It is just like any other SSL traffic on your net, except it is talking to a specific IP address specified by your processor. Other methods include via 4G (which is still IP) and satellite communication for remote areas. The main advantages of IP signaling include security and speed. While a POTS line could be tapped easily, SSL communication is more complex to intercept. Also, while a POTS line could process a transaction in a reasonable amount of time, with today's cards embedded with EMV chips, the amount of data that needs to be transmitted is much larger, causing EMV transactions over POTS to take FOREVER.

The layout you specify in your post is a good start; however, PCI encompasses a few other things, such as physical security and having procedures in place in case of a breach. While not all of this is IT's responsibility, it is a good idea to be on the committee for everything PCI at your employer.

Working for a tier 1 retailer in the UK, PCI DSS can be a constant headache. One of the keys to obtaining and maintaining PCI compliance is keeping as much of your network out of scope as possible, to make your life as pain-free as possible. The retailer I work for has nearly 2,000 card terminals, each directly connected to a POS system running payment applications validated to PA-DSS v3.1 and P2PE v2. Our retail store estate underwent extensive penetration testing and was found to contain zero instances of, or capability for, an attacker breaching the CDE (Cardholder Data Environment) to access encrypted CHD (Cardholder Data). This meant the Office and Supply Chain operations networks were deemed out of scope, and a reduction in scope with our merchant bank was attained, simplifying the process massively!

As with most things, there are a few simple rules for PCI DSS, but two of the most important are:

- Don't store CHD in plain text anywhere on your network!
- Strictly control access to both CDE and CHD and provide evidence of procedures to support this.

If you don't already know, you can search for the versions of payment devices, software and suppliers on the PCI SSC site. To make your life easier if you do undergo a compliance audit by a QSA, your organisation needs to obtain Attestation of Compliance documentation for your payment applications and POS solution and ensure it matches that held by the PCI SSC (PCI Security Standards Council). If this is the first time you've looked into PCI compliance in a big way, you could do worse than start with the Guidance for PCI DSS Scoping and Segmentation in the PCI Document Library.

Obtaining PCI compliance for the first time is a time-consuming process. How difficult the process ultimately is for you depends entirely on your assigned QSA and your established internal procedures for handling and securing CHD. If these are already prepared in line with the recommendations and requirements set down in PCI DSS v3.2, then you're halfway there. Be under no illusions though: the second year is not plain sailing. Your organisation then has to demonstrate that it has followed or improved all procedures as they were during the initial audit at all times in the previous 12 months, and that's often where failures occur!

Because the vast majority of internal networks are NOT secure, as we've learned over and over again for the past X years of breaches, and those are just the biggies. There's no news coverage of the 10 or 50 or 500 person business that gets breached and loses cardholder data, but it happens a lot.

One of the entire points of using EMV terminals as used in most of the world is that the merchant is never ever storing the credit card details, absolving them of that responsibility. The card goes into the terminal, and then the terminal itself brings up a VPN connection back to the payment processor and processes the transaction securely. If/when an attacker breaches a merchant network, all they should now ever see is an encrypted blob flying back and forth between the terminal and the processor.