The Long Hard Road


Mark Sollis

Question

Well,

We have officially started our PCI journey, and I thought I'd open up the Forum posts with a general topic on PCI DSS Compliance, a hot topic at the Open GI User Group Members day.

Every business that stores, processes or transmits credit card data is subject to scrutiny and potentially a big fine for any compliance breach proven. It's a big subject, but easily tackled with some forethought and understanding of what is required and what priority should be applied in which areas.

So, as well as sharing some personal experiences here, I'm happy to invite comment, thought and opinion from PCI novices and experts alike, for the benefit of Forum users.

As a starter for 10, here is a link to the PCI Security Standards Council site, with lots of info to get you started, along with a useful Quick Reference Guide which explains all about PCI DSS in 32 (yes, 32!) pages. Happy reading!

If you have any questions, come back and ask away, or if you have stories of your own then why not share them here as well.

Look out for more updates from me over the next few months as I ease our way through the PCI DSS manual, with a little help from some friends :)


6 answers to this question


Guys, re: call recording. If you don't already know (it has been over 2 years since the last post in this thread!), Credit Line Plus can now be integrated with Callstream, which allows the customer to key in details over the phone (led by an advisor who cannot hear the tones).

Hope this helps.

Edited by Karl

Hi Mark.

We were compliant until we started using CreditLine and then Plus. Now, with the latest SAQ (we are D), we are nowhere near. Basically, our move to allow users to take payment and settle results in our having to complete the full 270+ question questionnaire.

Other issues like voice recording could be dealt with, but the fact that almost all users can take and fill in the credit card details means that we are caught.

Have so far had quotes from NCC Group and have another NSA registered company due next week. Prices start at £5,000 for the workshop.

We have had to register with Lloyds, who have just started chasing us to see what we will do.

Any other experiences or comments would be interesting.

Mike Anderson, Clear Insurance


Hi Mike,

Good to hear there is someone else out there taking PCI DSS seriously!

It's a big subject, and we are also SAQ D level 3 and working on all areas to make sure we are compliant.

CreditLinePlus takes the CHD (Card Holder Data) environment out of scope, so I'm not sure why this has increased your PCI response, but maybe that was the case anyway?

At up to £1,000 per day, engaging with a Qualified Security Assessor is not cheap, but it can be cost effective. For the price you are looking to pay I would expect a full Gap Analysis AND the completion of the SAQ D by the QSA as well.

Would be good to get any further thoughts, and if you have any questions I can assist with, please post back, as this will be useful for all.

Thanks


Thanks Mark.

Re CreditLine Plus, we have been told by both Security Metrics (who do the job for Barclays) and the Lloyds PCI support that the presence of browser based input, as used by CreditLinePlus, brings every user's environment into scope, since the ability of keyloggers etc. to infect a PC on the LAN means that the whole LAN comes into scope. The fact that the 'Virtual Terminal' used by the credit checking software does not store the data locally is not material. It is 'stored' on screen and in cache.

The same problem currently exists with the voice recording. We can move forward by using white noise or getting users to hit the stop record button whilst taking credit card details, but we would have to delete all existing recordings.

Anyone else had this advice?


Understood. So the fact that you are using CLPlus is not the issue, I guess. Old Credit Line stored the data on the server as well, so you do have a better solution.

The whole LAN is indeed in scope in their scenario. That just means you need to apply controls and checks within the organisation in relation to those risks.

Would be interested to hear what their recommendations are to address those risks.

Re the call recording, there are a few options. We have engaged with our telephony provider to supply a call pause and resume based on the browser window being active. This is better than a manual process, but both are acceptable, although automated is clearly the better option.

Any other thoughts welcome.
