Society of Payment Security Professionals Forum  

#1  olympic (Junior Member), 02-23-2009, 01:55 PM
Verizon Broadband card PCI compliant?

I'm assisting with the design of a network for a client. The network as currently designed has some wireless in place to remote ticket booths. The plan is to use WPA2 (rather than WEP) to meet PCI compliance.

There is one ticket booth, though, that will be very difficult to get wireless to on their network. Now, the ticketing application is a remotely hosted solution that is web based. As a result, that ticket booth doesn't have to be on the facility's network; rather, it just needs an Internet connection.

These ticket booths will use a USB card swiper, used to swipe customer credit cards, which talks to the ticketing system Java application, which in turn creates a typical SSL (port 443) connection to the secure payment gateway to process the card.

The question I have is whether we could just use something like a Verizon broadband data card in the laptop that is running in that ticket booth for its Internet connection. I wasn't sure what type of security the big wireless data providers like Verizon are using, and whether we could be PCI compliant by just using a Verizon broadband data card at this ticket booth for the Internet connection.

Thanks in advance for the assistance!
#2  alphonze (Junior Member), 02-24-2009, 01:23 AM

The broadband card would act just like any other Internet connection: i.e., you must assume it is insecure by definition. Fortunately, you're using SSL, so the security is being handled at a different layer. That means that DSS requirement 4.1.1 is irrelevant (you're not using a wireless LAN) and you're compliant with requirement 4.1, which covers Internet, GSM, GPRS etc.
#3  lyalc (Senior Member), 02-24-2009, 02:14 AM

As long as the other network controls (firewall, logging, vulnerability scans and so on) are in place as well, there is no reason not to use a wireless broadband card, other than perhaps link reliability (not a PCI issue, though).

lyalc
#4  olympic (Junior Member), 02-24-2009, 10:24 AM

Thank you Alphonze and lyalc for your responses.

Let me take this a step further. At this remote ticket booth, we not only need the laptop Internet connected so we can run the credit card swipe over SSL and then record the sale into a remote web-hosted ticketing database, we also need to extend wireless to a nearby handheld Wi-Fi scanner so that once the ticket is printed, it can be scanned.

I'm thinking that perhaps we can use something like the Verizon wireless card and feed that into a router (rather than directly into the laptop) and hang an access point off that, using WPA2 for the handheld wireless scanner to connect to.

Is there any issue with that type of setup?

The handheld scanner which would likely be either 802.11b or g will be in close proximity to the access point, and rather than WEP we could use WPA2. The handheld scanner is just recording the fact that the ticket entered the venue.

Thoughts? Thank you.
#5  jbhall56 (Senior Member, Minneapolis, MN), 02-24-2009, 04:50 PM

As I understand your configuration, you would be using the notebook now as a router as well as a terminal which would concern me.

A better solution IMHO would be to get a router with wireless 802.11i capability AND cellular capability. I know I've seen such units out there. I would use WPA2 on the 802.11 link and then SSL and VPN on the cellular link.

We have a client that operates cellular-based ATMs at an auto racetrack. They use SSL to encrypt the link from endpoint to endpoint, then use a VPN to encrypt the transmission of data from the ATM application to the ATM gateway in their data center.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#6  olympic (Junior Member), 02-25-2009, 06:46 PM

Thanks for the responses. Digging a bit deeper into this remote ticket booth, we have determined that we can get a phone line to it and, surprisingly, DSL.

So, we have a hard wire option. I'm not a PCI guru by any stretch, so I sincerely appreciate the guidance from all of you.

I would like to know for each of these two possible options, what is needed to be PCI compliant:

1) We utilize a DSL line. We plug the DSL modem directly into a laptop. The laptop has a USB card swiper attached to it. The laptop runs a Java application that accepts the card swipe data and makes an SSL request to the payment gateway. No card data is stored on the laptop; results of the transaction are stored in a ticketing vendor web database that is PCI compliant. A successful response from the payment gateway results in a ticket print. For the ticket scan, we may be able to use a USB-tethered reader to avoid any wireless network.

Will #1 above be PCI compliant? Will a software-based firewall be sufficient, or do we need to first go into a router/firewall and then plug into that?

Will any scans need to be run against a laptop that is only swiping card data?

2) Again a DSL line but this time into a firewall/router and then have the laptop with the card swiper plugged into that. An access point utilizing WPA2 would be plugged into the router so that a wireless ticket scanner using WPA2 could be used for the scanning.

I'm trying to understand the minimum hardware/configuration requirements to just use a stand-alone DSL line for the Internet connection at this booth and make sure we are PCI compliant.

A sincere thanks to everyone for the assistance!
#7  jbhall56 (Senior Member, Minneapolis, MN), 02-27-2009, 06:42 AM

I would recommend using a basic SOHO firewall. That would provide you with a four-port switch and protection from the Internet.

The SSL/TLS connection to your processor should be fine as long as you are sure the level of encryption is sufficient.

I would make sure that the application you are using is certified if you purchased it. If you wrote it, I would make sure that you have reviewed it against the PA-DSS to ensure it is aligned with that standard.
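An added example, not code from any of the posts above or from the ticketing vendor's software, illustrating the point that alphonze (#2) and Jeff Hall (#7) both rely on: once the swipe goes over SSL/TLS, the cellular card, DSL line or Wi-Fi hop underneath is just another untrusted network, and what decides whether the "level of encryption is sufficient" is how the client end of that connection is configured. The Python below builds a client context that requires a trusted certificate and a hostname match, refuses anything below TLS 1.2, and offers only ephemeral-key AEAD suites; it also audits a list of OpenSSL cipher-suite names for the things requirement 4.1 would not accept (NULL, export, RC4, DES/3DES, MD5, anonymous key exchange). The cipher string, the finding labels and the sample suite list are this example's own choices, not PCI DSS text; `connect_and_report` needs network access and is only there so the same check can be pointed at a real gateway.

```python
"""Audit the client side of the 'SSL to the payment gateway' link.

Added example, not code from the thread or the ticketing vendor.
Assumes Python 3.7+ with the standard 'ssl' module (OpenSSL naming for
cipher suites). The cipher string, finding labels and sample list are
this example's own conventions.
"""
import socket
import ssl
import sys

# Tokens (cipher name split on '-') that mark a suite as unacceptable for
# cardholder data in transit, and the finding label each produces.
WEAK_TOKENS = {
    "NULL": "weak:NULL",          # no encryption at all
    "EXP": "weak:EXPORT",         # 40/56-bit export grades
    "RC4": "weak:RC4",
    "DES": "weak:DES/3DES",       # DES-CBC3-SHA carries the DES token too
    "MD5": "weak:MD5",
    "ADH": "weak:anonymous",      # no server authentication
    "AECDH": "weak:anonymous",
}

# OpenSSL names of suites with ephemeral key exchange (forward secrecy).
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def audit_cipher(name):
    """Return the list of findings for one OpenSSL cipher-suite name."""
    findings = [WEAK_TOKENS[t] for t in name.split("-") if t in WEAK_TOKENS]
    if not name.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("no-forward-secrecy")
    return findings


def audit_ciphers(names):
    """Map each suite name to its findings; an empty list means acceptable."""
    return {name: audit_cipher(name) for name in names}


def hardened_client_context(cafile=None):
    """Client context for the gateway connection.

    create_default_context() already sets CERT_REQUIRED and hostname
    checking; on top of that we refuse SSLv3/TLS 1.0/1.1 and restrict the
    offered suites to ephemeral-key AEAD ciphers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXP"
    )
    return ctx


def context_is_hardened(ctx):
    """True if the context verifies the peer certificate, checks the
    hostname, and will not negotiate anything below TLS 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def audit_context(ctx):
    """Audit every suite the context is willing to offer."""
    return audit_ciphers(c["name"] for c in ctx.get_ciphers())


def connect_and_report(host, port=443, ctx=None):
    """Handshake with a live gateway and report what was negotiated.
    Needs network access; the offline checks above never call it."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, protocol, bits = tls.cipher()
            cert = tls.getpeercert()
            return {
                "protocol": protocol,
                "cipher": cipher,
                "bits": bits,
                "findings": audit_cipher(cipher),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "not_after": cert.get("notAfter"),
            }


# Constructed sample, not captured from any real client: the kind of list
# a 2009-era default client offered.
LEGACY_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
    "NULL-MD5",
]

if __name__ == "__main__":
    for name, findings in audit_ciphers(LEGACY_OFFER).items():
        print(f"{name:32} {', '.join(findings) or 'ok'}")
    ctx = hardened_client_context()
    bad = {n: f for n, f in audit_context(ctx).items() if f}
    print("hardened context verifies peer:", context_is_hardened(ctx),
          "| offered suites with findings:", bad or "none")
    if len(sys.argv) > 1:
        print(connect_and_report(sys.argv[1]))
```

Run it with no arguments to audit the constructed list and the hardened context; pass a gateway hostname as the first argument to see what a real handshake negotiates and whether the suite it lands on has any findings. In the thread's 2009 vocabulary "SSL" meant SSLv3 or TLS 1.0; this context will not negotiate either, so a gateway that only speaks those versions shows up as a failed handshake rather than a silently weak one.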
Copyright (c) The Aegenis Group, Inc.