Sun, Dec 30 2007 22:30
PCI/DSS compliance in the SMB world
In my opinion an SBS box can't store, process or transmit credit cards under the PCI/DSS regulations. Even a Centro/Essential Business Server setup is probably pushing the envelope of what is acceptable.
If you want to "pass the test" without having to document your compensating controls, it is my opinion that any server setup in a small firm would not pass muster under 2.2.1:
2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)
So how do you handle storing, processing or transmitting credit cards if you are an SMB shop and think that having umpteen servers, one per role, doesn't gain you any security?
Here are some ideas of the ways around the issue:
Storing credit cards -- I'd argue that, first of all, you don't store credit cards, period. Time Magazine's headline is that data breaches are at record levels, and many if not most of them happen while "data is at rest": http://www.time.com/time/world/article/0,8599,1699049,00.html It's a stolen laptop or a lost backup tape. Bottom line: don't store credit cards on the server.
Processing credit cards -- if you think about it, many places can use alternative ways to process them. In our office we have a merchant machine that runs through its own network and is not connected to ours.
Transmitting credit cards -- the same rules apply. The merchant machine separates out the handling.
So what do you think? Read the PCI/DSS standards. https://www.pcisecuritystandards.org/tech/pci_dss.htm
I still argue that you don't store, process or transmit over your SMB server connection. Make the issue moot.
Filed under: Security