PCI DSS Compliance - limiting scope


toddler

Original Poster:

1,245 posts

235 months

Tuesday 3rd March 2015
Hi All

I'm just starting to think about PCI DSS compliance, not something I have any experience of, and I'm looking for a bit of guidance.

We use Worldpay's Virtual Terminal (VT) to take credit/debit card payments over the phone. On average we take 3 card payments per month, usually from new customers who don't have a credit account yet. I'm the only person in the company who knows how to take card payments, and I'm the only one with the username and password.

Currently, on my PC, I logon to the Worldpay VT in Firefox, enter the mandatory details (card number, expiry date, amount, card holder's name and address, email address) and hit Go. Within a few minutes, I receive an email from Worldpay summarising the transaction (trans id, date, amount, cardholder's name and address). I don't print or store any cardholder details (other than the email from Worldpay).

We have a pretty small network of 20 PCs and 4 servers, but it's a flat network, with a single trusted LAN segment containing all PCs and servers. For the purposes of PCI DSS compliance, I would like to make the Cardholder Data Environment (CDE) as small as possible, ideally limited to just a single dedicated PC that is used only for taking card payments using the Worldpay VT.

After doing a bit of research, my initial thinking is to create a new zone ("PCI Zone") on a dedicated physical interface of our firewall, patch the dedicated PC directly into this interface, and use access rules to deny all network traffic between this new zone and the trusted LAN zone. My question is, from a PCI DSS compliance point of view, assuming access rules are configured correctly, would this be enough to isolate the single PC from the rest of the LAN such that my CDE includes just the dedicated PC and the firewall?

I know there are many other PCI DSS considerations around people, processes etc... but in the first instance, I'm thinking just about the technology issues.

Any advice would be greatly appreciated.
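The zone design described above (a dedicated firewall interface for the virtual-terminal PC, deny-all between that zone and the trusted LAN) can be checked before it is deployed by modelling the rule table and probing it with flows that must never be allowed. The Python below is an added example written for this thread, not code from the original poster or from Worldpay; the address ranges, the processor endpoint (203.0.113.10) and the resolver address are constructed placeholders, and the model covers initiating flows only (a stateful firewall handles return traffic on its own).

```python
"""
Model of the segmentation the original poster proposes: a dedicated "PCI"
zone on its own firewall interface holding only the virtual-terminal PC, a
"LAN" zone for the rest of the office, and "WAN" for the Internet. Rules are
evaluated first-match with an implicit deny, as on most zone-based firewalls.
All addresses and the processor endpoint are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption, not from the thread)
ZONES = {
    "PCI": ip_network("10.99.0.0/24"),
    "LAN": ip_network("192.168.1.0/24"),
}
# Placeholders for the payment processor's HTTPS endpoint and the resolver the
# PCI PC may use; real values would come from the provider / ISP.
PROCESSOR = ip_network("203.0.113.10/32")
RESOLVER = ip_network("203.0.113.53/32")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str]            # None matches any protocol
    dport: Optional[int]            # None matches any port
    dst_net: Optional[IPv4Network]  # None matches any destination
    action: str                     # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known nets is WAN."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """First matching rule wins; no match means the firewall's default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto is not None and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        if r.dst_net is not None and ip_address(flow.dst) not in r.dst_net:
            continue
        return r.action
    return "deny"


# The OP's plan: deny everything between PCI and LAN in both directions, and
# let the PCI PC reach only what the virtual terminal actually needs.
POLICY = [
    Rule("PCI", "LAN", None, None, None, "deny"),
    Rule("LAN", "PCI", None, None, None, "deny"),
    Rule("PCI", "WAN", "tcp", 443, PROCESSOR, "allow"),
    Rule("PCI", "WAN", "udp", 53, RESOLVER, "allow"),
    Rule("LAN", "WAN", None, None, None, "allow"),
]


def isolation_violations(rules: List[Rule]) -> List[Flow]:
    """Probe flows that must never be allowed if the CDE is to stay one PC."""
    pci_pc, lan_host, internet_host = "10.99.0.10", "192.168.1.25", "198.51.100.7"
    probes = [
        Flow(pci_pc, lan_host, "tcp", 445),        # PCI PC reaching a LAN file share
        Flow(lan_host, pci_pc, "tcp", 3389),       # LAN host reaching the PCI PC
        Flow(internet_host, pci_pc, "tcp", 443),   # unsolicited inbound from the Internet
        Flow(pci_pc, internet_host, "tcp", 443),   # HTTPS to an arbitrary Internet host
    ]
    return [f for f in probes if evaluate(f, rules) == "allow"]


if __name__ == "__main__":
    print("VT reachable:", evaluate(Flow("10.99.0.10", "203.0.113.10", "tcp", 443), POLICY))
    print("violations:", isolation_violations(POLICY))
```

The point of restricting PCI egress to the processor's address rather than "any HTTPS" is that a deny-all between zones says nothing about what the PC can reach on the Internet; the probe list is where you record every flow the design promises to block, so a later rule change that reopens one of them shows up as a non-empty violation list.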


buggalugs

9,243 posts

236 months

Tuesday 3rd March 2015
I would say get a man in as that's been a successful strategy in the past both in terms of achieving compliance and using their knowledge of payment methods to streamline processes and reduce costs, but for three card payments a month it doesn't seem worth it.

I think the fines are proportional to the amount you process? Maybe work out what the fines would be before deciding what to do?

andy-xr

13,204 posts

203 months

Tuesday 3rd March 2015
Technology is just a part. An important part, but a part nonetheless.

I've always used Foregenix when it's come to this, they know what they're doing and they can get you ready. Most of it to be honest is mind change, taking away some of the old routines that can creep in.

toddler

Original Poster:

1,245 posts

235 months

Tuesday 3rd March 2015
Thanks for the comments. Worldpay sent me a link to their SaferPayments scheme. I completed the profile wizard (18 basic questions), and based on my responses, it told me to complete Self Assessment Questionnaire SAQ C-vt. However, one of the requirements to complete SAQ C-vt is:

“Your company accesses the PCI DSS compliant virtual terminal solution via a computer that is
isolated in a single location, and is not connected to other locations or systems within your
environment (this can be achieved via a firewall or network segmentation to isolate the computer
from other systems)”

I was scratching my head trying to work out how Worldpay had determined that I met that requirement without actually asking me anything about my network configuration, when I stumbled across this:

"The “isolation” is in the form of the use of HTTPS as the TLS key is provided by the transaction processor and your equipment cannot decrypt the data stream. According to the PCI SSC, encrypted communications is an acceptable form of network segmentation as long as the intermediate devices/systems cannot decrypt the communications." (https://pciguru.wordpress.com/mmiscellaneous-questions-page/#comment-39991)

So HTTPS=network segmentation. Whoda thunk it.

Anyway, SAQ C-vt it is. 74 questions of which Worldpay has helpfully answered 55 for me based on my profile responses. For example:

"1.2.1(a) Have you restricted inbound and outbound traffic to what is needed for your cardholder data environment?"

"1.2.1(b) Do you deny all other unauthorised inbound and outbound connections with your card environment?"

Worldpay has auto-answered "Yes" to both these questions for me. How the hell do they know? The profile wizard asked absolutely nothing about my network setup.

Anyway, rant over. Time for a beer and I'll look at it again tomorrow.


Bullett

10,873 posts

183 months

Tuesday 3rd March 2015
My involvement is that it is about the storage and transmission of the PAN and security codes. If you don't store them and transmission to Worldpay is via HTTPS then they sound like they are happy with your set up from an IT perspective.

Do you record calls? Make sure you don't record card calls and also make sure customers don't email you card details.

Process and procedure is another thing again.

If in doubt you need to get a QSA in. Even major corporations disagree on what they can and can't do.

P924

1,272 posts

181 months

Tuesday 3rd March 2015
Yeah that should do it, though I'm guessing Worldpay will happily charge you £10 a month to be non-compliant, in which case do it!!

ETA: you'll have to review firewall logs weekly, apply full change control to the firewall and the VT, etc, etc


Edited by P924 on Tuesday 3rd March 21:36
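The weekly firewall-log review P924 mentions is easier to keep up with if it is scripted. The Python below is an added example for this thread, not anything from the poster or from Worldpay: it reads constructed sample log lines in an assumed key=value format (the regex would need adapting to a real firewall's output), flags any allowed flow between the PCI zone and the LAN, flags allowed PCI egress to a destination outside a constructed allow-list, and tallies denied attempts by source so a noisy host can be looked into.

```python
"""
Weekly review of zone-firewall logs for the segmented virtual-terminal PC.
Log lines are a constructed key=value format (assumption: adapt LOG_RE to
whatever your firewall emits). The review reports:
  1. any ALLOWED flow between the PCI zone and the LAN (the deny rules are
     not doing their job),
  2. any allowed PCI egress to a destination outside the expected allow-list,
  3. denied attempts tallied by source address, and
  4. a count of lines that could not be parsed (worth a look, never a crash).
"""
import re
from collections import Counter
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src_zone=(?P<src_zone>\S+)\s+dst_zone=(?P<dst_zone>\S+)\s+"
    r"action=(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)

# Constructed sample week of logs (not real data)
SAMPLE_LOG = """\
2015-03-02T09:14:03Z src_zone=PCI dst_zone=WAN action=allow src=10.99.0.10 dst=203.0.113.10 proto=tcp dport=443
2015-03-02T11:02:41Z src_zone=LAN dst_zone=PCI action=deny src=192.168.1.25 dst=10.99.0.10 proto=tcp dport=445
2015-03-03T08:30:12Z src_zone=LAN dst_zone=PCI action=deny src=192.168.1.25 dst=10.99.0.10 proto=tcp dport=3389
2015-03-03T16:45:55Z src_zone=PCI dst_zone=LAN action=deny src=10.99.0.10 dst=192.168.1.5 proto=udp dport=137
2015-03-04T14:55:09Z src_zone=PCI dst_zone=LAN action=allow src=10.99.0.10 dst=192.168.1.5 proto=tcp dport=445
2015-03-05T10:01:57Z src_zone=PCI dst_zone=WAN action=allow src=10.99.0.10 dst=198.51.100.7 proto=tcp dport=443
this line is malformed and should be counted, not crashed on
"""

# Constructed allow-list of what the PCI PC may reach on the Internet
# (placeholder processor endpoint and resolver, not Worldpay's real addresses)
EXPECTED_EGRESS = {("203.0.113.10", "tcp", 443), ("203.0.113.53", "udp", 53)}


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def review(log_text: str, expected_egress=EXPECTED_EGRESS) -> Dict[str, object]:
    """Summarise a log extract into the findings a weekly reviewer acts on."""
    cross_zone_allows: List[dict] = []
    unexpected_egress: List[dict] = []
    denied_by_source: Counter = Counter()
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        zones = {rec["src_zone"], rec["dst_zone"]}
        if rec["action"] == "deny" and "PCI" in zones:
            # Blocked as intended; the tally shows who keeps knocking
            denied_by_source[rec["src"]] += 1
        elif rec["action"] == "allow":
            if zones == {"PCI", "LAN"}:
                cross_zone_allows.append(rec)   # segmentation breach
            elif rec["src_zone"] == "PCI" and rec["dst_zone"] == "WAN":
                if (rec["dst"], rec["proto"], rec["dport"]) not in expected_egress:
                    unexpected_egress.append(rec)   # PCI PC talking to something new
    return {
        "cross_zone_allows": cross_zone_allows,
        "unexpected_egress": unexpected_egress,
        "denied_by_source": denied_by_source,
        "malformed": malformed,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a week of exported logs, the two "allow" lists should normally be empty; anything in them is either a rule change that was not meant to happen or a change that needs to go through the change control P924 refers to. The deny tally is informational, but a LAN host repeatedly probing the PCI PC is worth a look.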

toddler

Original Poster:

1,245 posts

235 months

Tuesday 3rd March 2015
Bullett said:
My involvement is that it is about the storage and transmission of the PAN and security codes. If you don't store them and transmission to Worldpay is via HTTPS then they sound like they are happy with your set up from an IT perspective.

Do you record calls? Make sure you don't record card calls and also make sure customers don't email you card details.

Process and procedure is another thing again.

If in doubt you need to get a QSA in. Even major corporations disagree on what they can and can't do.
We don't store cardholder data, record calls or receive cardholder data by email. A customer will phone me, give me their card details over the phone, I key them into the Worldpay virtual terminal and hit Go.

Haven't even started thinking about processes and procedures yet.

toddler

Original Poster:

1,245 posts

235 months

Tuesday 3rd March 2015
P924 said:
Yeah that should do it, though I'm guessing Worldpay will happily charge you £10 a month to be non-compliant, in which case do it!!

ETA: you'll have to review firewall logs weekly, apply full change control to the firewall and the VT, etc, etc


Edited by P924 on Tuesday 3rd March 21:36
Is that an option? Just pay Worldpay their £10/month non-compliance fee and forget about it?

buggalugs

9,243 posts

236 months

Wednesday 4th March 2015
I have someone who was until recently paying £800 a month... yikes

Sounds like you're there anyway.

P924

1,272 posts

181 months

Wednesday 4th March 2015
From the OP, I'm assuming you would be Merchant Level 4 (Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.) In which case it's quite common for a £10 monthly charge for non-compliance.


toddler

Original Poster:

1,245 posts

235 months

Wednesday 4th March 2015
P924 said:
From the OP, I'm assuming you would be Merchant Level 4 (Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.) In which case it's quite common for a £10 monthly charge for non-compliance.
Yea, we're a Merchant Level 4. We've had a letter from Worldpay saying they'll be charging us £10/month non-compliance fee.

How long could we get away with just paying the fee before Worldpay insist we become compliant or close down our merchant account?