Opened 12 days ago

Last modified 7 days ago

#14387 assigned Question/How do I...?

PCI DSS Compliance

Reported by: https://id.mayfirst.org/nlg-membership Owned by: https://id.mayfirst.org/jaimev
Priority: Medium Component: Tech
Keywords: PCI DSS Cc: https://id.mayfirst.org/jamie
Sensitive: no

Description

We have to do a PCI DSS scan and questionnaire for our credit card system. Can you let me know if we use "Load Balancers as a part of our in-scope PCI Infrastructure" and how we can grant Sysnet access to the other IP addresses in order to complete a scan? There is also a questionnaire with about 250 questions about firewalls and system configuration and cryptographic keys etc. which is beyond my technical knowledge. Please let me know how I can get assistance with this. Thank you.

Change History (3)

comment:1 in reply to: ↑ description Changed 12 days ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/jamie added
  • Keywords PCI DSS added
  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

Replying to https://id.mayfirst.org/nlg-membership:

We have to do a PCI DSS scan and questionnaire for our credit card system. Can you let me know if we use "Load Balancers as a part of our in-scope PCI Infrastructure" and how we can grant Sysnet access to the other IP addresses in order to complete a scan? There is also a questionnaire with about 250 questions about firewalls and system configuration and cryptographic keys etc. which is beyond my technical knowledge. Please let me know how I can get assistance with this. Thank you.

You can pass the questionnaire on to us, but we may not be able to answer all of those questions. This has come up before, and generally the requirements are onerous and do not take into account how security is handled differently by different Linux distributions. Other members have been able to pass the scan but had to make some arguments to the scanning company.

https://support.mayfirst.org/search?q=PCI+DSS+

comment:2 Changed 12 days ago by https://id.mayfirst.org/cldc

I'm not sure what payment processor you are using but we, at Monthly Review, decided to ditch the processor that seemed to require compliance because the whole process seemed like a scam. You pay the compliance authority directly, and they will not stop contacting you even if you discontinue the service with the given processor. In our case it was Global Payments. We were using them to process credit cards details online. However, PayPal has the same feature (called a Virtual Terminal, but you may need a pro account); and you can even use Stripe as a virtual terminal simply by creating a customer and then adding a payment method.

The long and short of it is: change your processor to Stripe (best because you can easily set up recurring payments as well, at no extra cost) or PayPal as I'm pretty sure it is a scam. Even if you do not want to change, note that your processor may not even require you to go through a compliance check. You should ask them directly.

comment:3 Changed 7 days ago by https://id.mayfirst.org/jamie

For the record: load balancers are not being used by nlg.org.

And also I agree with cldc: these PCI audits are a frustrating scam. If switching to Stripe is a possibility for your payment processing, I would encourage you to go that route as well.
