That would be nice but it would be difficult for a fast food restaurant to not have a card reader :)
On Fri, Apr 2, 2010 at 4:27 PM, Frank Muto <[email protected]> wrote:

> All the better to have a completely hosted service with a trusted merchant. We have no CCRD information or even a card reader. We take no CCRD payments over the phone, by email, postal mail or store CCRD information for recurring invoices. All of our invoices are sent via email with an online payment URL to make CCRD payments or direct payments from their bank account or mailed in checks. Nonetheless, PCI worries are not on our watch.
>
> Frank Muto
>
> ----- Original Message -----
> From: "Eje Gustafsson" <[email protected]>
> To: "'WISPA General List'" <[email protected]>
> Sent: Friday, April 02, 2010 11:01 AM
> Subject: Re: [WISPA] PCI Compliance
>
>> PCI compliance only applies to the section of the network where YOU process and possibly store credit card information. If you have no over-the-net processing and don't store credit cards then it's easy. You fill out the form for terminal processing and just need to make sure the terminal itself is in a "secured supervised" location, and acknowledge that credit cards are not saved or stored. If you save and store credit cards you need to certify that you are not storing the whole magnetic strip info or security codes for the cards.
>>
>> If things are done on computer you have a more complex questionnaire to fill out. Is credit card info stored? If it is stored electronically the server needs to be protected by some form of firewall and only people with a need to know should be able to access the credit card details, part of the card number should be blanked out on display, and no security codes are allowed to be stored. I assume your workstations and servers are on a separate segment on your network and should be protected with a firewall against any outside access (in the ISP case that also includes access from your customers and not only from the internet itself). If you have a wireless access point on that network segment it needs to be secured and only allow specific access from allowed devices and some form of encryption on any communication that reads/writes credit card details. The database (or wherever your credit cards are stored) needs to be secured.
>>
>> If processing credit cards over the net you should have an end-to-end secure connection from your customer's computer to the credit card gateway processor. So basically the web page where the customer keys in info needs to be secured by either SSL or some other method that sends the data in an encrypted secured format. From your server to the processor the data also needs to be secured (no processor I am aware of even accepts an unsecure submission of credit card details so this shouldn't be a problem on that basis).
>>
>> You also need to make sure that physical access to terminals and servers that process and store credit cards is secured.
>>
>> Also in the questionnaire it's asked if you have policies in place for how to handle and treat credit cards, who has access to them and what to do if any kind of breach should happen.
>>
>> PCI compliance is pretty open and for the most part doesn't have specific requirements when it comes to firewalls, how or what. If you store data and process data on a computer that computer needs to be protected both physically and virtually. Virtually can be a software firewall on the machine itself or it can be a hardware-based firewall in front of the machine.
>>
>> Basically PCI compliance is all about common sense: ensure your servers are safe from any type of intrusion or theft, don't write down credit cards on scrap paper that is thrown in the trash, only allow access to credit card info to the people that have to have access to it.
>>
>> There are different levels and types of PCI compliance depending on how you process credit cards. Worst case scenario is if you have a regular credit card terminal or process credit cards across the network on e-commerce type software (be it home written or professionally developed), and even worse if you store credit card details.
>>
>> Once you start filling out the questionnaire things will more than likely become a bit clearer for you.
>>
>> If you store and process credit cards on computer then you need to as well have a company that is doing a PCI scan of your server to ensure "hacker proof" status. It will look for port vulnerabilities and web application security issues.
>>
>> https://www.pcisecuritystandards.org/saq/index.shtml
>>
>> For most people a self assessment is enough (except for server scanning where an approved company needs to be used). If your company processes a LOT of credit cards per year no external auditor needs to be hired (not even my company reaches the level where an external auditor is required, but we have to file twice annually because of our volume, while most WISPs I would dare to say would only be a level 4, which is the lowest level, and would only need to file once a year).
>>
>> / Eje
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of RickG
>> Sent: Friday, April 02, 2010 1:21 AM
>> To: WISPA General List
>> Subject: [WISPA] PCI Compliance
>>
>> Email from my brother:
>>
>> Just got a letter from our credit card processor and we need to become PCI compliant. I noticed these routers I'm using from Qwest don't have a firewall. Do I go software, hardware or both? Here is the link for our routers.
>> http://www.qwest.com/internethelp/modems/motorola-3347/modemDetail_3347installation.html
>>
>> He handles IT for 27 BK's in Denver. Thoughts?
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
> --------------------------------------------------------------------------------
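As an added example that is not part of the thread (written here, not by any of the posters): a small Python pre-storage check for two of the points Eje makes above, blanking out part of the card number on display and refusing to store security codes or magnetic stripe track data. The record layout, field names, regexes and the sample values are my own assumptions, not anything from the list.

```python
# Added example (not from the thread): a pre-storage check that enforces two of the
# PCI points from the discussion: "part of the card number should be blanked out on
# display" and "no security codes or full magnetic strip info stored".
# Record layout, field names and the sample values are constructed for this example.
import re

TRACK_RE = re.compile(r"(%B\d{13,19}\^|;\d{13,19}=\d{4})")    # track 1 / track 2 shapes
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")     # 13-19 digit runs, ending on a digit
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2", "magstripe"}

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: keep only the last four digits, blank out the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub_record(record: dict) -> tuple[dict, list[str]]:
    """Return (record safe to persist, list of violations found).
    Sensitive authentication data is dropped outright; Luhn-valid card numbers found
    in any free-text field are masked so a full PAN never reaches disk."""
    safe, violations = {}, []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            violations.append(f"{key}: security code / track data must not be stored")
            continue
        if isinstance(value, str):
            if TRACK_RE.search(value):
                violations.append(f"{key}: magnetic stripe track data found")
                continue
            def _mask(m):
                digits = re.sub(r"\D", "", m.group(0))
                if luhn_valid(digits):
                    violations.append(f"{key}: full PAN masked before storage")
                    return mask_pan(digits)
                return m.group(0)    # not a card number (e.g. an order reference)
            value = PAN_RE.sub(_mask, value)
        safe[key] = value
    return safe, violations

if __name__ == "__main__":
    print(scrub_record({"note": "paid with 4111 1111 1111 1111 by phone", "cvv": "123"}))
```

The test card number 4111 1111 1111 1111 is a well-known Luhn-valid test value, not a real account.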
