What about an application that "phones home"?


partpricer
02-22-2009, 09:51 AM
In our business we use an application for a retail POS system at some of our quickserve food outlets. We have run across an issue that we need to address and I could use some guidance.

We take PCI compliance very seriously and have our environments tightly locked down. The POS system runs in its own firewalled security zone with the only allowed connection outbound to our payment processor via SSL v3 connection to a specific IP. This is done through a proxy. There are no inbound connections allowed.

Now, the other day all of our credit and debit card transactions were failing. We went in and looked at the firewalls and saw that the connection to the processor was initiating correctly whenever a payment card transaction was attempted, but there was nothing being sent. We then turned to look at the application since nothing had changed in our security environment.

To make a long story short, after some extensive investigation we have found that this application periodically "phones home" to make sure that our license is up to date and valid. However, it initiates an outbound connection on port 80 to the developer's host site to accomplish this. Since we block all connections out of this zone other than the one mentioned above, the connection was failing and after a period of time, the application crippled itself. In an effort to maintain a revenue stream for our business and keep our customers happy, I briefly allowed outbound connections on port 80 from this zone. We saw a quick connection to the developer's site, then our payment card transactions started processing. We blocked port 80 again and the transactions continue to process. But, we don't know for how long.

Now, if we are required by the developer to connect to a server on port 80 to periodically validate a license, is this in violation of PCI requirement 1.2.1, which states "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment"? I don't see how a software license validation is necessary to the cardholder environment other than maintaining the functionality of the software and the revenue stream for the developer. Especially on port 80, since it establishes an insecure connection.

I've got a call with the vendor on Monday. But, I'd be interested in hearing some opinions from this group before that session. The vendor claims that their package meets all Payment Application Best Practices (PABP) guidelines.

jbhall56
02-22-2009, 12:28 PM
Sounds like you have a valid business reason for port 80 to be open to your vendor's fixed IP address. As a QSA, as long as you have this documented, and you only allow the outbound connection, I would say you have complied with the PCI DSS.
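As an added illustration (not from either poster), here is what the egress policy described in this thread looks like as an nftables ruleset on the zone firewall: default drop, return traffic allowed, one new-connection path to the payment processor via the proxy, the documented vendor license-check exception to a single fixed IP on port 80, and logging of every other outbound attempt from the POS zone so the next "phone home" shows up in the logs before it cripples the application. All addresses, the zone subnet, the proxy port and the log prefixes are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Placeholder values (RFC 5737 documentation ranges), not real hosts.
POS_ZONE="10.50.0.0/24"      # assumed POS security zone
PROXY_IP="192.0.2.10"        # assumed outbound proxy that carries the SSL session to the processor
PROXY_PORT="3128"            # assumed proxy listening port
VENDOR_IP="203.0.113.25"     # assumed fixed IP of the vendor's license-check host

# Emit the ruleset as text so it can be reviewed, diffed and kept with the
# compliance documentation before it is loaded.
gen_pos_egress_rules() {
cat <<EOF
table inet pos_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the zone initiated; nothing inbound
        # ever matches "new", so the drop policy covers inbound connections.
        ct state established,related accept

        # The only path to the payment processor: via the proxy.
        ip saddr $POS_ZONE ip daddr $PROXY_IP tcp dport $PROXY_PORT ct state new accept

        # Documented exception: vendor license check, outbound only,
        # one fixed IP, port 80. Logged so each check leaves a record.
        ip saddr $POS_ZONE ip daddr $VENDOR_IP tcp dport 80 ct state new log prefix "POS-LICENSE-CHECK " accept

        # Everything else leaving the zone is logged, then dropped. A new
        # prefix in the firewall log is the early warning for undocumented egress.
        ip saddr $POS_ZONE ct state new log prefix "POS-EGRESS-DENY " drop
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it, when nft is present.
check_pos_egress_rules() {
    if command -v nft >/dev/null 2>&1; then
        gen_pos_egress_rules | nft -c -f -
    else
        gen_pos_egress_rules >/dev/null
    fi
}

check_pos_egress_rules
```

Load it with `gen_pos_egress_rules | nft -f -`, and watch the `POS-EGRESS-DENY` prefix in the kernel log: that is where a failing license check would have been visible the day the transactions stopped.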