credit cards then it's easy. You fill out the
> form for terminal processing and just need to make sure the terminal itself
> is in a "secured supervised" location, and acknowledge that credit cards are not
> saved or stored. If you save and store credit cards you need to certify that
> you are not storing the whole magnetic stripe info or security codes for the
> cards.
> If things are done on a computer you have a more complex questionnaire to fill
> out. Is credit card info stored? If it is stored electronically the
> server needs to be protected by some form of firewall and only people with a
> need to know should be able to access the credit card details, part of the
> card number should be blanked out on display, and no security codes are allowed
> to be stored. I assume your workstations and servers are on a separate
> segment of your network and should be protected with a firewall against any
> outside access (in the ISP case that also includes access from your
> customers and not only from the internet itself). If you have a wireless
> access point on that network segment it needs to be secured and only allow
> specific access from allowed devices and some form of encryption on any
> communication that reads/writes credit card details. The database (or wherever
> your credit cards are stored) needs to be secured.
> If processing credit cards over the net you should have an end-to-end secure
> connection from your customer's computer to the credit card gateway
> processor. So basically the web page where the customer keys in info needs to be
> secured by either SSL or some other method that sends the data in an encrypted,
> secured format. From your server to the processor the data also needs to be
> secured (no processor I am aware of even accepts an unsecure submission of credit
> card details so this shouldn't be a problem on that basis).
>
> You also need to make sure that physical access to terminal and servers that
> process and store credit cards is secured.
>
> Also in the questionnaire it's asked if you have policies in place for how to
> handle and treat credit cards, who has access to them and what to do if
> any kind of breach would happen.
>
> The PCI compliance is pretty open and for the most part doesn't have specific
> requirements when it comes to firewalls, how or what. If you store data and
> process data on a computer that computer needs to be protected both
> physically and virtually. Virtually can be a software firewall on the
> machine itself or it can be a hardware based firewall in front of the
> machine.
>
> Basically PCI compliance is all about common sense: ensure your servers are
> safe from any type of intrusion or theft, don't write down credit cards on
> scrap paper that is thrown in the trash, and only allow access to credit card
> info to the people that have to have access to it.
>
> There are different levels and types of PCI compliance depending on how you
> process credit cards. Worst case scenario is if you have a regular credit
> card terminal or process credit cards across the network on e-commerce
> type software (be it home written or professionally developed) and even
> worse if you store credit card details.
> Once you start filling out the questionnaire things will more than likely
> become a bit clearer for you.
> If you store and process credit cards on a computer then you also need to
> have a company doing a PCI scan of your server to ensure "hacker
> proof" status. It will look for port vulnerabilities and web application
> security issues.
>
> https://www.pcisecuritystandards.org/saq/index.shtml
>
> For most people a self assessment is enough (except for server scanning
> where an approved company needs to be used). If your company processes a LOT
> of credit cards per year no external auditor needs to be hired (not even my
> company reaches the level where an external auditor is required but we have
> to file twice annually because of our volume while most WISPs I would dare
> to say would only be a level 4 which is the lowest level and would only need
> to file once a year).
>
> / Eje
>
> -----Original Message-----
> From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
> Behalf Of RickG
> Sent: Friday, April 02, 2010 1:21 AM
> To: WISPA General List
> Subject: [WISPA] PCI Compliance
>
> Email from my brother:
>
> Just got a letter from our credit card processor and we need to become
> PCI compliant. I noticed these routers I'm using from Qwest don't have
> a firewall. Do I go software, hardware or both? Here is the link for
> our routers.
> http://www.qwest.com/internethelp/modems/motorola-3347/modemDetail_3347installation.html
>
> He handles IT for 27 BKs in Denver. Thoughts?
>
>
> ----------------------------------------------------------------------------
> ----
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> ----------------------------------------------------------------------------
> ----
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
