PCI DSS Cafe

Soldato
Joined
17 Jun 2007
Posts
9,296
Ok so I'm pulling my hair out.

I'm part way through Compliance with paymentsense. Now it's asking very technical questions that I have to google, and then google what google tells me, and possibly google that too.

I have a cafe. We don't store customer details. Our ePos isn't linked to the card machine. We input the amount and in most cases the customer taps and that's it.

Anyone been through this in a similar situation?


Thanks
Bald Matt
 
Soldato
Joined
29 Dec 2002
Posts
7,253
Longer term the questions asked are pretty straight forward/simple and it’s cheaper/quicker than using PSTN to verify transactions.
 
Soldato
Joined
20 Oct 2008
Posts
12,096
I'm having to deal with this at the moment.

A company I do work for runs two businesses on the same site. One of them is a petrol station/shop and they decided to change their terminal to an internet only model. Unfortunately, there's only a single internet connection with a single static IP so it's on the same network as everything else.

I've now got to get the entire network compliant and that includes an SBS 2011 server which I can't get rid of just yet.
 
Caporegime
Joined
18 Oct 2002
Posts
25,289
Location
Lake District
I'm having to deal with this at the moment.

A company I do work for runs two businesses on the same site. One of them is a petrol station/shop and they decided to change their terminal to an internet only model. Unfortunately, there's only a single internet connection with a single static IP so it's on the same network as everything else.

I've now got to get the entire network compliant and that includes an SBS 2011 server which I can't get rid of just yet.
Chuck it on its own VLAN? Would that make it any easier?
 
Soldato
Joined
20 Oct 2008
Posts
12,096
That was my initial plan. Unfortunately, the scans the bank is running are against the WAN IP so they see everything that's public facing. If I had more than one public IP to play with I wouldn't have had a problem.

I've got most of it compliant. The main remaining problem is TLS 1.0. When I disable it Exchange Server (amongst other things) isn't happy.
 
Soldato
Joined
29 Dec 2002
Posts
7,253
It only needs to pass a single scan conducted in a given 24hr period on a WAN IP you specify... If you know that, it’s usually possible to work around most of the potential issues.
 
Soldato
Joined
20 Oct 2008
Posts
12,096
I'm really close to having it pass legitimately. It looks like it'll be a quarterly scan and it'll probably happen without me knowing beforehand.

I installed a fresh test copy of SBS 2011 and Exchange on that works with TLS 1.0 disabled. I just need to find out why it doesn't work on the live server. The other things that I found TLS 1.0 breaks I can live without. Another few months and the on-premises Exchange Server will be gone, the ports will be closed, and all will be well.
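The TLS 1.0 change the post above describes is done on Windows through the SCHANNEL protocol registry keys, and .NET-based components (Exchange's management tools, IIS-hosted .NET code) separately need to be told to prefer TLS 1.2. The script below is an added example, not from this thread or from any poster; it applies the server-side disable, makes sure TLS 1.2 is explicitly enabled so nothing is left without a usable protocol, and reads the result back for checking before a reboot. The function names are the example's own. Whether Exchange 2010 itself keeps working with TLS 1.0 off depends on its service pack and rollup level (Microsoft's Exchange TLS guidance covers this), which is one reason a freshly patched test copy and an older live server can behave differently.

```powershell
# Added example (not from this thread): disable TLS 1.0 for the server-side SCHANNEL
# stack on a Windows host and make .NET applications prefer TLS 1.2.
# Run in an elevated PowerShell session; SCHANNEL changes take effect after a reboot.
# Try it on a non-production copy first, as the post above did.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Helper name is the example's own. Writes the documented Enabled/DisabledByDefault
    # pair for one protocol on one side (Server = inbound connections, Client = outbound).
    param(
        [Parameter(Mandatory)] [string] $Protocol,                             # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [ValidateSet('Server','Client')] [string] $Side,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    $key = Join-Path $base "$Protocol\$Side"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Turn off TLS 1.0 for inbound connections; this is what an external scan of the WAN IP sees.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Side Server -Enabled $false

# Explicitly enable TLS 1.2 on both sides so services still have a protocol to negotiate.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Client -Enabled $true

# .NET Framework applications choose their protocol from the framework, not only from
# SCHANNEL. SchUseStrongCrypto=1 makes them default to TLS 1.2. Both the 64-bit and the
# Wow6432Node (32-bit) views are set where they exist.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($fw in $netKeys) {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Get-SchannelState {
    # Helper name is the example's own. Lists every configured protocol/side so the
    # change can be verified before rebooting (expect TLS 1.0\Server: Enabled=0,
    # DisabledByDefault=1 after running the script).
    Get-ChildItem -Path $base -Recurse |
        Get-ItemProperty |
        Select-Object PSPath, Enabled, DisabledByDefault
}

Get-SchannelState
```

After the reboot, check the services that broke for the poster (Exchange, OWA, anything else bound to a certificate) before the next quarterly scan window, and keep a note of the state reported by Get-SchannelState so it can be compared against the live server if the two still differ.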
 
Soldato
OP
Joined
17 Jun 2007
Posts
9,296
I got mine to pass. It's just all the damn technical questions I had no idea about.

Network diagrams being the easiest; whether or not my demilitarised zone is behind a firewall... WTF... What???
 
Soldato
Joined
27 Feb 2003
Posts
7,173
Location
Shropshire
That was my initial plan. Unfortunately, the scans the bank is running are against the WAN IP so they see everything that's public facing. If I had more than one public IP to play with I wouldn't have had a problem.

I've got most of it compliant. The main remaining problem is TLS 1.0. When I disable it Exchange Server (amongst other things) isn't happy.

I'm not actively involved with PCI compliance anymore but when I was, you could submit a mitigation statement as to why you needed TLS 1.0 enabled. We'd link to appropriate MS document that turning off 1.0 broke Exchange 2010. I have a vague memory the ability to do that was going to stop though - did that actually happen?
 
Caporegime
Joined
18 Oct 2002
Posts
26,098
Surely none of this matters if you have a payment terminal that just makes an outbound HTTPS connection - there's no amount of screwing up the config that you can do that would do anything other than just stop the thing working. You don't have a card data environment at that point.

Edit: I'm saying none of this matters as far as actual data security is concerned; obviously there's money to be made in compliance, so it's not always that easy. Fundamentally, shoving the terminal on a network is no different to it operating on a 3G network: the public IP is shared with other devices that aren't always known about, and no inbound connections can be made in either case.
 
Soldato
Joined
20 Oct 2008
Posts
12,096
You'd think so, but that doesn't appear to be the case.

It's not something I've had to deal with before, and I don't know enough about it to argue the toss with the bank. So, for now, I'm just addressing the issues that the bank raised.
 