  • 0
Mark Sollis

The Long Hard Road

Question

Well

We have officially started our PCI journey and thought I'd open up the Forum posts with a general Topic on PCI DSS Compliance - a hot topic at the Open GI User Group Members day.

Every business that stores, processes or transmits Credit Card data is subject to scrutiny and potentially a big fine for any compliance breach proven. It's a big subject but easily tackled with some forethought and understanding of what is required and what priority should be applied in what areas.

So, as well as sharing some personal experiences here, I'm happy to invite comment, thought and opinion from PCI novices and experts alike - for the benefit of Forum users.

As a starter for 10 - here is a link to the PCI Security Standards Council Site with lots of info to get you started, along with a useful Quick Reference Guide which explains all about PCI DSS in 32 (yes 32!) pages - Happy reading!

If you have any questions, come back and ask away, or if you have stories of your own then why not share them here as well.

Look out for more updates from me over the next few months as I ease our way through the PCI DSS manual - with a little help from some friends :)


6 answers to this question


  • 1

Guys, re: Call recording - if you don't already know (it has been over 2 years since the last post in this thread!), Credit Line Plus can now be integrated with Callstream, which allows the customer to key in details through the phone (led by an advisor who cannot hear the tones).

Hope this helps.

Edited by Karl

  • 0

Hi Mark

How are you getting on with this? Have you made any major system changes to date on the back of it?

Regards

Karl

  • 0

Hi Mark.

We were compliant until we started using Creditline and then Plus. Now with the latest SAQ (we are D) we are nowhere near. Basically our move to allow users to take payment and settle results in our having to complete the full 270+ questionnaire.

Other issues like voice recording could be dealt with, but the fact that almost all users can take and fill in the credit card details means that we are caught.

Have so far had quotes from NCC Group and have another NSA registered company due next week. Prices start at £5000 for the workshop.

We have had to register with Lloyds, who have just started chasing us to see what we will do.

Any other experiences or comments would be interesting.

Mike Anderson, Clear Insurance

  • 0

Hi Mike

Good to hear there is someone else out there taking PCI DSS seriously!

It's a big subject and we are also SAQ D level 3 and working on all areas to make sure we are compliant.

CreditLinePlus takes the CHD (Card Holder Data) environment out of scope - so I'm not sure why this has increased your PCI response - but maybe that was the case anyway?

At up to £1,000 per day, engaging with a Qualified Security Assessor is not cheap - but can be cost effective. For the price you are looking to pay I would expect a full Gap Analysis AND the completion of the SAQ D by the QSA as well.

Would be good to get any further thoughts, and if you have any questions I can assist with, please post back as this will be useful for all.

Thanks

  • 0

Thanks Mark.

Re Creditline Plus, we have been told by both Security Metrics (who do the job for Barclays) and the Lloyds PCI support that the presence of browser-based input as used by CreditLinePlus brings every user's environment into scope, since the ability of keyloggers etc. to infect a PC on the LAN means that the whole LAN comes into scope. The fact that the 'Virtual Terminal' used by the credit checking software does not store the data locally is not material. It is 'stored' on screen and in cache.

Same problem currently exists with the voice recording. We can move forward by using white noise or getting users to hit the stop record button whilst taking credit card details, but we would have to delete all existing recordings.

Anyone else had this advice?

  • 0

Understand. So the fact that you are using CLPlus is not the issue, I guess. Old Credit Line stored the data in the server as well - so you do have a better solution.

The whole LAN is indeed in scope in their scenario. That just means you need to apply controls and checks within the organisation in relation to those risks.

Would be interested to hear what their recommendations are to address those risks.

Re the call recording, there are a few options. We have engaged with our telephony provider to supply a call pause and resume based on the browser window being active. This is better than a manual process, but both are acceptable, although automated is clearly a better option.

Any other thoughts welcome.

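The pause-and-resume approach described in the reply above (recording stops while the agent's browser is on the card-entry window and restarts when they leave it) can be modelled as a small state machine, and the useful defensive addition is an audit check that no recorded segment overlaps a pause window. The block below is an added illustration written for this thread; it is not Open GI's, Callstream's or any telephony provider's code. It assumes a constructed event timeline (call start, payment-window focus/blur, call end) in place of the real browser and telephony signals, and it handles the edge case where the call ends while the agent is still on the payment page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed event names for this example. A real integration would map
# the browser's focus/blur notifications and the telephony platform's
# call events onto these.
CALL_START = "call_start"
PAY_FOCUS = "payment_window_focus"   # agent switched to the card-entry page
PAY_BLUR = "payment_window_blur"     # agent left the card-entry page
CALL_END = "call_end"


@dataclass
class RecordingController:
    """Pause/resume state machine for a call recorder.

    Recording is on while a call is active and the payment window is not
    focused. Every pause interval is kept so that recordings can be audited
    against the times when card details may have been spoken.
    """
    in_call: bool = False
    recording_since: Optional[float] = None
    paused_since: Optional[float] = None
    segments: List[Tuple[float, float]] = field(default_factory=list)
    paused_windows: List[Tuple[float, float]] = field(default_factory=list)

    def handle(self, ts: float, event: str) -> None:
        if event == CALL_START:
            self.in_call = True
            self.recording_since = ts
        elif event == PAY_FOCUS and self.in_call and self.paused_since is None:
            # Stop the current recorded segment and open a pause window.
            self._stop_segment(ts)
            self.paused_since = ts
        elif event == PAY_BLUR and self.in_call and self.paused_since is not None:
            # Close the pause window and start a fresh recorded segment.
            self.paused_windows.append((self.paused_since, ts))
            self.paused_since = None
            self.recording_since = ts
        elif event == CALL_END and self.in_call:
            self._stop_segment(ts)
            if self.paused_since is not None:
                # Call ended while still on the payment page: close the
                # pause window without ever resuming recording.
                self.paused_windows.append((self.paused_since, ts))
                self.paused_since = None
            self.in_call = False
        # Duplicate or out-of-order events (e.g. a second focus while already
        # paused) are ignored rather than corrupting the state.

    def _stop_segment(self, ts: float) -> None:
        if self.recording_since is not None:
            self.segments.append((self.recording_since, ts))
            self.recording_since = None


def run_timeline(events: List[Tuple[float, str]]) -> RecordingController:
    """Feed a timestamped event list through a fresh controller."""
    ctl = RecordingController()
    for ts, ev in events:
        ctl.handle(ts, ev)
    return ctl


def overlaps(a: Tuple[float, float], b: Tuple[float, float]) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def recording_covers_pause(ctl: RecordingController) -> bool:
    """Audit check: True if any recorded segment overlaps a pause window.

    A correctly paused recording must return False; a recorder that kept
    running through the card-entry window (the situation the thread warns
    about) returns True.
    """
    return any(overlaps(seg, win)
               for seg in ctl.segments for win in ctl.paused_windows)


# Constructed sample timeline (seconds from call start).
SAMPLE_EVENTS = [
    (0.0, CALL_START),
    (45.0, PAY_FOCUS),     # advisor opens the card-entry window
    (110.0, PAY_BLUR),     # card details done, advisor leaves the window
    (180.0, CALL_END),
]

if __name__ == "__main__":
    ctl = run_timeline(SAMPLE_EVENTS)
    print("recorded:", ctl.segments)
    print("paused:  ", ctl.paused_windows)
    print("overlap? ", recording_covers_pause(ctl))
```

The manual "stop record" button mentioned earlier in the thread can feed the same two pause/resume events, so the audit check applies to either process; the difference is only in how reliably the events arrive.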
