    EdgeRouter X for small office with PCI compliance

    Solved IT Discussion
    19 Posts 6 Posters 1.7k Views
      Mike Davis

      I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

        Jason Banned

        Most PCI compliant systems anymore are just encrypted readers, and an SSL connection to the remote processor.

          scottalanmiller @Mike Davis

          @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

          I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

          Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

            Mike Davis @scottalanmiller

            @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

            @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

            I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

            Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

            The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

              scottalanmiller @Mike Davis

              @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

              @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

              @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

              I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

              Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

              The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

              Does that really shift liability in a case like this? If you say N/A and they find out that there was wifi, they will go after you in that case no matter what you checked.

                JaredBusch @Mike Davis

                @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

                How can it make you liable if you are using a self-contained credit card machine? Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

                You have self-contained devices with no access to them in any way.

                  scottalanmiller @JaredBusch

                  @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                  @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                  @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                  @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                  I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                  Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                  The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

                  How can it make you liable if you are using a self-contained credit card machine? Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

                  You have self-contained devices with no access to them in any way.

                  Right... if the unit is supposed to be secured and they blame you for having had WPA somewhere, they would blame you if anyone on your same ISP, or really anyone on the Internet, had WPA somewhere!

                    Mike Davis @scottalanmiller

                    I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                      JaredBusch @Mike Davis

                      @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                      I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                      That is just auditors being auditors.

                        scottalanmiller @Mike Davis

                        @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                        I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                        But our point is that you want to fill in N/A in one case but not in another, but it is N/A equally for both cases, right? Why is one an N/A and one not?

                          scottalanmiller @JaredBusch

                          @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                          @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                          I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                          That is just auditors being auditors.

                          And if these are third-party auditors, normally they don't know what they are doing. We've had PCI auditors certify that there were firewalls in place where none existed, and it was obvious just asking the question about what was running. I caught them by accident and then demonstrated that they had made up the answers because they didn't know how the networking works.

                            Dashrender

                            I hate that we do CC through a website instead of a piece of hardware.... Makes it a lot harder to "comply"
