Mark Sollis

The Long Hard Road

Question

Well

 

We have officially started our PCI journey and thought I'd open up the Forum posts with a general Topic on PCI DSS Compliance - a hot topic at the Open GI User Group Members day.

 

Every business that stores, processes or transmits Credit Card data is subject to scrutiny and potentially a big fine for any compliance breach proven. It's a big subject but easily tackled with some forethought and understanding of what is required and what priority should be applied in what areas.

 

So, as well as sharing some personal experiences here, I'm happy to invite comment, thought and opinion from PCI novices and experts alike, for the benefit of Forum users.

 

As a starter for 10 - here is a link to the PCI Security Standards Council Site with lots of info to get you started along with a useful Quick Reference Guide which explains all about PCI DSS in 32 (yes 32!) pages - Happy reading!

 

If you have any questions, come back and ask away, or if you have stories of your own then why not share them here as well.

 

Look out for more updates from me over the next few months as I ease our way through the PCI DSS manual - with a little help from some friends :)


6 answers to this question


Guys, re: call recording. If you don't already know (it has been over 2 years since the last post in this thread!), Credit Line Plus can now be integrated with Callstream, which allows the customer to key in details through the phone (led by an advisor who cannot hear the tones).

 

Hope this helps.

Edited by Karl


Hi Mark

 

How are you getting on with this? Have you made any major system changes to date on the back of it?

 

Regards

 

Karl


Hi Mark.

 

We were compliant until we started using CreditLine and then Plus. Now with the latest SAQ (we are D) we are nowhere near. Basically our move to allow users to take payment and settle results in our having to complete the full 270+ question questionnaire.

 

Other issues like voice recording could be dealt with, but the fact that almost all users can take and fill in the credit card details means that we are caught.

 

Have so far had quotes from NCC Group and have another NSA registered company due next week. Prices start at £5,000 for the workshop.

 

We have had to register with Lloyds, who have just started chasing us to see what we will do.

 

Any other experiences or comment would be interesting.

 

Mike Anderson,  Clear Insurance


Hi Mike

 

Good to hear there is someone else out there taking PCI DSS seriously!

 

It's a big subject and we are also SAQ D level 3 and working on all areas to make sure we are compliant.

 

CreditLinePlus takes the CHD (Card Holder Data) environment out of scope, so I'm not sure why this has increased your PCI response, but maybe that was the case anyway?

 

At up to £1,000 per day, engaging with a Qualified Security Assessor is not cheap, but can be cost effective. For the price you are looking to pay I would expect a full Gap Analysis AND the completion of the SAQ D by the QSA as well.

 

Would be good to get any further thoughts, and if you have any questions I can assist with, please post back as this will be useful for all.

 

Thanks


Thanks Mark.

Re CreditLine Plus, we have been told by both Security Metrics (who do the job for Barclays) and the Lloyds PCI support that the presence of browser based input as used by CreditLine Plus brings every user's environment into scope, since the ability of keyloggers etc. to infect a PC on the LAN means that the whole LAN comes into scope. The fact that the 'Virtual Terminal' used by the credit checking software does not store the data locally is not material. It is 'stored' on screen and in cache.

 

Same problem currently exists with the voice recording. We can move forward by using white noise or getting users to hit the stop record button whilst taking credit card details, but we would have to delete all existing recordings.

 

Anyone else had this advice?


Understand. So the fact that you are using CLPlus is not the issue, I guess. Old Credit Line stored the data in the server as well, so you do have a better solution.

 

The whole LAN is indeed in scope in their scenario. That just means you need to apply controls and checks within the organisation in relation to those risks.

 

Would be interested to hear what their recommendations are to address those risks.

 

Re the call recording, there are a few options. We have engaged with our telephony provider to supply a call pause and resume based on the browser window being active. This is better than a manual process, but both are acceptable, although automated is clearly the better option.

 

Any other thoughts welcome.

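The automated pause-and-resume approach described in the post above, as an added example that is not part of the original thread and not the code of any telephony or insurance product named in it. It goes one step further than the post by gating on the individual card-holder-data fields rather than on the whole browser window: recording is paused when the first such field takes focus, resumed only when no such field is focused, kept paused while the advisor's manual stop control is held, and, if the recorder does not acknowledge the pause, the field refuses keystrokes (fail closed) rather than letting card data land in a recording. The `send` callback, the `data-chd` attribute and the field names `pan`, `expiry` and `cvv` are assumptions for the example.

```javascript
// Added example (not from the original thread or any vendor named in it).
// Assumption: the telephony platform accepts "pause" / "resume" recording
// commands and acknowledges them; that integration point is modelled by a
// caller-supplied `send(command)` callback returning true on acknowledgement.

class RecordingGate {
  constructor(send) {
    this.send = send;            // (command) => boolean ack; assumed integration point
    this.focused = new Set();    // card-holder-data fields that currently hold focus
    this.paused = false;         // our confirmed view of the recorder's state
    this.manualHold = false;     // advisor pressed the manual "stop recording" control
    this.events = [];            // audit trail of every command and its acknowledgement
  }

  _command(cmd) {
    const ok = this.send(cmd) === true;
    this.events.push({ cmd, ok });
    return ok;
  }

  // A CHD field gained focus. Returns true only once the pause is acknowledged,
  // so the caller can refuse keystrokes otherwise (fail closed).
  enter(field) {
    this.focused.add(field);
    if (!this.paused) this.paused = this._command('pause');
    return this.paused;
  }

  // A CHD field lost focus. Recording resumes only when no CHD field is
  // focused and the advisor has not held recording off manually.
  leave(field) {
    this.focused.delete(field);
    if (this.paused && this.focused.size === 0 && !this.manualHold) {
      if (this._command('resume')) this.paused = false;
    }
    return this.paused;
  }

  // The manual fallback the thread mentions: an explicit stop/start control.
  setManualHold(on) {
    this.manualHold = on;
    if (on && !this.paused) this.paused = this._command('pause');
    if (!on && this.paused && this.focused.size === 0) {
      if (this._command('resume')) this.paused = false;
    }
    return this.paused;
  }

  // Whether a CHD field may accept input right now.
  canAcceptInput() {
    return this.paused;
  }
}

// Wires the gate to a page when run in a browser; a no-op under Node so the
// block stays runnable offline. Fields are expected to carry data-chd="true"
// (an attribute name chosen for this example, not from the page).
function attachToDocument(gate, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  const fields = doc.querySelectorAll('[data-chd="true"]');
  fields.forEach((el) => {
    el.addEventListener('focus', () => { if (!gate.enter(el.name)) el.blur(); });
    el.addEventListener('blur', () => gate.leave(el.name));
    el.addEventListener('beforeinput', (ev) => { if (!gate.canAcceptInput()) ev.preventDefault(); });
  });
  return fields.length;
}

// Scripted walk-through against a stub recorder (constructed for this example).
// recorderAcksPause=false simulates a telephony platform that never confirms
// the pause, which must leave the fields unable to accept input.
function demo(recorderAcksPause = true) {
  const sent = [];
  const gate = new RecordingGate((cmd) => {
    sent.push(cmd);
    return recorderAcksPause || cmd !== 'pause';
  });
  gate.enter('pan');
  gate.enter('expiry');                        // second field: no second pause
  gate.leave('pan');                           // expiry still focused: no resume yet
  const acceptsDuringEntry = gate.canAcceptInput();
  gate.leave('expiry');                        // last CHD field left: resume
  return { sent, acceptsDuringEntry, pausedAtEnd: gate.paused };
}
```

The acknowledgement matters: a gate that assumes the pause happened and lets the advisor type is exactly the case the posts above worry about, card numbers on a recording you later have to find and delete. Swapping the stub `send` for the real platform's call is the only integration work; the `events` array gives you the evidence trail an assessor will ask for.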