PCI DSS question
Comments
Will do. Thank you.

Here's a breakdown of the quote:
1 x Business Class Router/Firewall @ £225 + VAT
2 x Orbits Hourly Labour @ £60 + VAT Each
Total Cost: £414 inc. VAT

Is this just to install the router, configure the firewall, possibly set up a VPN and change the default passwords, or is this the quote for the whole solution excluding hardware? The router should be doable in two hours. I think it is a very competitive quote.

salfordfreddy wrote: »If you're using BT broadband kit, you'll probably fail on that, because if someone could gain access to your WiFi network there would be nothing in between stopping them from getting to the area where card data is stored.
If you're talking about the BTWifi access point part, which allows anyone on BT to access your wifi, then that statement is wrong. Whilst they access the wifi interface and the WAN interface on your router, it is set up in such a way that they can't access anything connected to your LAN, whether cabled or wireless.

Is this just to install the router, configure the firewall, possibly set up a VPN and change the default passwords, or is this the quote for the whole solution excluding hardware? The router should be doable in two hours. I think it is a very competitive quote.
The problem is BT say the router is safe, but Worldpay want the networks segregated, which BT can't do, so either way I have to pay for the router.
This is all the info in the quote. There's a cheaper option without the wifi enabled. I suppose I have to ask them if all of the above is included.
"Option 1 (WiFi Enabled – Recommended)
1 x Business Class Router/Firewall @ £225 + VAT
2 x Orbits Hourly Labour @ £60 + VAT Each
Total Cost: £414 inc. VAT
Orbits will liaise with the payment provider to ensure that the necessary compliance test is passed to the required standard."

To be honest, I can see the documentation alone taking up 2 hours, if not more. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1484591039430 Then the quarterly wifi scan by a PCI-approved person, about $250 a year (UK price ???). Half-yearly checks on the firewall. Then there is the maintenance, backups and configuration, and certificates.
I would either bypass PCI by using an Apple/Android app and widget that plugs onto a mobile, or buy a service, or buy a reader that accepts a SIM card, as there seem to be a good few time-consuming bits and configuration associated with it, and for a small business it may be too complicated and costly, both in time and money.
http://www.phonetransact.com/
http://www.payanywhere.com/
https://www.handpoint.com/
https://www.nerdwallet.com/blog/small-business/pos-systems-point-of-sale-restaurants/

Thank you all for replying. This is getting even more complicated now.
I've got one more question. Does anyone know if I can go with another broadband company who could supply me with a secure router?
Just checked on Virgin broadband and they supply a business-grade (Hitron) router. I'm going to give them a call in the morning and check if the router complies with PCI DSS. It might be cheaper in the long run.

Every ISP supplies a [STRIKE]crummy cheap[/STRIKE] cost-effective router.
Cisco, SonicWall, Zyxel, Digi, BEC Technologies and others do them. You will probably not get one for £50.
They are mini computers that handle network traffic and need to be specially set up for YOU. It is not something you pull out of the freezer and stick in the microwave, like an oven-ready meal.
Here are some DSS configuration notes, for a 3.1 implementation, but worth a read. http://bectechnologies.net/wordpress/wp-content/uploads/2015/12/BEC_PCI_DSS_3-1_Whitepaper_2015.pdf
Have you contacted your bank to see what they recommend?
Personally, I would contact http://www.draytek.co.uk/, but you have to be a techie to get all this working, though they may talk you through some of it.
A good option is to type "pci dss uk approved scan vendor" into Google, because these are the people that will be testing your configuration every quarter, and you do not want a solution that never gets certified, fails or is unreliable. You probably want 3G/4G failover too?
That £414 quote was also very fair. I guess they see it as the supply, install and configuration of a new router, but you may expect the whole system to be configured for that price. I could be wrong; phone them and give them the PCI DSS specs.
Also, in year 2 these routers will most likely have a software update cost associated with them, possibly a break/fix maintenance cost too, and you need to find that out because it could be £100s.
Hitron might be a business router, but that does not mean it is PCI v3.2 compliant. If it is compliant, you have to find someone who can configure it, and the ISP will only be interested in the default set-up; you are on your own for the rest.
For a small business this alternative sounds great, but again I do not know the operating cost. https://www.semafone.com/wp-content/uploads/2013/01/SEM-Whitepaper_UK_Content_LR.pdf
Also, the quote in the first post is a very small subsection of the Guidance column of point 1.2.3, and there is much, much more to it. https://pcicompliance.stanford.edu/sites/default/files/pci_dss_v3-2.pdf
Interpreting the specs, '1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone': you have to have a firewall between you and the outside world. Internal network segregation is done via wifi encryption and IP ranges. So a minimum of 2 ranges: 1 for wifi reader traffic, which is blocked by the firewall, and one for card processing, which the firewall inspects and lets through. Possibly a third IP range for customer wifi? POS devices will have certificates too?
I think you will need a fixed IP from the ISP too.
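As an added example, not from the thread and not Orbits', BT's or Virgin's configuration, here is the segregation the post above describes written out as an nftables ruleset for a Linux-based router/firewall. It assumes three interfaces that the thread never names (eth0 to the Internet, eth1 for the card-data segment with the POS terminals, wlan0 for customer wifi), two private ranges, and placeholder addresses for the payment provider's gateway; replace all of those with your own. It goes slightly beyond the post by adding the customer-wifi range as a third segment. The point it makes that the post leaves implicit: the separation is enforced by a default-drop policy between the ranges, so the POS segment can only reach the payment gateway and nothing can reach the POS segment from the Internet or from guest wifi.

```nftables
#!/usr/sbin/nft -f
# Added example for the thread, not a vendor's configuration.
# Assumptions (not from the page): eth0 = Internet uplink behind the ISP modem,
# eth1 = card-data environment (POS terminals only), wlan0 = customer wifi.
# The payment-gateway addresses are placeholders from the documentation range.
flush ruleset

define wan       = "eth0"
define cde       = "eth1"       # card-data environment, PCI DSS scope
define guest     = "wlan0"      # customer wifi, must never reach the CDE
define cde_net   = 10.10.1.0/24
define guest_net = 10.10.2.0/24
define pay_gw    = { 203.0.113.10, 203.0.113.11 }   # placeholder: provider's published IPs

table inet pci {
    chain input {
        # Traffic to the router itself: drop everything not listed below.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Router management only from the card-data segment, SSH only.
        iifname $cde tcp dport 22 accept
        # DHCP and DNS served by the router to both segments (assumes dnsmasq or similar).
        iifname $cde   udp dport { 53, 67 } accept
        iifname $guest udp dport { 53, 67 } accept
        # Nothing unsolicited from the Internet reaches the router (1.1.4, 1.2.1).
    }

    chain forward {
        # Traffic between segments and to the Internet: default deny (1.2.1).
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # POS terminals may only talk to the payment gateway over TLS.
        iifname $cde oifname $wan ip saddr $cde_net ip daddr $pay_gw tcp dport 443 accept
        # Customer wifi gets Internet access and nothing else.
        iifname $guest oifname $wan ip saddr $guest_net accept
        # Guest -> CDE and Internet -> CDE fall to the drop policy; log the attempts
        # so the daily log review (10.6) can see them.
        iifname $guest oifname $cde log prefix "pci-seg-violation: " drop
        iifname $wan   oifname $cde log prefix "pci-inbound-blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        # Hide both private ranges behind the router's single public (fixed) address.
        type nat hook postrouting priority 100; policy accept;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` from the router's startup configuration and check it with `nft list ruleset`. The ruleset is only the technical half of what the quote and the thread are talking about: PCI DSS 3.2 also expects the rule set to be reviewed at least every six months (1.1.7), the segmentation to be tested by penetration testing at least annually and after any change to it (11.3.4), and the logs to be reviewed (10.6), which is where the ongoing labour cost discussed above comes from.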