Need some input regarding scope
Amadeus
04-30-2009, 08:03 PM
We are a small business with 3 stores connected via a hardware VPN using IPsec, and we have no other incoming connections except 2 laptops that belong to employees; they require specific software installed on them to connect to the VPN. I am the sole manager of all this equipment, including the laptops. From what I can tell, we are a Level 3 merchant.

We have a single Windows Terminal Server and 12 workstations. Our POS software is fully self-contained and lives on the server. According to the software company, it is in and of itself compliant. There is no way to access the POS software except through Remote Desktop, and when my users connect, they only get the POS software. There is no other way to access the cardholder data, as it is stored in the POS software in an encrypted format. I have gone to great lengths to be sure that this data is visible only on a need-to-know basis. This was all set up before PCI DSS was even heard of (going on 10 years).

Everybody logs on to the workstations using a generic account, since many of my users will use several workstations throughout the day, some even at different locations. When they connect to the terminal server, they all have their own individual accounts. All processing is done on the TS as well.

My question is: are my workstations still under the scope of the standard, or do I need to overhaul them and figure out how to force individual logins for them too? Roaming profiles are not an option, since the POS software requires a specific variable to be set so that it knows where it is running (workstation, store address and other information), and this cannot be done with users moving around from store to store.
3Dmerchant
05-22-2009, 05:58 AM
PCI Data Security Standard: Implement Strong Access Control Measures
Requirement 8: Assign a unique ID to each person with computer access.
I think you'll agree that under any scenario, your company is at risk for non-compliance penalties if something were to go wrong. Have you brought this up with your POS provider? What you have is nice and was probably ahead of its time when you created it, but it just doesn't go far enough today. My switch technology lets an administrator set up the individual IDs, and what their permission levels are, regardless of where they are located. (Additionally, you can set anti-fraud protection such as refunds cannot be issued without a corresponding card match.) It sounds like you have a nice closed-loop solution, so I'd ask your POS provider what the status of their development is on unique logins. Surely they must have it in the works? If not, maybe you can use a mix of existing technology and new technology like ours to achieve the same result.
Christine
Amadeus
05-22-2009, 06:17 AM
Only the accounts on the workstations are generic. We use assigned IP addresses on every machine (no DHCP), and the firewall on the server is set up to only allow communications from that specific list of IP addresses. Every employee knows the password to log on to the workstation, but when they connect to the terminal server, they have to log on under their own credentials and then they are presented with yet another password entry. So that makes 3 passwords to use the software. Four on the laptops if they connect to the VPN remotely.

I am currently exploring switching our Windows XP Home Edition workstations over to Linux and using Likewise-Open to provide Active Directory support to enforce individual logons to the workstations as well. From what I have seen thus far, this should work well. Only one major hurdle... We use PCCharge Payment Server to do the actual processing, and that needs to run continuously. How can I accomplish this with 15-minute idle time limits and individual logons?
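The two controls the post above describes on the terminal server, a firewall that only admits the listed workstation addresses and per-user Remote Desktop logons subject to a 15-minute idle limit, can be applied and checked from an elevated PowerShell prompt. The script below is an added example, not code from the thread, from PCCharge, or from CenPOS. It assumes Windows Server 2008 or later (so that both `netsh advfirewall` and PowerShell exist), that the three addresses in `$posWorkstations` are constructed placeholders to be replaced with the real static list, and that it is run from the server console rather than over the very RDP session it restricts.

```powershell
# Added example; assumptions: Windows Server 2008+, run elevated from the console.

# --- 1. Only the known POS workstation addresses may reach Remote Desktop ---
# The poster's "firewall allows only a specific list of IPs", scoped to TCP 3389.
# Explicit block rules beat allow rules in Windows Firewall, so the deny comes
# from the profile default (blockinbound) rather than from a second rule.
$posWorkstations = @('192.0.2.11', '192.0.2.12', '192.0.2.13')   # constructed sample
$remoteIp = $posWorkstations -join ','

netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
# Disable the built-in any-source Remote Desktop rules so only our rule allows 3389.
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="POS RDP allowlist" | Out-Null
netsh advfirewall firewall add rule name="POS RDP allowlist" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$remoteIp | Out-Null

# --- 2. 15-minute idle limit and a mandatory password prompt for TS sessions ---
# These are the registry values behind the Terminal Services Group Policy
# settings "Set time limit for active but idle sessions" and
# "Always prompt for password upon connection".
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }

# MaxIdleTime is in milliseconds: 900000 = 15 minutes. An idle session is
# disconnected, not ended, so POS work survives, but the user must re-enter
# their own password to get it back.
Set-ItemProperty -Path $tsPolicy -Name MaxIdleTime -Type DWord -Value 900000
# A credential cached on the shared, generically logged-on workstation must
# not carry the user through the per-user TS logon.
Set-ItemProperty -Path $tsPolicy -Name fPromptForPassword -Type DWord -Value 1

# --- 3. Read back the settings and look for shared accounts in use right now ---
Get-ItemProperty -Path $tsPolicy | Select-Object MaxIdleTime, fPromptForPassword
netsh advfirewall firewall show rule name="POS RDP allowlist"

# qwinsta prints one line per session; take the USERNAME column of Active ones.
# Listener, console and services lines have no username and do not match.
$activeUsers = qwinsta | ForEach-Object {
    if ($_ -match '^\s*>?(\S+)\s+(\S+)\s+(\d+)\s+Active') { $Matches[2] }
}
# The same account active in several sessions on a TS where everyone is
# supposed to have their own ID usually means a shared password.
$activeUsers | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "$($_.Name) is active in $($_.Count) sessions; check for a shared password"
}
```

The idle limit applies only to interactive sessions. A payment server that must run around the clock should therefore not live in any user's desktop session; whether it can run as a Windows service under its own account is a question for its vendor, which is the hurdle the post raises.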
3Dmerchant
05-22-2009, 07:31 AM
Thanks for the clarification. Have you contacted PC Charge for that information? If they can't help you with a solution then call me.
If I correctly understand how your system works, you may be able to use my switch that will perform the same functions as you have with PC Charge, but it won't reside on your server (old school), thus eliminating the idle time/individual login problem. You'll be able to track every transaction and refund by user, and view reports of sales data across all entry points etc.
Amadeus
05-22-2009, 08:25 AM
What is this "switch" you are referring to? I guess I should state the fact that I have absolutely no budget to purchase any hardware or software at this time. The economy hasn't been very good to us this year but we are not throwing in the towel any time soon.
3Dmerchant
05-22-2009, 08:54 AM
I was trying to avoid posting more specifics that might be against the forum rules. CenPOS payment processing (http://3dmerchant.com/blog/managing-payment-processing-costs/cenpos/) switch. You can run brick and mortar and ecommerce through the system. As long as there is no special programming needed (don't know your POS so can't say for sure), you'll pay basic gateway fees only. You can use your own processor, or switch if it makes financial sense. My phone number is on the web page link.
Amadeus
05-22-2009, 09:45 AM
Thank you, I will look at it a little later today.
AredeGot73
10-14-2009, 01:48 PM
You need to get a service manual and check for "trouble codes". Not sure if that year model can be checked with a paper clip or if it requires a test module.