
I'm hoping someone here can help me. I'm attempting to get the small nonprofit I work at PCI compliant, as we have been paying an additional $20/month in noncompliance fees to our processor since we started taking credit cards YEARS ago (apparently I'm the only person to look at statements).

I'm not an IT person, I do accounting/billing. We process credit cards two ways. First, 95% of our credit card payments are entered into our software which then speaks to the processor. We access this software through a remote server physically located in Denver. Second, the remaining 5% of our credit card payments are entered on my computer keyboard directly into the processor website (this is for recurring payments, which we have to enter manually into our software after the payment has processed).

So my questions are:

  1. Am I correct that given the way we take payments we should complete PCI SAQ C?
  2. Do I need to involve both the county IT people that we contract with for services in our offices and the software IT people located in Denver, given the way we take payments? If so, do I need to ensure that answer to each question matches for both of them?
  3. Most importantly, when the questions referenced in my title talk about limiting outbound traffic (all inbound is limited per our county IT people, I'm having difficulties getting answers back from our software IT people in Denver), does that mean that the computer(s) we use to process credit cards need to be completely limited to only process credit cards? This would be quite an inconvenience, and I don't know many small businesses (hotels especially immediately come to mind) that limit their computer functions in this way. If I'm misunderstanding the requirements, can someone explain them in more depth?
StackzOfZtuff
cmbrien
    Earlier this year I handled a process of getting a small non-profit in my area with a situation quite similar to yours from not even attempting compliance to actually being compliant. I will write more with some further thoughts, but my initial reaction to point #3 is the same as I had with my non-profit when they made the exact same statement to me: in an era where you can get a remarkably powerful credit-card sized computer for $35, or a tablet from a major manufacturer for $50, and a not-terrible small laptop running Windows for $175, that doesn't fly. – mostlyinformed Sep 26 '15 at 06:56
  • 1
    FWIW, though, I lost that argument with them. As I do with most small businesses I do PCI consulting for too, if I'm being honest. People just love to do browsing and email wherever they are sitting next to an internet-connected machine. In other words: yes, doing browsing & email on a machine you process card data on is both inadvisable as a security matter and arguably a violation of at least a couple PCI reqs, but if you decide to do so you may be able to take some comfort in the fact that you are in the vast risk-taking majority. :) – mostlyinformed Sep 26 '15 at 07:09

1 Answer


Can't comment yet, but will answer as well as I can w/o knowing more info about your setup in regards to the Company in Denver.

  1. That depends on what you mean by remote server. For the 95%, are you going to a web site and entering the credit card information, or are you using a remote access tool (Remote Desktop, LogMeIn, TeamViewer, etc.) to connect to this machine in Denver?

Will need more information on this question to give a better answer.

  2. PCI questionnaires are by merchant. Additional sites come into play if all the sites are processing using the same merchant #. However, generally most PCI compliance scans are per merchant #, which usually is per site. Wal-Mart might have thousands of stores, but each store/site is a different merchant #, and each store would do its own questionnaire. You would want to talk to both IT departments about questions you will have during the questionnaire: firewalls, password expiration, AV updates, and so on.

However, not knowing all the information about your setup with Denver makes it difficult to give an accurate answer.

  3. The question I can help you the most with, as it can't really be any different regardless of how your setup between the County and Denver works.

Any computer that processes a credit card over the internet should be on a closed network. The only internet send/request that device should make is for processing credit cards. Exclusions for OS/software/antivirus/firmware updates and some others. Basically, no browsing & no email should happen on those computers that process a credit card. Even if you have remote access to your computer that processes credit cards, that remote access should be turned off only when needed. There has to be 0 chance that an employee gets on the wrong website, clicks the wrong email, anything that could allow something to happen. Any other computers that are on the same network should not be browsing or emailing.

Analogy I give to customers about this is:

You can have a house around which you've built a circular fence made of brick. The brick can't be climbed; however, at one point in the brick there is a small hole where you can see through it. In the PCI compliance view, you failed.

For hotels/restaurants it can be difficult, but that's what it's supposed to be. Do all hotels & restaurants follow this procedure? No. They're supposed to. Generally all the credit card locations my company manages (over 100) have an office computer strictly for internet use. The computers for running credit card transactions are on a separate network with a firewall in place, and many security settings to only allow CC processing and nothing else. There are several sites that I manage that either don't want to pay for security, or don't care. Those people sign a waiver not holding my company liable.

Hope that helps somewhat, and apologize for not commenting first. If I can get more information on your setup with Denver, I will edit my answer.

N. Greene
  • 95% are through a remote access tool connecting our machines to Denver. The remote desktop does not give us access to the internet, only access to our software with them, which suggests to me that processing cards this way would be compliant. The 5% sounds like the problem child, as those are entered on my computer which has access to e-mail, web browsing, etc. It sounds like I need to talk to my director and IT staff about the feasibility of getting a tablet or something similar that could be locked down to only access our merchant website to process recurring transactions. – cmbrien Sep 28 '15 at 17:23
  • I'm still curious as to what program the 95% are using. Regardless, if you get a separate computer for credit card processing, it needs to be on a different network than your office. There needs to be 0 way for any other computer inside your network to see/communicate with that credit card processing computer. – N. Greene Sep 28 '15 at 19:40
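As an added illustration of the egress restriction the answer describes (this is example code, not from the answer or any commenter): a small audit script that checks outbound connection records from a card-processing workstation against an allowlist holding only the processor gateway and update services, so browsing and email traffic is flagged. All hostnames, process names and the log format are constructed placeholders.

```python
# Added example: audit a card-processing workstation's outbound connections
# against a PCI-style egress allowlist (processor + OS/AV updates only).
# Hostnames below are hypothetical placeholders, not real endpoints.
from dataclasses import dataclass
from fnmatch import fnmatch

# Policy from the answer: only card processing plus OS/AV/software updates.
ALLOWED_DESTINATIONS = {
    "gateway.example-processor.test": "card processing",   # hypothetical
    "*.update.example-os.test": "OS updates",              # hypothetical
    "defs.example-av.test": "antivirus definitions",       # hypothetical
}
ALLOWED_PORTS = {443}  # HTTPS only; everything else is default-deny


@dataclass
class Flow:
    host: str
    dest: str
    port: int
    process: str


def classify(flow: Flow) -> str:
    """Return 'ALLOW: <reason>' for allowlisted flows, else 'BLOCK: <why>'."""
    if flow.port not in ALLOWED_PORTS:
        return f"BLOCK: port {flow.port} not permitted"
    for pattern, reason in ALLOWED_DESTINATIONS.items():
        if fnmatch(flow.dest, pattern):
            return f"ALLOW: {reason}"
    return f"BLOCK: {flow.dest} not on allowlist ({flow.process})"


def parse_line(line: str) -> Flow:
    # Constructed record format: "<host> <process> -> <dest>:<port>"
    host, process, _, target = line.split()
    dest, port = target.rsplit(":", 1)
    return Flow(host, dest, int(port), process)


# Constructed sample: two legitimate flows, then webmail and SMTP from the
# same machine, which the answer says must never happen on a card terminal.
SAMPLE_LOG = """\
cc-pc-1 pos.exe -> gateway.example-processor.test:443
cc-pc-1 svchost.exe -> dl.update.example-os.test:443
cc-pc-1 chrome.exe -> mail.example-webmail.test:443
cc-pc-1 outlook.exe -> smtp.example-mail.test:587
"""


def audit(log: str) -> list[tuple[str, str]]:
    """Pair every non-empty log line with its allow/block verdict."""
    return [(ln, classify(parse_line(ln))) for ln in log.splitlines() if ln.strip()]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:<50} {line}")
```

On a real firewall the same allowlist is expressed as default-deny egress rules keyed on the processor's and update vendors' published addresses; this script only shows how to review connection records against that policy.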