When XP sunsets soon I will be replacing my operating system on my BOH with either an embedded-type operating system or Windows 7. I can think of no other way around it to maintain PCI/DSS compliance.
If anyone can spell out a set of compensating controls to keep XP compliant for ALOHABOH I would love to hear them.
Now for my terminals I will stick with XP. My terminals are as locked down as you can get. There is only one subnet they can talk to (ALOHABOH and other terminals); there is NO INTERNET ACCESS POSSIBLE; terminals are only accessed via mag card. No flavor of .NET runs on the terminals. RealVNC is the only way to access them other than hooking up a keyboard or mouse, and I could probably make that impossible. RealVNC is encrypted. (I could get rid of VNC, but that would be a pain.) Explorer.exe does not run on the machine, so even with a keyboard about the only thing you might be able to access is the DOS prompt (the shell is basically cmd /c ibercfg.bat). The only cardholder environment on the FOH is in the encrypted trans log, and that gets securely erased every day by Aloha. There is no page file.
So as far as PCI compliance is concerned, I think I have my terminals covered via compensating controls.
I would be interested to hear from anyone who thinks I am not compliant with a win7 ALOHABOH and terminals as I have described.
Also, once again I would be interested in anyone's ideas about keeping XP on the BOH too and what could be done as a compensating control to keep that compliant.
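As an added example (not part of the original post), here is a local audit script that checks, on one terminal, the controls the post lists: the custom shell, no page file, no .NET, no default route off the POS subnet, no TCP peers outside that subnet, and RealVNC encryption. It assumes PowerShell 2.0 is installed on the XP SP3 terminal, that the POS subnet prefix is the placeholder value below, and that the RealVNC 4 server keeps its Encryption setting under HKLM\SOFTWARE\RealVNC\WinVNC4 (an assumption; adjust the path for your version).

```powershell
# Added audit example; assumes PowerShell 2.0 on the terminal.
$AllowedSubnet = '192.168.10.'   # placeholder: prefix of the ALOHABOH/terminal subnet
$Findings = @()

function Add-Finding($Control, $Pass, $Detail) {
    $script:Findings += New-Object PSObject -Property @{Control=$Control; Pass=[bool]$Pass; Detail=$Detail}
}

# 1. Winlogon shell is the Aloha batch file, not explorer.exe
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
Add-Finding 'Custom shell (no explorer.exe)' ($shell -notmatch 'explorer') "Shell=$shell"

# 2. No page file configured (PagingFiles is empty or absent)
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$pf = (Get-ItemProperty $mm).PagingFiles
Add-Finding 'No page file' ([string]::IsNullOrEmpty((($pf -join '').Trim()))) "PagingFiles=$pf"

# 3. No .NET Framework present (no NDP setup key)
$dotnet = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
Add-Finding 'No .NET Framework' (-not $dotnet) "NDP key present: $dotnet"

# 4. No default route: without a 0.0.0.0 route there is no path to the internet
$default = @(Get-WmiObject Win32_IP4RouteTable | Where-Object { $_.Destination -eq '0.0.0.0' })
Add-Finding 'No default route' ($default.Count -eq 0) "Default routes: $($default.Count)"

# 5. Every current TCP peer is on the POS subnet (or loopback)
$foreign = @(netstat -n | Select-String '^\s*TCP' | ForEach-Object { ($_.Line -split '\s+')[3] } |
    Where-Object { $_ -notlike "$AllowedSubnet*" -and $_ -notlike '127.*' })
Add-Finding 'TCP peers only on POS subnet' ($foreign.Count -eq 0) ($foreign -join ', ')

# 6. RealVNC 4 server requires encryption (key path is an assumption; adjust for your version)
$vnc = 'HKLM:\SOFTWARE\RealVNC\WinVNC4'
$enc = if (Test-Path $vnc) { (Get-ItemProperty $vnc).Encryption } else { 'key not found' }
Add-Finding 'RealVNC encryption AlwaysOn' ($enc -eq 'AlwaysOn') "Encryption=$enc"

$Findings | Format-Table Control, Pass, Detail -AutoSize
$failed = @($Findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed control(s) failed"
exit $failed
```

A clean run only shows the machine matches the configuration described; whether that set of controls is accepted as compensating controls is a decision for the assessor, so keep the output with the rest of the evidence.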