Actually A and C are the same company. Unless by "shared files" you mean
the MS Office type documents which are on the Y's local server. Or,
unless you mean C is the company that gives the merchant account. A/C
has their own web site that the Y users do all their business work through.
And yes A/C is the one that is saying "not us" but they are the biggest
target of attackers as they store the credit card information and
transmit them to the credit card network upon instructions from the Y.
On 12/16/2009 9:05 PM, Tom Jedrzejewicz arranged the binary bits such that:
My understanding is that the Y has a third party ("A") hosting their shared
files, another ("B") hosting their web site, and another ("C") which
actually processes the credit card transactions. I presume that the
file-sharing host (A) is the one pushing back.
1- The PCI audit is primarily about how credit card and cardholder
information is secured. Any of the third parties where card holder data is
stored must be included in the audit. C clearly must be included. B most
likely is not included. A must be included if individual transaction or
card information ends up stored there.
2- That any of the third parties is pushing back against this should raise
the hairs on the back of your neck. They should be able to provide the info
necessary for the audit, although I can see them wanting clear
non-disclosures executed for all concerned.
3- I can see them not wanting to have their networks probed and scanned.
Unless it is called for in an agreement, the Y likely can't require them to
consent. The Y should be able to push back about risky, intrusive and
possibly destructive testing. DO NOT APPROVE scans of the third parties
without permission of the third party.
4- The Y should request a "SAS 70" report from each of the third parties (A,
B, C and ADP). This is a standardized audit report. It is not related to
PCI, but it is standard for demonstrating Sarb-Ox compliance and may well
have sufficient info to satisfy the PCI auditors.
On Wed, Dec 16, 2009 at 5:31 PM, Roger Vicker, CCP <rv-tech@xxxxxxxxxx> wrote:
A local Y is having a hard time filling out a PCI survey.
Virtually everything except for local document editing (MS Office...) is
externally web hosted by a 3rd party. Their plain Jane web site is
hosted by another commercial hosting company. And ADP is their
payroll/time card web site. Even before they switched to web based I put
them behind a business class firewall. :-)
The survey is asking for their IP/Subnet, load balancer configuration
and approval to have their domain, IP and network blocks scanned. I can
see having their IP scanned since they connect FROM it to the 3rd party
site to enter credit cards into the database and initiate transactions
that are handled by the 3rd party's servers. The domain (external web
hosting using Drupal) only has links to the 3rd party's site for
customers to perform selected functions.
I contend that the 3rd party's Domain, load balancers and IP/Subnet
should be included as that is where the credit card information is
stored and all transactions originate from. However, the 3rd party
contends they have nothing to do with the PCI survey and the Y is the
only thing covered by the survey.
They should pass this step. If nothing else I would like to see the 3rd
party receive the same PCI scrutiny to protect the Y.
Is this normal or is there some form missing to let the Credit Card
auditors know that they need to be looking wider than just the local Y?
Don't 3rd party handlers of credit card information directly fall under
PCI instead of under their customers without any direct control?
Roger Vicker, CCP
*** Vicker Programming and Service *** Have bits will byte ***
A learned fool is more foolish than an ignorant fool.
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list