If the non-compliance fee is $20/month, I think it would be cheaper to pay the 
fee.  Hell, I pay $50/month now for a check scanner.  My bank wants a minimum 
of $25/month to handle ACH payments (which I don’t pay).  $20/month is chump 
change, compared to the effort I see this customer putting into passing the 
yearly audit.  (No auditor comes out, they do a questionnaire and run some kind 
of scanning program.)

I just have to laugh that they passed last year with the Frontier modem/router 
credentials set to admin/admin.


From: That One Guy /sarcasm 
Sent: Wednesday, October 28, 2015 7:59 PM
To: [email protected] 
Subject: Re: [AFMUG] PCI compliance and managed router

I think it was Visa processors that are causing this stink; Visa is trying to 
CYA.

On Wed, Oct 28, 2015 at 4:47 PM, Eric Kuhnke <[email protected]> wrote:

  Traffic between their credit card terminal and the processor should be 
end-to-end encrypted. Audits of their network equipment would be required for 
PCI compliance if they were storing card info in plaintext anywhere on their 
LAN, which they are not.


  On Wed, Oct 28, 2015 at 11:54 AM, Ken Hohhof <[email protected]> wrote:

    I have always heard of PCI compliance in terms of a business like a gas 
station where customers swipe cards at the pumps.

    But I have a customer with a credit card reader terminal in their office 
that is making this big fuss because they annually do a PCI audit, apparently to 
avoid a $20/month fee from their credit card processor.  Maybe I don't even 
realize we pay that; there is some $200/year PCI compliance fee we pay.

    Anyway, this is not where some auditors show up, but rather a cloud based 
scan they run from one of their computers until they pass, then they print out 
the report and send it in.

    And apparently the customer decided to have us replace Frontier and then do 
their annual scan the next day.  They claim they passed every year previous; 
hard to believe the Frontier modem they were using as their router, with 
username/password set to admin/admin, was not an issue.  Their first complaint 
to us was that their WiFi password was not complex enough.  Well, we just set it 
to what you were already using.  Then they had some complaint about DNS.

    Now they are saying they have to report that we manage the router remotely, 
and that may be a problem.  Is it?  We close off everything but Winbox.  It 
seems a lot more secure to me than having a web interface with admin/admin. I 
told the customer they are welcome to supply and manage their own router, but 
if they get a leased, managed router from us, well ... we manage it. Remotely.

    Has anyone dealt with this issue already? 

-- 

If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.