True on this, but since I assume it still uses your merchant account you
still fall under the PCI regulations. BUT the trusted merchant would
provide all PCI compliance documentation for you in this case, and the only
thing you have to worry about is who is provided remote login access to this
merchant and what information they have access to, and ensuring firewall and
antivirus protection on the machines that are used to log in to said
merchant's website (if you have access to anything credit card related there)
to avoid keyloggers that might steal login information and then use this
information to log in and steal credit card details or create fraudulent
charges or reversals.

No matter how it's done, if your business has a merchant account, PCI
compliance comes back to you to ensure end to end and any and all
interactions where access to credit card processing or credit card numbers
can be done.
Of course it's a lot easier when nothing is on any of your own systems, like
in your case, and if all you can access through the hosted service web pages
is statements and reports there is even less you need to worry about, but you
still might have to file (unless they file for you).

/ Eje

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Frank Muto
Sent: Friday, April 02, 2010 3:27 PM
To: WISPA General List
Subject: Re: [WISPA] PCI Compliance


All the better to have a completely hosted service with a trusted merchant.
We have no CCRD information or even a card reader. We take no CCRD payments
over the phone, by email, postal mail, or store CCRD information for
recurring invoices. All of our invoices are sent via email with an online
payment URL to make CCRD payments or direct payments from their bank account,
or mailed in checks. Nonetheless, PCI worries are not on our watch.


Frank Muto



----- Original Message ----- 
From: "Eje Gustafsson" <e...@wisp-router.com>
To: "'WISPA General List'" <wireless@wispa.org>
Sent: Friday, April 02, 2010 11:01 AM
Subject: Re: [WISPA] PCI Compliance


> PCI compliance only applies to the section of the network where YOU process
> and possibly store credit card information. If you have no over-the-net
> processing and don't store credit cards then it's easy. You fill out the
> form for terminal processing and just need to make sure the terminal itself
> is in a "secured supervised" location, and acknowledge that credit cards are
> not saved or stored. If you save and store credit cards you need to certify
> that you are not storing the whole magnetic strip info or security codes for
> the cards.
> If things are done on computer you have a more complex questionnaire to fill
> out. Is credit card info stored? If it is stored electronically the server
> needs to be protected by some form of firewall and only people with a need
> to know should be able to access the credit card details, part of the card
> number should be blanked out on display, and no security codes are allowed
> to be stored. I assume your workstations and servers are on a separate
> segment of your network, and they should be protected with a firewall
> against any outside access (in the ISP case that also includes access from
> your customers and not only from the internet itself). If you have a
> wireless access point on that network segment it needs to be secured and
> only allow specific access from allowed devices, with some form of
> encryption on any communication that reads/writes credit card details. The
> database (or wherever your credit cards are stored) needs to be secured.
> If processing credit cards over the net you should have an end-to-end
> secure connection from your customer's computer to the credit card gateway
> processor. So basically the web page where the customer keys in info needs
> to be secured by either SSL or some other method that sends the data in an
> encrypted, secured format. From your server to the processor the data also
> needs to be secured (no processor I am aware of even accepts an unsecure
> submission of credit card details, so this shouldn't be a problem on that
> basis).
>
> You also need to make sure that physical access to terminals and servers
> that process and store credit cards is secured.
>
> Also in the questionnaire it's asked if you have policies in place for how
> to handle and treat credit cards, who has access to them, and what to do if
> any kind of breach should happen.
>
> PCI compliance is pretty open and doesn't, for the most part, have specific
> requirements when it comes to firewalls, how or what. If you store data and
> process data on a computer, that computer needs to be protected both
> physically and virtually. Virtually can be a software firewall on the
> machine itself or it can be a hardware-based firewall in front of the
> machine.
>
> Basically PCI compliance is all about common sense: ensure your servers are
> safe from any type of intrusion or theft, don't write down credit cards on
> scrap paper that is thrown in the trash, and only allow access to credit
> card info to the people that have to have access to it.
>
> There are different levels and types of PCI compliance depending on how you
> process credit cards. The worst case scenario is if you have a regular
> credit card terminal or process credit cards across the network on an
> e-commerce type software (be it home written or professionally developed),
> and even worse if you store credit card details.
> Once you start filling out the questionnaire things will more than likely
> become a bit clearer for you.
> If you store and process credit cards on computer then you need as well to
> have a company that is doing a PCI scan of your server to ensure "hacker
> proof" status. It will look for port vulnerabilities and web application
> security issues.
>
> https://www.pcisecuritystandards.org/saq/index.shtml
>
> For most people a self assessment is enough (except for server scanning,
> where an approved company needs to be used). If your company processes a LOT
> of credit cards per year no external auditor needs to be hired (not even my
> company reaches the level where an external auditor is required, but we have
> to file twice annually because of our volume, while most WISPs I would dare
> to say would only be level 4, which is the lowest level and would only need
> to file once a year).
>
> / Eje
>
> -----Original Message-----
> From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
> Behalf Of RickG
> Sent: Friday, April 02, 2010 1:21 AM
> To: WISPA General List
> Subject: [WISPA] PCI Compliance
>
> Email from my brother:
>
> Just got a letter from our credit card processor and we need to become
> PCI compliant. I noticed these routers I'm using from Qwest don't have
> a firewall. Do I go software, hardware or both? Here is the link for
> our routers.
>
> http://www.qwest.com/internethelp/modems/motorola-3347/modemDetail_3347installation.html
>
> He handles IT for 27 BK's in Denver. Thoughts?
>
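Two of the points Eje makes in the quoted message above, blanking out part of the card number wherever it is displayed and never retaining security codes or track data, are easy to check mechanically. The following is an added example, not code from anyone in this thread: a small scrubber run over constructed support-log lines (the card numbers are the standard 4111... and 5500... test numbers, not real cards; the log format is assumed).

```python
import re

# Constructed sample lines, as a billing system might log them (not real cards).
SAMPLE_LINES = [
    "2010-04-02 11:01 payment ok card=4111111111111111 amt=49.95",
    "2010-04-02 11:02 payment ok card=5500000000000004 cvv=123 amt=19.00",
    "2010-04-02 11:03 invoice 20481 emailed, total 1234567890123",
    "2010-04-02 11:04 track2=;4111111111111111=1512101?",
]

# Any run of 13-19 digits is a PAN candidate; Luhn decides whether it really is one.
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")
# Fields that PCI DSS says must never be stored after authorization.
FORBIDDEN = re.compile(r"\b(cvv2?|cvc2?|cid|track[12])\s*=\s*\S+", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn check digit test; filters out invoice or phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first 6 and last 4 digits (the most PCI DSS allows on display); blank the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub_line(line):
    """Return (cleaned line, findings): redact forbidden fields, mask Luhn-valid PANs."""
    findings = []
    if FORBIDDEN.search(line):
        findings.append("sensitive-auth-data")
        line = FORBIDDEN.sub(lambda m: m.group(1) + "=[REDACTED]", line)

    def repl(m):
        run = m.group(0)
        if not luhn_ok(run):
            return run          # e.g. an invoice number: leave it alone
        findings.append("pan")
        return mask_pan(run)

    return DIGIT_RUN.sub(repl, line), findings

def scrub_all(lines):
    """Scrub a batch of lines; each result pairs the cleaned text with its findings."""
    return [scrub_line(line) for line in lines]
```

Any line that produces a "sensitive-auth-data" finding is evidence that the system writing the log is retaining data the self-assessment questionnaire asks you to certify is never stored.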



--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/