PCI DSS question
azadali77
Posts: 18 Forumite


in Techie Stuff
Hi,
I need some help with regards to PCI DSS compliance. BT (who is my broadband provider) can't seem to answer this question. Can anyone tell me how I go about solving this problem? How do I check for this? Any help would be greatly appreciated.
"Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?"
And this is the PCI Council guideline:
"Information
PCI Council Guidelines
The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and "invisibly" enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information.
Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
PCI Audit Procedures
Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.
0
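The audit procedure quoted in the question, as an added example that is not part of the original thread: a Python check over an ordered, first-match firewall rule list that reports wireless-to-CDE traffic permitted outside an authorised list and a missing blanket deny. The subnets, the authorised flow and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan (assumption, not from the thread).
WIRELESS = ipaddress.ip_network("192.168.20.0/24")  # Wi-Fi segment
CDE = ipaddress.ip_network("192.168.10.0/24")       # cardholder data environment
# Flows the business has authorised into the CDE: (destination, protocol, port).
AUTHORISED = [(ipaddress.ip_network("192.168.10.5/32"), "tcp", 443)]

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str = "any"
    port: Optional[int] = None  # None means any port

def audit(rules):
    """Audit an ordered, first-match rule list for the wireless-to-CDE path."""
    findings = []
    for number, rule in enumerate(rules, 1):
        src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        if not (src.overlaps(WIRELESS) and dst.overlaps(CDE)):
            continue  # rule cannot match wireless-to-CDE traffic
        if rule.action == "deny":
            if (WIRELESS.subnet_of(src) and CDE.subnet_of(dst)
                    and rule.proto == "any" and rule.port is None):
                return findings  # blanket deny: later rules never match this path
            continue  # narrower denies are ignored, which errs towards flagging
        allowed = any(dst.subnet_of(net) and rule.proto == proto and rule.port == port
                      for net, proto, port in AUTHORISED)
        if not allowed:
            findings.append(f"rule {number}: permits unauthorised wireless-to-CDE traffic")
    findings.append("no blanket deny from wireless to CDE")
    return findings

# Constructed rule sets: one flat network, one segmented.
FLAT = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0")]
SEGMENTED = [
    Rule("permit", "192.168.20.0/24", "192.168.10.5/32", "tcp", 443),
    Rule("deny", "192.168.20.0/24", "192.168.10.0/24"),
    Rule("permit", "192.168.20.0/24", "0.0.0.0/0"),  # Wi-Fi clients to the internet
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules) or "OK")
```

The flat rule set yields two findings (an unauthorised permit and no blanket deny), while the segmented one yields none.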
Comments
-
I think you'd need to describe your configuration in some detail before anyone could clarify the requirements for you. Basically it's asking what you have between your wireless network and the network where cardholder data is stored.
-
If you're using BT broadband kit, you'll probably fail on that. Because if someone could gain access to your WiFi network, there would be nothing in between stopping them from getting to the area where card data is stored.
-
I think you might need to consider paying somebody who understands PCI to assess your network and connection to determine if it is compliant. I assume this must be for business use, so it'll be a business expense.
-
Yes, it's a restaurant business. I have spoken to an IT specialist and they have quoted £1200. Does that seem about right to anyone? I don't know why BT can't provide that service to separate the networks, even if they charged for it.
-
If this is a restaurant, then do you have any need to store cardholder data (the section you quoted mentions this), rather than just processing cards with a terminal when people pay for their meals so you only have the information transiently (or indeed not at all if it's processed through the merchant supplied terminal and goes nowhere near your computer)?
If you are going to be storing card numbers, then you are going to need (at least) internal firewalls to segment your network to comply with the text you quoted.
In my workplace we don't store card numbers, online purchases are made using a form on the merchant's site to accept payment, so our site never sees the card number, and if someone makes a purchase over the phone then the number is typed directly into the online terminal on the merchant's site while they are still on the phone, it is never written down or stored on a computer. Doing it that way makes complying with PCI DSS much less work, because lots of it becomes "not applicable".
If you don't know the answers to any of the questions, then you really need to get professional advice.
Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
-
No, we don't physically hold any credit card data. But saferpayment say because we are taking the payments via wifi we need to have the networks segregated on the router.
-
-
Yes - find out what the quote is for. You could do this by purchasing a firewall and separate wifi access points for a few hundred quid.
-
The quote is for hardware £628 and service £500. Just had another quote for £414 plus VAT. When I spoke to both companies they said that BT business hub don't comply with PCI, and even BT have said to me that I have to get my own router if I want to comply.
If I get a separate wifi point, would I have to get another router?
-
Yes you will, as the BT Hub won't support the level of segregation that you need. That £414 quote looks good - get them to detail and break down the quote and I'm sure we can give you further advice.
Regards
This discussion has been closed.