[lug] Letting folks pay from the web.

Maxwell Spangler maxlists at maxwellspangler.com
Tue Feb 2 14:11:23 MST 2010


On Mon, 2010-02-01 at 09:57 -0700, Landon Cox wrote:

> Good points, Bear.  When you read the PCI, the IT stuff is pretty
> broad and general - stuff like "run virus protection" on your
> systems.  They're definitely not prescriptive, I suppose
> intentionally, because they can't tell you how to run your stuff.

I'm really encouraged by the respect for the seriousness of PCI
compliance demonstrated by posters in this thread.  Unfortunately
because of how PCI is defined and communicated I believe much of the
rest of the world fails to understand the risks and the need for
implementing secure measures.

Two years ago while running a restaurant I received word from our credit
card processor that we needed to become PCI compliant and that if we
failed to do so our account would be disabled.  As an admin with respect
for security issues, I took this seriously from the start.

Part of this process was reviewing our MICROS point of sale system and
finding that it was an older version that was not PCI compliant.  Why?
Because it stored credit card information completely unencrypted in a
standard Sybase SQL database.  Steal my hardware or one of my system
backup CD-ROMs, play with some basic SQL and you've got thousands of
credit card numbers.  Thankfully, the worst part of upgrading the MICROS
system was dealing with the management of the local MICROS reseller.

After doing such, we went to the web site of a company that does PCI
compliance to perform a web-based self-assessment.  The website remotely
did an nmap style scan of our IP address to determine if we had ports
and services open and several firewalls I installed allowed us to pass
that easily.  As Landon suggests above, other requirements were vague
and not very challenging.  We answered a variety of questions like "What
version of MICROS are you using" (which they verified was now secure),
"Do you have firewalls on your network", and "Do you have anti-virus
software installed."

Of all the potential challenges, that last question provided the most
difficulty because our software was out of date and couldn't be
upgraded.  Our host OS was Windows 2000 and the major folks like Norton
don't want to support that anymore.  Eventually I found somebody but I
can see others in that same position giving up prematurely.

The whole experience was one that made me far less comfortable about
where my credit card number goes even when given to reputable
businesses.  I'm glad there are professionals like the posters on this
list that get it and glad we have laws to protect consumers from people
who don't get it and allow their systems to operate insecurely.

-- 
Maxwell Spangler