
DSS PCI & Remote Access Programs


TobeThor

Jan 24, 2005
It was mentioned in another thread that only outbound traffic was allowed on a PC that handled credit card data. If that is correct, how does that rule affect the use of programs like PCA, logmein and gotomypc to access the card holder PC remotely to perform routine daily maintenance?
 
Oh boy! I expect that this could become a lively discussion. First, let's look at the applicable PCI requirements:
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.
1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
These regulations say that you can access your cardholder data environment remotely, but it needs to be done in a very controlled fashion. By themselves, PCA, logmein and gotomypc don't cut it. The biggest area where they fall short is in regard to two-factor authentication. They don't have that provision built-in. Some people are using as the second authentication factor with those apps.

I've got to run right now. I'll revisit this a bit later.
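The requirements quoted above (1.3.2, 1.3.3 and 1.3.5 in particular) can be checked mechanically against a firewall policy. The following is an added example, not code from this thread or from any vendor: the Rule format, the zone names and the sample rule set are constructed for illustration. The two rules named "remote-control-listener" and "agent-phone-home" model the two remote-access styles the thread discusses (an inbound listener on the POS host, and an outbound-only agent that calls a hosted service); note that the outbound-only agent is still flagged, because 1.3.5 permits outbound CDE traffic only to addresses inside the DMZ.

```python
"""Check a firewall rule set against the PCI DSS 1.3.x segmentation rules
quoted in the post above: inbound Internet traffic may only terminate in
the DMZ, and the cardholder data environment (CDE) may reach the Internet
only through the DMZ, with no direct route in either direction.

Added example. The Rule format, the zone names and SAMPLE_RULES are
constructed for illustration; they are not a vendor's configuration syntax.
"""
from dataclasses import dataclass

INTERNET = "internet"
DMZ = "dmz"
CDE = "cde"          # cardholder data environment
CORP = "corp"        # ordinary office LAN, outside the CDE


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int          # 0 = any
    action: str        # "allow" or "deny"
    name: str


def audit_rules(rules):
    """Return a list of (rule name, PCI requirement, reason) findings.

    Only 'allow' rules can open a forbidden path, so deny rules are skipped.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src_zone == INTERNET:
            if r.dst_zone == CDE:
                # 1.3.3: no direct inbound route between the Internet and the CDE
                findings.append((r.name, "1.3.3",
                                 "direct inbound route from the Internet to the CDE"))
            elif r.dst_zone != DMZ:
                # 1.3.2: inbound Internet traffic is limited to DMZ addresses
                findings.append((r.name, "1.3.2",
                                 f"inbound Internet traffic terminates in '{r.dst_zone}', not the DMZ"))
        elif r.src_zone == CDE and r.dst_zone == INTERNET:
            # 1.3.5: outbound CDE traffic may only reach addresses within the DMZ
            findings.append((r.name, "1.3.5",
                             "outbound CDE traffic reaches the Internet directly instead of the DMZ"))
    return findings


# Constructed sample policy. The two 'allow' rules before the default deny
# model the remote-access styles discussed in the thread: an inbound
# remote-control listener on the POS host, and an outbound-only agent that
# phones home to a hosted service.
SAMPLE_RULES = [
    Rule(INTERNET, DMZ, "tcp", 443, "allow", "vpn-gateway-in-dmz"),
    Rule(DMZ, CDE, "tcp", 3389, "allow", "jump-host-to-pos"),
    Rule(CDE, DMZ, "tcp", 443, "allow", "pos-to-dmz-proxy"),
    Rule(INTERNET, CORP, "tcp", 25, "allow", "smtp-direct-to-lan"),
    Rule(INTERNET, CDE, "tcp", 5631, "allow", "remote-control-listener"),
    Rule(CDE, INTERNET, "tcp", 443, "allow", "agent-phone-home"),
    Rule(INTERNET, CDE, "any", 0, "deny", "default-deny"),
]

if __name__ == "__main__":
    for name, req, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: violates {req} ({reason})")
```

Run as-is, the audit passes the VPN gateway in the DMZ, the DMZ jump host into the POS segment and the POS-to-DMZ proxy path, and reports the three remaining allow rules. That is the shape of a compliant design for remote maintenance: the remote-control tool terminates on something in the DMZ, and only the DMZ is allowed to reach the cardholder hosts.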
 
Great response and I am looking forward to more.
The first question that pops into my head is: are the remote utilities mentioned (PCA, logmein, gotomypc) planning on releasing two-factor authentication? It would seem a logical step.
 
The way I use two-factor authentication is that our network is not visible from the internet. A VPN connection is required, which requires authentication; then the resource to access the POS system requires another level of authentication. Plus, the use of strong passwords and password rotation.

Radiant's Command Center product (formerly RDF) does use two-factor authentication. You have a username and password that rotates, then you need an RSA key authentication. The RDF service at the location allows no incoming connections, and is only initiated via outbound requests, and also logs all your activity. So, for a support product, this works well. It doesn't cover all your security requirements though.

-My above explanations are a bit simplified.




MegabyteCoffee.com
 
Sorry, I just got back in.

Now, a big concern with using logmein and the like is that you are entrusting the credentials to access your network to a third party. If they get compromised, your environment is then exposed. Since these providers represent a goldmine of keys to many systems, their sites are high-value targets. You are placing yourself at their mercy. However, I would probably trust these folks to know more about security and take it more seriously than your typical small retailer.

Also, don't forget that PCI requires you to maintain logs of all access into your cardholder data environment for one year. If you use one of these third-party solutions, you must make sure that you can access logs from the provider as well as your own systems and make sure that they are time-synched and can be reconciled.
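The point about provider logs being time-synched and reconcilable against your own is easy to state and tedious to do by hand. Below is an added example (not code from the thread, and not any provider's export format) that normalises a third-party session log and a local firewall log to UTC and pairs them up: the two log formats, host names, addresses and timestamps are constructed for illustration, and the firewall's time zone is an assumed UTC-5.

```python
"""Reconcile a remote-access provider's session export against the merchant's
own firewall log, so that every third-party session into the cardholder
environment is corroborated by a local record (and vice versa), with both
clocks normalised to UTC first.

Added example. Both log formats, the host names, addresses and timestamps are
constructed for illustration; a real provider export and a real firewall log
will differ, and only the two parse_* functions would need changing.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed provider export: ISO-8601 UTC timestamps, one event per line.
PROVIDER_LOG = """\
2009-01-20T19:02:11Z session=start user=tech1 target=POS-01
2009-01-20T19:41:30Z session=end   user=tech1 target=POS-01
2009-01-21T03:15:02Z session=start user=tech2 target=POS-01
"""

# Constructed firewall log: syslog-style, no year, written in the firewall's
# local time (assumed UTC-5 here), recording accepted inbound connections to
# the POS host.
FIREWALL_LOG = """\
Jan 20 14:02:09 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.5.20 DPT=443
Jan 20 16:30:44 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.5.20 DPT=443
"""
FIREWALL_TZ = timezone(timedelta(hours=-5))  # assumed offset of the firewall's clock
FIREWALL_YEAR = 2009  # syslog lines carry no year; supplied from the log's context

PROVIDER_RE = re.compile(r"^(\S+) session=start user=(\S+) target=(\S+)")
FIREWALL_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: ACCEPT .*SRC=(\S+) DST=(\S+)")


def parse_provider(text):
    """Session starts from the provider export, timestamps converted to UTC."""
    sessions = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            continue  # session=end and anything unrecognised are ignored here
        when = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        sessions.append({"when": when.astimezone(timezone.utc),
                         "user": m.group(2), "target": m.group(3), "line": line})
    return sessions


def parse_firewall(text, year=FIREWALL_YEAR, local_tz=FIREWALL_TZ):
    """Accepted inbound connections from the firewall log, timestamps in UTC."""
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        when = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append({"when": when, "src": m.group(2), "dst": m.group(3), "line": line})
    return events


def reconcile(sessions, events, tolerance=timedelta(seconds=60)):
    """Pair each provider session with the nearest unclaimed firewall event
    within `tolerance`. Returns (matched pairs, provider sessions with no local
    record, firewall events with no provider record)."""
    unclaimed = list(events)
    matched, orphan_sessions = [], []
    for s in sessions:
        candidates = [e for e in unclaimed if abs(e["when"] - s["when"]) <= tolerance]
        if not candidates:
            orphan_sessions.append(s)
            continue
        hit = min(candidates, key=lambda e: abs(e["when"] - s["when"]))
        unclaimed.remove(hit)
        matched.append((s, hit))
    return matched, orphan_sessions, unclaimed


def run_sample():
    return reconcile(parse_provider(PROVIDER_LOG), parse_firewall(FIREWALL_LOG))


if __name__ == "__main__":
    matched, orphan_sessions, orphan_events = run_sample()
    for s, e in matched:
        print("matched:", s["user"], "<->", e["src"], "clock skew", abs(e["when"] - s["when"]))
    for s in orphan_sessions:
        print("provider session without a firewall record:", s["line"])
    for e in orphan_events:
        print("firewall connection without a provider session:", e["line"])
```

On the constructed data, tech1's session matches a firewall record two seconds apart, tech2's session has no local record at all, and one accepted connection has no provider session behind it. Each orphan on either side is something the reviewer has to explain: a clock that is not synchronised (widen the tolerance and the orphans pair up), a session that reached the cardholder host without passing the firewall, or a gap in one of the two retention stores.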

 
Routine maintenance is only part of the problem. Our remote access requires a VPN to connect to our network and then the remote control requires Windows authentication.

Vendor support is what got us stuck for a while. Micros uses PCI certified versions of Netsupport or Vigilix for their dial-in work. Thankfully most of our other vendors have started using WebEx sessions when they have to get in.
 
Routine maintenance is only part of the problem. Our remote access requires a VPN to connect to our network and then the remote control requires Windows authentication.

Unless I'm missing something, what you are doing is simply multiple instances of the same factor, username/password. The first instance is when you connect to your VPN, the second is your Windows authentication. You need to employ another factor. Something like smart tokens, biometrics, mag cards, phones, etc.


 
partptier is correct, VPN auth and Windows auth are the same factor.
 
pcAnywhere below version 12 is not PCI compliant and should not be used.

Logmein communicates on a secure port through the firewall and is considered by many as being secure.

A PCI-Compliant Hardware Firewall (such as the Sonicwall TZ180 which is endorsed by the PCI Council) is also strongly recommended. Basic consumer-grade router/firewall products are not considered secure.

Not mentioned is that the PCI Council requires Level 4 merchants to do a self-audit annually and submit it to their processor. The Self-Assessment Questionnaire can be found at:
Quarterly, the merchant is supposed to have a PCI certified firm do intrusion testing on their network. Of course, the merchant bears the cost of all of this.

Qualys offers the merchant a lower-cost way to tackle the two above tasks. They sell, on an annual subscription, a PC-based Self-Assessment Questionnaire and will do the quarterly intrusion testing of your network. They are PCI certified. What that means is that if you pass the Self-Assessment Questionnaire, they submit it as an authorized tester representing your company. If you are deficient in any area, you can contact your local reseller for assistance or contact Qualys. For more information:
I hope that sheds a bit more light on this complex issue.

On a side note regarding PCI: I find it very interesting that the credit card companies set up their own "council" to establish security benchmarks. They have made the standard so complex that an average person cannot make heads or tails of it. More to the point: after years of raking in profits from fees and billions of dollars spent encouraging consumers to use credit cards on a very informal and insecure network, they are now in effect pushing the cost of doing business securely onto the merchants. And on the off chance you get breached, the same company that is processing your credit cards has the right (given by whom?) to charge your business into bankruptcy for this loss. What other vendor do you do business with that has the right to charge you if you don't do everything right their way? The relationship with the credit card processing companies has turned into a very odd thing. I often wonder today if it would be less expensive to purchase a MAC machine and take cash only at the POS?
 
I often wonder today if it would be less expensive to purchase a MAC machine and take cash only at the POS?
A MAC machine? You must be from the Philadelphia area. :)
And on the off chance you get breached, the same company that is processing your credit cards has the right (given by who?) to charge your business into bankruptcy for this loss.
You need to realize that compliance with the PCI-DSS standard is a contractual obligation that you agreed to when you signed your merchant agreement with your Acquirer. It is not being forced on you. You can do as you suggested above and only take cash for transactions. But, if you like offering your customers the convenience of using payment cards, you will pay for that service over and over.


However, I do not disagree with your sentiment. The PCI-DSS standard is dysfunctional at best. The merchant is paying for everything and we are the ones accepting all of the risk. Realize that Visa has never found a company that was breached to be PCI-compliant "at the time of the breach". That makes sense in a very odd fashion. But, it does nothing for us. We spent the money to become compliant to protect our customers, but also to protect our business entity from potential exposure. However, when we are breached, all of those protections we thought we had go right out the window when Visa, MC or other brand says, “You were not compliant at the time of the breach”. The money that we spent on insurance, bonds, etc. gets pissed away because they all state that we must be compliant.





 
Unless I'm missing something, what you are doing is simply multiple instances of the same factor, username/password. The first instance is when you connect to your VPN, the second is your Windows authentication. You need to employ another factor. Something like smart tokens, biometrics, mag cards, phones, etc.

Supposedly this is acceptable. Solutionary, the company we hired to bring us up to compliance, set it up. I should have mentioned that we're not using a Windows VPN. It's a monitored 3rd-party system that's being hosted by Solutionary. The logon credentials for the VPN aren't the same as our Windows logons and the MAC address has to be verified before it opens a connection.
 
Regarding the response that no one who is PCI Compliant has never been breached is not correct. I know of at least one instance in the past year where a site was PCI Compliant per the published standard but got breached. Everything I have learned is the PCI-DSS is a baseline for a minimum level of compliance.
 


Regarding the response that no one who is PCI Compliant has never been breached is not correct.
You misread my statement. I wrote the opposite:
Visa has never found a company that was breached to be PCI-compliant "at the time of the breach"
Companies that have been breached have never been found to be compliant









 