PCI/DSS compliance in the SMB world

On December 31, 2007, in Security, by


In my opinion an SBS box can’t store, process or transmit credit cards under the PCI/DSS regulations. Even Centro/Essential Business server is probably pushing the envelope of an acceptable setup.

If you want to “pass the test” without having to document your compensating controls, it is my opinion that any server setup in a small firm would not pass muster under 2.2.1:

2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)

So how do you handle storing, processing or transmitting credit cards if you are an SMB shop and think that having umpteen servers per role doesn’t gain any security?

Here are some ideas of the ways around the issue: 

Storing credit cards — I’d argue that first you don’t store credit cards, period. Time Magazine’s headline is that there are record data breaches, and many, if not most, of them happen when “data is at rest”. http://www.time.com/time/world/article/0,8599,1699049,00.html It’s from a stolen laptop, or a lost backup tape. Bottom line: don’t store credit cards on the server.

Processing credit cards — if you think about it, in many places you can use alternative ways to process them. In our office we have a merchant machine that runs through its own network and is not connected to ours.

Transmitting credit cards — the same rules apply. The merchant machine separates out the handling.

So what do you think? Read the PCI/DSS standards: https://www.pcisecuritystandards.org/tech/pci_dss.htm

I still argue that you don’t store, process or transmit over your SMB server connection. Make the issue moot.


One Response to PCI/DSS compliance in the SMB world

  1. You are correct in your assumption that you remove the need for compliance for your SBS server. But you still have the merchant’s server in your building. Requirement 9 regarding physical security still applies, as does requirement 12 if some of the personnel are in one way or another handling the backup tapes and so forth. I would argue that a better way would be, if possible, to have the customer sent to a site where they pay when they begin a purchase, with a receipt then sent back to your site. If your solution refers to an onsite purchase, then requirements 9 and 12 have to be fulfilled.