Client PCI Compliance

Jul 2, 2009, 05:23   #1
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)

Hi,

I have been asked by a client to help them with becoming PCI compliant. We have everything sorted except one thing - wireless analysis. To become PCI compliant you need to use a 'wireless analyzer' to scan for vulnerabilities every quarter. The only trouble is, I haven't a clue what one of these things looks like, let alone where to get one or how to deploy one (and I have been Googling for hours)!

If anyone who has any experience of dealing with PCI Compliance can explain what my client and I need to do for this I would be very grateful.

Thanks,
TM
Jul 2, 2009, 23:45   #2
webdesignandmore (SitePoint Member, Join Date: Jul 2009, Posts: 6)
Are there any consultants that you can hire to do this for you? This sounds like it might be cheaper.

Also, this only applies if your client uses wireless LAN for transmitting cc info. I would take a look at regulations just to make sure you really need it.
Jul 3, 2009, 00:24   #3
CS-Cart (SitePoint Zealot, Join Date: Jun 2009, Posts: 114)
The approved list of scanning vendors can be found here:

https://www.pcisecuritystandards.org...sv_report.html

Personally, I'd check HackerGuardian as an option, this is a very reputable company.
Jul 3, 2009, 04:51   #4
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)
My client is already with one of these approved scanning vendors - Security Metrics. All they do is perform an external scan - whereas we need an internal (on site) scan to comply with 11.1, which says that you must carry out a minimum quarterly wireless scan of all locations or deploy a wireless IDS/IPS.

We asked Security Metrics for help on how to comply with this and this was their response:
Quote:
We appreciate your question as to how to comply with 11.1.

As it specifies, you need a system in place to "identify all wireless devices in use". You can do this with the use of a wireless analyzer, wireless Intrusion Detection System (IDS), or Intrusion Prevention System (IPS). If you already have one of those programs and it is successfully identifying all of the wireless devices in use, then you can mark that you comply with this question by recording a 'yes' answer. If you do not currently have any of the above-mentioned programs, you will need to research a product that would be best for you and your business and deploy it on all necessary networks. We cannot make references as to what products would be best for you for liability reasons; however, your local computer specialists or internet search engines can be valuable tools.
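The check described in the SecurityMetrics reply, as an added example that is not part of this thread and not any vendor's product: what a wireless analyzer does for 11.1 is enumerate every access point audible from each location, compare each BSSID against the site's inventory of authorized APs, and single out the rest for investigation. The script below does that in Python from the text output of Linux `iw dev wlan0 scan`. The scan text, MAC addresses, SSIDs, the one-entry inventory and the -65 dBm "probably on premises" threshold are all constructed for the example.

```python
#!/usr/bin/env python3
"""Quarterly rogue access-point check of the kind PCI DSS 11.1 asks for: parse
`iw dev <iface> scan` output, compare each BSSID heard against the inventory of
authorized APs and report the rest. Added example; sample data is constructed."""
import re
import sys
from dataclasses import dataclass

@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    freq_mhz: int = 0
    signal_dbm: float = 0.0
    encrypted: bool = False  # "Privacy" bit set in the capability field

    @property
    def channel(self) -> int:  # 802.11 channel from centre frequency (2.4/5 GHz)
        f = self.freq_mhz
        if f == 2484:
            return 14
        if 2412 <= f <= 2472:
            return (f - 2407) // 5
        return (f - 5000) // 5 if 5000 <= f <= 5900 else 0

def parse_iw_scan(text: str) -> list:
    """One 'BSS <mac>(on <iface>)' header per AP, indented attribute lines below."""
    aps, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", raw, re.I)
        if m:
            cur = AccessPoint(bssid=m.group(1).lower())
            aps.append(cur)
        elif cur is not None:
            line = raw.strip()
            if line.startswith("SSID:"):
                cur.ssid = line[5:].strip()
            elif line.startswith("freq:"):
                cur.freq_mhz = int(float(line[5:]))  # iw prints "2437" or "2437.0"
            elif line.startswith("signal:"):
                cur.signal_dbm = float(line.split()[1])  # "signal: -41.00 dBm"
            elif line.startswith("capability:"):
                cur.encrypted = "Privacy" in line
    return aps

def audit(aps, authorized, on_prem_dbm=-65.0):
    """Compare a scan with the inventory {bssid: expected SSID}; return
    (ap, severity, reason) per AP needing action ("high") or a recorded decision
    ("review"). on_prem_dbm is an assumption: a signal at least this strong
    probably comes from inside the premises rather than from a neighbour."""
    authorized = {k.lower(): v for k, v in authorized.items()}
    known_ssids = set(authorized.values())
    out = []
    for ap in aps:
        if ap.bssid in authorized:
            if ap.ssid != authorized[ap.bssid]:
                out.append((ap, "high", f"authorized AP broadcasting unexpected SSID, expected {authorized[ap.bssid]!r}"))
            elif not ap.encrypted:
                out.append((ap, "high", "authorized AP is running open (no Privacy capability)"))
        elif ap.ssid in known_ssids:
            out.append((ap, "high", "unauthorized BSSID using an authorized SSID (possible evil twin)"))
        elif ap.signal_dbm >= on_prem_dbm:
            kind = "encrypted" if ap.encrypted else "open"
            out.append((ap, "high", f"unknown {kind} AP with a strong signal; probably on premises, locate it"))
        else:
            out.append((ap, "review", "unknown AP with a weak signal; likely a neighbour, confirm and record"))
    return out

# Constructed sample in iw's format: the authorized office AP, an open AP someone
# plugged in, an evil twin of the office SSID, and a weak neighbour.
SAMPLE_SCAN = """\
BSS aa:bb:cc:dd:ee:01(on wlan0) -- associated
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -41.00 dBm
    SSID: OfficeNet
BSS aa:bb:cc:dd:ee:02(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -47.00 dBm
    SSID: SETUP
BSS 11:22:33:44:55:66(on wlan0)
    freq: 5180.0
    capability: ESS Privacy (0x0011)
    signal: -53.00 dBm
    SSID: OfficeNet
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -83.00 dBm
    SSID: NextDoorCafe
"""
AUTHORIZED = {"aa:bb:cc:dd:ee:01": "OfficeNet"}  # constructed inventory

if __name__ == "__main__":
    # Live use on Linux: `sudo iw dev wlan0 scan | python3 rogue_ap_check.py`
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for ap, sev, why in audit(parse_iw_scan(text), AUTHORIZED):
        print(f"[{sev:6}] {ap.bssid} ch{ap.channel:<3} {ap.signal_dbm:6.1f} dBm SSID={ap.ssid!r}: {why}")
```

Run it at each location, and from several spots inside the building, because one scan only hears what is in range of that one card; keep the output with the quarterly records together with the decision taken on every "review" line. A line on the report is only the start: for a "high" finding the next step is to physically locate the device and either add it to the inventory with a business justification or remove it.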
Jul 3, 2009, 05:03   #5
CS-Cart (SitePoint Zealot, Join Date: Jun 2009, Posts: 114)
I see, sorry for possible misunderstanding. Did you check with your hosting company regarding this question? They may have such a system if they host ecommerce sites.
Jul 3, 2009, 05:26   #6
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)
Quote (Originally Posted by CS-Cart):
I see, sorry for possible misunderstanding. Did you check with your hosting company regarding this question? They may have such a system if they host ecommerce sites.
No worries. I'm gradually picking up bits of this PCI Compliance as I go along. I guess it might be worth asking - the support people at my hosting company are usually quite helpful and knowledgeable. Thanks.
Jul 3, 2009, 05:29   #7
CS-Cart (SitePoint Zealot, Join Date: Jun 2009, Posts: 114)
Quote (Originally Posted by topmonkey):
No worries. I'm gradually picking up bits of this PCI Compliance as I go along. I guess it might be worth asking - the support people at my hosting company are usually quite helpful and knowledgeable. Thanks.
It's good to hear this. Please, share your results with us, it would be interesting to know.
Jul 3, 2009, 05:38   #8
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)
Quote (Originally Posted by CS-Cart):
It's good to hear this. Please, share your results with us, it would be interesting to know.
Will do.
Jul 3, 2009, 07:38   #9
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)
Quote from my host:
Quote:
A wireless IDS/IPS is usually built into your wireless router and will also form part of most security programs available for networks and personal computers. If you have such a program along the lines of Norton Internet Security or similar then you will be covered.
Jul 6, 2009, 01:16   #10
CS-Cart (SitePoint Zealot, Join Date: Jun 2009, Posts: 114)
Am I correct to assume that you use a dedicated server? If so, I'd suggest passing this question further to your server administrator.
Jul 6, 2009, 10:08   #11
topmonkey (SitePoint Addict, Join Date: Apr 2007, Posts: 204)
That's irrelevant - the wireless access point is located at the client's home based office. I have now installed Norton for the client so we should be compliant now if my host is right.

Tags: pci
Powered by vBulletin® Version 3.7.1
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Copyright 1998-2009, SitePoint Pty Ltd. All Rights Reserved