    EdgeRouter X for small office with PCI compliance

    IT Discussion | 19 Posts, 6 Posters, 1.7k Views
    • Mike Davis

      For a small business with a few computers and two credit card machines, if you put in an EdgeRouter X, put the LAN on one port, and then put each credit card machine on its own port and don't route between the two, can you skip all the PCI compliance questions about WEP/WPA2, computer patches, etc. since the credit card machines are not on the same network?

      PS. I know the EdgeRouter X is software based and not hardware, but it has more ports at a lower price point and I don't think the client would notice the performance difference.

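      One way to build the port-per-terminal layout the question describes on an EdgeRouter X, as an added example that is not from the original thread: the office LAN on eth1, each card terminal on its own port (eth2, eth3), and firewall policies that drop traffic between the terminal ports and the LAN while letting the terminals reach only TLS and DNS on the Internet. The interface roles, addresses and ports are assumptions (eth0 is taken to be the WAN with NAT already configured); the ports a given terminal actually needs come from the payment processor's documentation.

```text
configure

# Assumed layout: eth0 = WAN (NAT already configured), eth1 = office LAN,
# eth2 and eth3 = one card terminal each (addresses are constructed)
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces ethernet eth2 description CARD1
set interfaces ethernet eth2 address 192.168.21.1/30
set interfaces ethernet eth3 description CARD2
set interfaces ethernet eth3 address 192.168.22.1/30

# Address groups used by the rules below
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group CARD_NETS network 192.168.21.0/30
set firewall group network-group CARD_NETS network 192.168.22.0/30

# Traffic forwarded from a terminal port: replies to existing sessions, nothing
# to any private network (so neither the LAN nor the other terminal), then only
# new TLS and DNS sessions to the Internet; everything else is dropped and logged
set firewall name CARD_IN default-action drop
set firewall name CARD_IN enable-default-log
set firewall name CARD_IN rule 10 action accept
set firewall name CARD_IN rule 10 state established enable
set firewall name CARD_IN rule 10 state related enable
set firewall name CARD_IN rule 20 action drop
set firewall name CARD_IN rule 20 destination group network-group RFC1918
set firewall name CARD_IN rule 30 action accept
set firewall name CARD_IN rule 30 protocol tcp
set firewall name CARD_IN rule 30 destination port 443
set firewall name CARD_IN rule 40 action accept
set firewall name CARD_IN rule 40 protocol udp
set firewall name CARD_IN rule 40 destination port 53

# Traffic forwarded from the LAN: block new sessions into the terminal subnets
set firewall name LAN_IN default-action accept
set firewall name LAN_IN rule 10 action drop
set firewall name LAN_IN rule 10 destination group network-group CARD_NETS

# Attach each policy to the ingress side of its port
set interfaces ethernet eth2 firewall in name CARD_IN
set interfaces ethernet eth3 firewall in name CARD_IN
set interfaces ethernet eth1 firewall in name LAN_IN

commit
save
```

      A terminal that also needs NTP or a processor port other than 443 needs a matching accept rule; the logged drops from CARD_IN show what it tried to reach, which is also the evidence an auditor asking about segmentation will want.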
    • DustinB3403

        I would think you'd be able to avoid the questions simply by stating (and providing proof) that nothing but the credit card machines are on their own network, that there is no wireless for them to be attacked via and that those networks are in fact secured.

        Of course it means you'd have to maintain those individual networks and keep them secured / provide monitoring support etc.

    • scottalanmiller @Mike Davis

          @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

          PS. I know the EdgeRouter X is software based and not hardware, but it has more ports at a lower price point and I don't think the client would notice the performance difference.

          It's hardware based as far as auditing is concerned. All routers are software under the hood. The EdgeRouter is no different. The EdgeRouter is exactly what people mean when they refer to hardware routing.

    • scottalanmiller @Mike Davis

            @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

             For a small business with a few computers and two credit card machines, if you put in an EdgeRouter X, put the LAN on one port, and then put each credit card machine on its own port and don't route between the two, can you skip all the PCI compliance questions...

            Yes, that is a dedicated network. Exactly the same as if you had gotten a dedicated link from the ISP to each piece of equipment. The ISP just has a router separating that traffic, same as you have here.

    • JaredBusch

              Why do you think you need a dedicated network for the credit card machines?

    • scottalanmiller @JaredBusch

                @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                Why do you think you need a dedicated network for the credit card machines?

                It wasn't that he NEEDED one, he was wondering if it would be a simple solution.

    • JaredBusch @scottalanmiller

                  @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                  @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                  Why do you think you need a dedicated network for the credit card machines?

                  It wasn't that he NEEDED one, he was wondering if it would be a simple solution.

                   The simple solution is just to plug it into your LAN, because they're a hardware device and there's no local software to talk to them. They create an encrypted tunnel out to their server and nothing else can be done to it, so those hardware devices do not need network segregation.

    • Mike Davis

                    I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

    • Jason

                       Most PCI compliant systems anymore are just encrypted readers and an SSL connection to the remote processor.

    • scottalanmiller @Mike Davis

                        @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                        I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                        Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

    • Mike Davis @scottalanmiller

                          @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                          @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                          I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                          Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                          The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

    • scottalanmiller @Mike Davis

                            @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                            @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                            @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                            I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                            Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                            The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

                            Does that really shift liability in a case like this? If you say N/A and they find out that there was wifi, they will go after you in that case no matter what you checked.

    • JaredBusch @Mike Davis

                              @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                              @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                              @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                              I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                              Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                              The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

                               How can it make you liable if you are using a self-contained credit card machine? Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

                              You have self contained devices with no access to them in any way.

    • scottalanmiller @JaredBusch

                                @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                                @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                                @scottalanmiller said in EdgeRouter X for small office with PCI compliance:

                                @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                                I'm sure you've filled out the PCI compliance form where they ask if your wifi is using WPA2 and all that. I'd like to be able to just rip down through the form and say N/A for everything. I agree that it's silly to think that it's more vulnerable on your LAN than going across the internet.

                                Wouldn't it be N/A in either case? What's the purpose of the PCI form if not for security?

                                The purpose of the form is to shift liability. If you check that you're using WPA2, and credit card numbers are stolen, and they find out you were using WEP, you are liable.

                                 How can it make you liable if you are using a self-contained credit card machine? Those devices are not supposed to do anything if they fail to make their encrypted connection to the payment processing service.

                                You have self contained devices with no access to them in any way.

                                Right... if the unit is supposed to be secured and they blame you for having had WPA somewhere, they would blame you if anyone on your same ISP, or really anyone on the Internet, had WPA somewhere!

    • Mike Davis @scottalanmiller

                                   I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

    • JaredBusch @Mike Davis

                                    @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                                     I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                                    That is just auditors being auditors.

    • scottalanmiller @Mike Davis

                                      @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                                       I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                                      But our point is that you want to fill in N/A in one case but not in another, but it is N/A equally for both cases, right? Why is one a N/A and one not?

    • scottalanmiller @JaredBusch

                                        @JaredBusch said in EdgeRouter X for small office with PCI compliance:

                                        @Mike-Davis said in EdgeRouter X for small office with PCI compliance:

                                         I don't know how the credit card industry works. All I know is that for the clients of mine that use a PoS and the ones that have an IP-based credit card machine, they both get sent the same form. For the PoS running on Windows, I totally understand. For the self-contained machine, it makes no sense.

                                        That is just auditors being auditors.

                                        And if these are third party auditors, normally they don't know what they are doing. We've had PCI Auditors certify that there were firewalls in place where none existed and it was obvious just asking the question about what was running. I caught them by accident and then demonstrated that they had made up the answers because they didn't know how the networking works.

    • Dashrender

                                          I hate that we do CC through a website instead of a piece of hardware.... Makes it a lot harder to "comply"
