PCI Compliance Technical Overview 2008

PCI ComplianceTechnical Overview

2008

RM PCI Calendar

Sept 2006: Official 15.1 PCI Release

Sept 2006: 15.1 certified PCI Compliant

Jan 2007: VISA approves certification

May 2007: Official 16.0 PCI Release

Dec 2007: 16.0 certified PCI Compliant

Awaiting VISA certification approval

Terms and Definitions PCI DSS: Payment Card Industry Data

Security Standard PABP: Payment Application Best

Practices RM is a validated payment application

that meets the PCI PABP So what is “PCI Compliance”? Hint: It’s

not simply installing RM 15.1.

The PCI Compliant SiteTo be a fully PCI compliant site, there are 4 areas needing

attention: Use PABP validated applications

Install RM 15.1 or later Proper configuration

RM and Reseller PCI Guidance Doc Proper procedures

Server machine access Remote access

Site guidelines Physical machine access Network / Wireless

Basic NetworkInternet

Network w/ WiFiInternet

Network w/ WiFiInternet

SymbolWS2000

Network w/ web svcsInternet

SymbolWS2000

DMZfor

Online OrderingRmbrowser

Write-On PhoneCentral Manager

What’s a DMZ? DMZ: “De-Militarized Zone” Separate network isolated from RM

network DMZ exposed to internet RM network isolated from internet All enforced through firewall

configuration rules

Network with DMZInternet

DMZ10.1.1.*

RM10.1.0.*

10.1.1.1

10.1.0.1

10.1.1.254

10.1.0.254

Setting up DMZ Server RM and Reseller PCI Guidance:

Install NetworkActiv AUTAPF port forwarder as a service

Configure single port forwarding rule Configure OO/RMbrowser/WO Phone

setup to go to DMZ machine and port

Firewall RulesInternet

DMZ10.1.1.*

RM10.1.0.*

Limited to proxy

Setting up the Firewall Symbol WS2000 configuration

Two subnets 1 for RM 1 for DMZ

Firewall Rules Now we’ll show you how…

Questions?