Terminals - Single Use
hodog
04-24-2007, 12:37 PM
Our PCI consultant has stated we need to lock down our virtual terminals as they transfer credit card information. The workstations should be on a separate network and be for card processing use only. Currently users just pull up a website, but now we will need to reduce the number of workstations as they cannot use other applications on the workstations (single use) or put 2 workstations on their desks! Does anyone have a better solution? I'm still trying to figure out why this is a more secure model...
Thx
HO
jbhall56
04-24-2007, 01:13 PM
In order to give you a reasonable answer, I have a couple of questions.
- When you say card processing, are we talking one credit card transaction at a time or bulk processing of lots of transactions at a time?
- Do these users have access to bulk credit card data? Are they able to see the full PAN or other sensitive information?
- Does the browser-based application run over an SSL connection? I'm assuming it's an internal use only application.
- Are we talking all thin client terminals, all PCs or a mix? If you have PCs, are they running current OSes or older OSes that are no longer supported such as Windows ME or Windows 95?
I think it's possible that your PCI assessor might be over-reacting, but without additional information, it will be hard to give you an answer.
catech
04-25-2007, 04:56 AM
Are they VMs as in "Virtual Machines"? Or are they a secured website? The difference is significant. A true VM is a separate operating system, applications etc. running in a hosted system. The VM runs in separate memory space, utilizes separate clock cycles etc. If this is a web page going to a secure site, it is not a VM. If the computer has access to email, Internet and other applications it is very possible for that machine to become compromised with a bot, keylogger etc. Therefore anything that is entered on that machine's keyboard or swiped via card reader could be compromised as well. In this case I agree with your assessor: the machine that is entering CC information, whether it be single entry or bulk, would be subject to the DSS and should be locked down and protected. In an office environment where that company is responsible for the protection of its customers' CC info this is a logical and prudent step.
hodog
04-25-2007, 06:16 AM
Currently these are multi-use workstations with up to date patches, virus protection, etc. They open a browser (SSL) to process payments through a buy page one at a time. They have no access to cc# other than the typical mail/phone/fax scenario. I see the logic for locking down these machines, but the solution is to consolidate. This means more PAPER storage of data and a longer retention time. For example, currently they can take a phone order, put it in and there is no paper record. New system, they must write down cc#, move paper to consolidated workstation, then process, and destroy. My point is that this is now less secure. If anyone has a magic bullet on how to make processing convenient again, let me know!
thx,
HO
catech
04-25-2007, 11:15 AM
Currently these are multi-use workstations with up to date patches, virus protection, etc. They open a browser (SSL) to process payments through a buy page one at a time. They have no access to cc# other than the typical mail/phone/fax scenario. I see the logic for locking down these machines, but the solution is to consolidate. This means more PAPER storage of data and a longer retention time. For example, currently they can take a phone order, put it in and there is no paper record. New system, they must write down cc#, move paper to consolidated workstation, then process, and destroy. My point is that this is now less secure. If anyone has a magic bullet on how to make processing convenient again, let me know!
thx,
HO
Ok, so they are not virtual terminals! They are user workstations that I assume have access to the Internet? If so, and they are handling CC#s, whether it be by phone, fax or carrier pigeon, they are in scope and must therefore be protected.
Curious as to why there would need to be a longer retention period on paper just to enter this information on a protected workstation? There are retention requirements for both paper and electronic. The step of having to write down the number to enter on a secure workstation is not part of the retention standard. Put a shredder (crosscut) by the secure workstation. Enter number, shred paper.
hodog
04-25-2007, 11:55 AM
The longer retention would be to wait for 'your turn' to process a payment. Phone orders we don't write anything down, but will need to start. Fax/Mail/carrier pigeon you process payment, black out cc#, copy, shred original. I also had a question on network segmentation. Requirement 1.1.3 requires a firewall. Our consultant says this implies segmentation of the entire card processing environment. Anyone have experience with this?
HO
jbhall56
04-29-2007, 06:56 AM
Okay, I think we're getting away from the original post.
Based on your answers thus far, I do not understand why your QSA told you that you need to have two systems on everyone's desk. What you describe is no different from any other standard PC-based processing environment. Unless your users have access to some application or physical data source that gives them uncontrolled access to cardholder data, the two-workstation requirement, in my opinion, is bogus.
You are likely having a communication problem with your QSA and need to take a step back and try again to listen to what they are really telling you and why.
I think there is much more to this issue than can be provided in this forum and you need to work through this with your QSA. If you cannot work through it with your current QSA, then you may need to consider getting another QSA to work with your current QSA or replace your existing QSA with a QSA that you can work with.
catech
05-21-2007, 11:21 AM
Nope, I think we're still on topic; the issue at hand is where compliance starts. In this case, the users are inputting credit card information (read: other people's credit cards, not their own). Therefore the business assumes responsibility for the customer's number, and therefore the entire path of CC processing needs to be compliant.
jbhall56
05-21-2007, 03:16 PM
I've gone back and re-read all of the posts. Based on what I've read, this is the situation as I understand it, so correct me if I've misinterpreted things.
We have traditional PCs on a network. These PCs have access to a variety of applications, one of which is a Web-based application that is used to process credit card orders. Personnel authorized to process credit card orders use this Web-based application to enter the order payments.
One thing that is missing in the posts is the security that surrounds the Web-based application. Are users 'automatically authorized' to access the Web application based on their network logon credentials or is there no security on the application? Do the users have to separately logon to the Web application regardless of the LAN logon? Are credentials to access the Web application properly authorized and approved?
Another thing not stated is when users are accessing this Web-based application do they inadvertently have access to all credit card data that has been entered?
Finally, is the Web application accessed using SSL, TLS or similar secure communication method?
The reason I'm asking is I'm still trying to understand your QSA's rationale for their comments. I'm hoping that the answers to these questions will clarify things.
K Heath
05-23-2007, 04:36 PM
My understanding, after reading this thread, is that the PC workstations used to process credit card transactions are part of a wider network. The "order processing" application is just one application run on the PCs on this network.
The QSA is possibly suggesting reducing risk and limiting the scope of PCI compliance by segregating the card processing environment from the rest of the business network. Rationale behind such a suggestion could be to reduce the compliance effort and audit scope for a company that has a small number of PC workstations processing credit card transactions, but a large number of connected devices (perhaps different operating systems in different locations). A compromise of a machine elsewhere on the network could result in access to credit card information stored, processed or transmitted in the "order processing" application. And yes Hodog, this segregation would be via a firewall with appropriate rules to restrict traffic to just that required.
That's just a guess, but would explain why the QSA would suggest segregating the card processing workstations.
Kelvin
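The segregation Kelvin describes (and the Requirement 1.1.3 firewall hodog asked about) comes down to a default-deny rule set between the card-processing segment and the rest of the office network, permitting only what the terminals need: HTTPS to the payment "buy page" and name resolution for it. The model below is an added example, not code from any poster; every address, network and rule in it is a constructed placeholder.

```python
"""Model of the firewall policy between a segregated card-processing
segment and the general office LAN. Added example; addresses are
constructed placeholders (RFC 1918 / RFC 5737), not a real deployment."""
from ipaddress import ip_address, ip_network

CARD_SEGMENT = ip_network("10.20.30.0/24")       # assumed: card-processing workstations
OFFICE_LAN = ip_network("10.10.0.0/16")          # assumed: general business network
PAYMENT_GATEWAY = ip_network("203.0.113.10/32")  # assumed: the HTTPS "buy page" host
DNS_RESOLVER = ip_network("10.20.30.1/32")       # assumed: resolver inside the segment

# Explicit allow list; any new flow not matched here is dropped (default deny).
# Rule shape: (source network, destination network, protocol, destination port)
ALLOW_RULES = [
    (CARD_SEGMENT, PAYMENT_GATEWAY, "tcp", 443),  # SSL/TLS to the payment page only
    (CARD_SEGMENT, DNS_RESOLVER, "udp", 53),      # name resolution for that host
]


def is_allowed(src, dst, proto, dport):
    """First-match evaluation of a new (not yet established) flow."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, p, port in ALLOW_RULES:
        if s in src_net and d in dst_net and proto == p and dport == port:
            return True
    return False  # default deny: web, mail and inbound LAN traffic all fall through


def policy_is_isolated():
    """Audit check: no rule lets traffic from the wider office LAN into the card
    segment, so a compromised office PC cannot reach the processing terminals."""
    for src_net, dst_net, _, _ in ALLOW_RULES:
        if src_net.overlaps(OFFICE_LAN) and dst_net.overlaps(CARD_SEGMENT):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: one terminal talking out, one office PC talking in.
    samples = [
        ("10.20.30.15", "203.0.113.10", "tcp", 443),   # payment page: allowed
        ("10.20.30.15", "198.51.100.7", "tcp", 80),    # general web: dropped
        ("10.20.30.15", "10.10.5.20", "tcp", 25),      # office mail server: dropped
        ("10.10.5.20", "10.20.30.15", "tcp", 445),     # inbound from office: dropped
    ]
    for flow in samples:
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
    print("office LAN isolated from card segment:", policy_is_isolated())
```

On a real gateway the same allow list would be expressed in the firewall's own syntax with an `established,related` accept ahead of it so return traffic for the permitted HTTPS session is not dropped.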