EdgeRouter X for small office with PCI compliance

Mike Davis

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Jason

Most PCI complaint systems anymore are just encrypted readers, and SSL connection to the remote processor.

scottalanmiller

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

Mike Davis

@scottalanmiller said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

scottalanmiller

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

@scottalanmiller said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

Does that really shift liability in a case like this? If you say N/A and they find out that there was wifi, they will go after you in that case no matter what you checked.

JaredBusch

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

@scottalanmiller said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

How can it make you liable if you are using a self contained credit card machine. Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

You have self contained devices with no access to them in any way.

scottalanmiller

@JaredBusch said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

@scottalanmiller said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

How can it make you liable if you are using a self contained credit card machine. Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

You have self contained devices with no access to them in any way.

Right... if the unit is supposed to be secured and they blame you for having had WPA somewhere, they would blame you if anyone on your same ISP, or really anyone on the Internet, had WPA somewhere!

Mike Davis

I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have a IP based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self contained machine, it makes no sense.

JaredBusch

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have a IP based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self contained machine, it makes no sense.

That is just auditors being auditors.

scottalanmiller

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have a IP based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self contained machine, it makes no sense.

But our point is that you want to fill in N/A in one case but not in another, but it is N/A equally for both cases, right? Why is one a N/A and one not?

scottalanmiller

@JaredBusch said in EdgeRouter X for small office with PCI compliance:

@Mike-Davis said in EdgeRouter X for small office with PCI compliance:

I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have a IP based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self contained machine, it makes no sense.

That is just auditors being auditors.

And if these are third party auditors, normally they don't know what they are doing. We've had PCI Auditors certify that there were firewalls in place where none existed and it was obvious just asking the question about what was running. I caught them by accident and then demonstrated that they had made up the answers because they didn't know how the networking works.

Dashrender

I hate that we do CC through a website instead of a piece of hardware.... Makes it a lot harder to "comply"