I'm currently doing a PCI assessment (they're small enough that they can
do a self-assessment..) for a client, and finding myself asking
questions of the standard, which I can't really find answered on
google... Wondering if anyone else has done them, who might have hit
some of the same problems...
This client has staff occasionally taking billing details over the
phone, and entering them into their billing portal for the clients who
don't want to use their credit cards 'over the internet' (Go figure,
they still end up 'over the internet' anyway, lol!) - which from the
wording of the DSS extends the CDE to staff workstations. Which then
from the DSS also means that we have to have a specific business case
for any holes we open through the firewall outbound from their
workstations - so no facebook, MSN, Skype, etc, as they're not 'needed'
for the business.. Which I can see going over like a lead balloon! I
can see that they could have a couple of PC's dedicated to being used
for billing-entry purposes - then we could keep the 'normal' staff
machines out of the defined CDE, and just have staff put the customer on
hold, walk over to that PC, take their details, then put them on hold
again, and go back to their own PC.. But that seems like a bit of
rigmarole just to keep the staff happy and able to browse facebook ;)
I'm also a bit curious about what level of 'firewall' is needed for
these PC's - they have a few offices around the world, some of which are
in 'serviced' office complexes - so network is provided by the office
provider, and the client just supplies their PC's - and they quite
explicitly *do not* allow the clients to put in their own networking
hardware to segregate themselves from the managed network there.. I'm
hoping we can get away with a locked down windows firewall in those
instances, or it's going to mean them either MOVING offices, or
transferring the customer to another country for billing processing! Ick!
Cheers,
DG
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
vk2...@gmail.com - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
--
------------------------------------------------------------
You received this message because you are subscribed to the "2600 Australia" group.
To post, send email to: 2600-australia@googlegroups.com
To subscribe, send email to: 2600-australia+subscribe@googlegroups.com
For 2600 monthly meetings, visit http://www.2600.org.au
For more options, visit this group at http://groups.google.com/group/2600-australia
To unsubscribe, send email to: 2600-australia+unsubscribe@googlegroups.com
Disclaimer: Comments to this mailing list are owned by the poster
------------------------------------------------------------
To post, send email to: 2600-au...@googlegroups.com
To subscribe, send email to: 2600-austral...@googlegroups.com
For 2600 monthly meetings, visit http://www.2600.org.au
For more options, visit this group at http://groups.google.com/group/2600-australia
To unsubscribe, send email to: 2600-australi...@googlegroups.com
How does that get past the audit? Using a low security desktop or device to
access a high security one brings to mind problems with key-logging trojans
and similar nasties.
> (2) Contain all non-PCI-compliant applications as above.
That sounds like the tidier approach.
cheers
Marty
The only place we're having troubles, is when a customer emails their
new credit card details for recurring payments.. It doesn't happen
often, the client doesn't promote to customers that they can do that -
but it does happen.. I'm being told that they need to ensure that this
*doesn't* happen.. - But the question we can't answer is *HOW* do you
stop third parties from sending you their credit card details?? Has
anyone else handled this?