PCI compliance problem

Web hosting discussion, programming, and shared and dedicated servers.
4 posts Page 1 of 1
by rivoli » Fri Dec 08, 2017 4:54 pm
PCI Compliance manager sends me a test every year I have to pass to remain compliant with credit card processing good practices. This year they have a new question asking if we "settle a batch" at the end of the night to process our nightly credit cards. Because I said yes, they say we're not compliant because numbers are therefore stored on our hard drive which is hackable.

I'm told by my processor this has to do with the number of ports available on my router. The note I have from PCI Compliance says, to wit: "having remote access software present can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled."

Other notes that are a completely foreign language to me are:
PCI issue
Insecure Services/industry-deprecated protocols: 50001 / tcp / www
Insecure Services/ industry-deprecated protocols: 6319 / tcp / www

I'm going to lie and say that we don't settle a batch at the end of the night, but I'm interested in whether this is a problem anywhere else, a new problem, or I'm just answering questions wrongly.
by drew.phillips » Fri Dec 08, 2017 5:39 pm
Without knowing the specifics of your credit card processing setup, I can't say for sure if the right answer to that question is yes or no, but most likely card data is not stored locally until the batch is settled. In most merchant POS setups, when you swipe or enter a card, it's encrypted and sent to your merchant processor who will keep that transaction data until it is time to submit and settle rather than stored on any computer or device at your location.

That said, I've had luck in the past justifying the presence of that service by stating something like the following:

Please grant an exception for the open service on TCP port 50001.

- This service supports TLSv1.2 and devices accessing this service explicitly use TLSv1.2.
- Access to this port is restricted to a certain IP address space.
- Access through this port requires authentication.
- Credentials allowing access through this port are changed frequently.

If you can confirm whether or not it's true, you can also say that you do not store any cardholder data and only transmit encrypted payment card data.

If the scan vendor can't issue you an exception based on the above statements, support can disable this port for you. It is used by Sonic for remote management and router troubleshooting. If the port is disabled and you need support, we may require that you factory reset your modem which would lose any custom settings. You may also be able to bridge your modem/router and install a business grade router to connect your network to as well.

In regards to port 6319, this is not normally open, so you may want to check the router's settings for any port forwards and find out what that's for or if it can be disabled. I'm fairly certain this is due to a port forward that is unrelated to your Sonic service.
Drew Phillips
Programmer / System Operations, Sonic.net
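Before asserting to the scan vendor that a flagged service "supports TLSv1.2" (the first justification bullet above), it is worth confirming from outside that it really refuses the deprecated versions. The following is an added example, not code from the thread or from Sonic: it parses finding lines in the format quoted in the first post, then pins a TLS handshake to one version at a time against a placeholder host (`router.example.invalid`, to be replaced with your own router's address) and reports whether only TLSv1.2/1.3 are accepted.

```python
import re
import socket
import ssl

# Constructed sample in the ASV report format quoted in the thread.
SAMPLE_FINDINGS = """\
Insecure Services/industry-deprecated protocols: 50001 / tcp / www
Insecure Services/ industry-deprecated protocols: 6319 / tcp / www
"""

DEPRECATED = ("TLSv1", "TLSv1_1")    # versions an ASV flags as industry-deprecated
ACCEPTABLE = ("TLSv1_2", "TLSv1_3")

def parse_findings(text):
    """Extract (port, protocol, service) tuples from 'NNN / tcp / svc' lines."""
    return [(int(p), proto, svc)
            for p, proto, svc in re.findall(r"(\d+)\s*/\s*(tcp|udp)\s*/\s*(\S+)", text)]

def probe_tls_version(host, port, name, timeout=5.0):
    """True if the server handshakes when pinned to exactly `name`, False if it
    refuses, None if our own OpenSSL build cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe_all(host, port):
    return {name: probe_tls_version(host, port, name) for name in DEPRECATED + ACCEPTABLE}

def assess(results):
    """(ok, reasons): ok only if no deprecated version is accepted and at least
    one acceptable version handshakes. None (untestable) counts as not accepted."""
    reasons = [f"{n} accepted (deprecated)" for n in DEPRECATED if results.get(n)]
    if not any(results.get(n) for n in ACCEPTABLE):
        reasons.append("no TLSv1.2 or TLSv1.3 handshake succeeded")
    return not reasons, reasons

if __name__ == "__main__":   # placeholder host: substitute your own router's address
    for port, _proto, _svc in parse_findings(SAMPLE_FINDINGS):
        ok, why = assess(probe_all("router.example.invalid", port))
        print(port, "OK" if ok else "FAIL", "; ".join(why))
```

Run it from a network outside the "restricted IP address space" as well; a handshake that succeeds from there contradicts the second justification bullet, whatever the TLS version.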
by rivoli » Fri Dec 15, 2017 5:56 pm
Thank you, I sent this on to PCI Compliance Manager, hopefully they will let me slide.
by drew.phillips » Mon Dec 18, 2017 10:21 am
If they do or don't, I'd be interested in hearing back to know how they're treating that type of result these days. And if their answer is no, we can look for an alternate solution, so feel free to post back with the results when they come in.

Drew Phillips
Programmer / System Operations, Sonic.net
