
The Long Hard Road

Mark Sollis




We have officially started our PCI journey, and I thought I'd open up the forum posts with a general topic on PCI DSS compliance, a hot topic at the Open GI User Group Members day.


Every business that stores, processes or transmits credit card data is subject to scrutiny and potentially a big fine for any proven compliance breach. It's a big subject but easily tackled with some forethought and understanding of what is required and what priority should be applied in which areas.


So, as well as sharing some personal experiences here, I'm happy to invite comment, thought and opinion from PCI novices and experts alike, for the benefit of forum users.


As a starter for 10, here is a link to the PCI Security Standards Council site with lots of info to get you started, along with a useful Quick Reference Guide which explains all about PCI DSS in 32 (yes, 32!) pages. Happy reading!


If you have any questions, come back and ask away, or if you have stories of your own then why not share them here as well.


Look out for more updates from me over the next few months as I ease our way through the PCI DSS manual - with a little help from some friends :)


6 answers to this question


Guys, re: call recording. If you don't already know (it has been over 2 years since the last post in this thread!), Credit Line Plus can now be integrated with Callstream, which allows the customer to key in details through the phone (led by an advisor who cannot hear the tones).


Hope this helps.

Edited by Karl

Hi Mark.


We were compliant until we started using Creditline and then Plus. Now with the latest SAQ (we are D) we are nowhere near. Basically, our move to allow users to take payment and settle results in our having to complete the full 270+ question questionnaire.


Other issues like voice recording could be dealt with, but the fact that almost all users can take and fill in the credit card details means that we are caught.


Have so far had quotes from NCC Group and have another NSA-registered company due next week. Prices start at £5,000 for the workshop.


We have had to register with Lloyds, who have just started chasing us to see what we will do.


Any other experiences or comment would be interesting


Mike Anderson,  Clear Insurance


Hi Mike


Good to hear there is someone else out there taking PCI DSS seriously!


It's a big subject, and we are also SAQ D level 3 and working on all areas to make sure we are compliant.


CreditLinePlus takes the CHD (Card Holder Data) environment out of scope - so I'm not sure why this has increased your PCI response - but maybe that was the case anyway?


At up to £1,000 per day, engaging with a Qualified Security Assessor is not cheap, but it can be cost effective. For the price you are looking to pay I would expect a full gap analysis AND the completion of the SAQ D by the QSA as well.


Would be good to get any further thoughts, and if you have any questions I can assist with, please post back as this will be useful for all.




Thanks Mark.

Re Creditline Plus, we have been told by both Security Metrics (who do the job for Barclays) and the Lloyds PCI support that the presence of browser-based input as used by Creditline Plus brings every user's environment into scope, since the ability of keyloggers etc. to infect a PC on the LAN means that the whole LAN comes into scope. The fact that the 'Virtual Terminal' used by the credit checking software does not store the data locally is not material. It is 'stored' on screen and in cache.


Same problem currently exists with the voice recording. We can move forward by using white noise or getting users to hit the stop record button whilst taking credit card details, but we would have to delete all existing recordings.


Anyone else had this advice?


Understand. So the fact that you are using CLPlus is not the issue, I guess. Old Credit Line stored the data on the server as well, so you do have a better solution.


The whole LAN is indeed in scope in their scenario. That just means you need to apply controls and checks within the organisation in relation to those risks.


Would be interested to hear what their recommendations are to address those risks.


Re the call recording, there are a few options. We have engaged with our telephony provider to supply call pause and resume based on the browser window being active. This is better than a manual process, but both are acceptable, although automated is clearly the better option.


Any other thoughts welcome.

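The automated pause-and-resume Mark describes, as an added example that is not part of the original thread and not code from any telephony, Callstream or Open GI product: a small JavaScript controller that pauses recording when the card-entry form takes focus and resumes it only once the entry is complete, so that an agent switching windows mid-entry does not resume recording while the customer is still reading out their card number. The telephony interface (`pauseRecording`/`resumeRecording`), the event names and the sample event sequence are all assumptions made for this example; a real integration would call the provider's own API.

```javascript
// Added example, not from the thread or any vendor. Models "pause recording
// while the card-entry window is active" as a small state machine.

// Stand-in for the telephony provider's API (an assumption for this example):
// it just records which calls were made so the behaviour can be inspected.
class FakeTelephony {
  constructor() { this.log = []; }
  pauseRecording() { this.log.push('pause'); }
  resumeRecording() { this.log.push('resume'); }
}

class RecordingPauseController {
  constructor(telephony) {
    this.telephony = telephony;
    this.recording = true;            // the call recording is running
    this.cardEntryInProgress = false; // card digits typed but not yet submitted/cleared
  }

  // The card-entry form (or its browser window) gained focus: pause at once.
  // Idempotent, so repeated focus events do not double-pause.
  onCardFormFocus() {
    if (this.recording) {
      this.telephony.pauseRecording();
      this.recording = false;
    }
  }

  // The agent started typing card data.
  onCardFieldInput() {
    this.cardEntryInProgress = true;
  }

  // Focus left the form. A naive implementation resumes here; if the agent
  // alt-tabbed while the customer is still reading out digits, that would put
  // the PAN on the recording. So resume only if no entry was in progress.
  onCardFormBlur() {
    if (!this.cardEntryInProgress) this.resume();
  }

  // Card entry finished: submitted to the payment page, or the fields cleared.
  onCardEntryComplete() {
    this.cardEntryInProgress = false;
    this.resume();
  }

  resume() {
    if (!this.recording) {
      this.telephony.resumeRecording();
      this.recording = true;
    }
  }
}

// Replays a list of UI events against a fresh controller and returns the
// pause/resume calls that reached the telephony layer, in order.
function replayEvents(events) {
  const tel = new FakeTelephony();
  const ctl = new RecordingPauseController(tel);
  const handlers = {
    focus: () => ctl.onCardFormFocus(),
    input: () => ctl.onCardFieldInput(),
    blur: () => ctl.onCardFormBlur(),
    complete: () => ctl.onCardEntryComplete(),
  };
  for (const e of events) {
    if (!(e in handlers)) throw new Error(`unknown UI event: ${e}`);
    handlers[e]();
  }
  return tel.log;
}

// Constructed sample: agent focuses the form, types, switches window (blur),
// comes back, finishes typing and submits. Recording must stay paused across
// the window switch, giving exactly one pause and one resume.
const SAMPLE_EVENTS = ['focus', 'input', 'blur', 'focus', 'input', 'complete'];
console.log(replayEvents(SAMPLE_EVENTS)); // ['pause', 'resume']
```

The `onCardFormBlur` rule is the part worth copying: resuming purely on loss of focus is the obvious implementation, and it leaks card data into the recording whenever the agent changes window before the customer has finished. The manual stop-record button has the same weakness, which is one reason an automated trigger tied to the form state, not just the window, is the stronger option.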
