Do you need to hire a professional in order to be PCI compliant?
I run an organic food store, and after a conference call with my credit card service (CardConnect), do I really have to hire a PCI-certified professional once a year in order to be PCI compliant? If this is the case, how much does it cost?
Or am I just misreading things? I don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.
Tags: scam, financial
ncrsilver.com/what-is-pci-compliance
– they
Feb 16 at 2:59
"i don't think any "cyber criminal" is going to target my business." Wow.
– Joseph Sible
Feb 16 at 3:46
To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targeted by cyber criminals. Many businesses without an online presence are still targeted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targeted and being compromised, which is part of what PCI compliance is about; but that's only about protecting credit card info, not your business.
– Ed Grimm
Feb 16 at 4:01
@they: so, what you're trying to say is that NCR Silver is already PCI compliant, and I don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.
– thinksinbinary
Feb 16 at 4:06
There are different levels of compliance depending on your volume. I'm not very up to date with PCI DSS, but from memory, levels 3 and 4 can self-certify.
– paj28
Feb 16 at 8:07
asked Feb 16 at 2:08
thinksinbinary
4 Answers
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor, and this certification requires hiring an external/independent PCI Qualified Security Assessor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance significantly, and you can be PCI compliant by just doing the PCI SAQ (Self-Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you actually need to use an auditor, which is primarily based on the volume of your expected transactions, the mechanism by which you integrate with your payment processor, and how you handle card data.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.
edited Feb 18 at 2:11
answered Feb 16 at 3:36
Lie Ryan
Do you need to be cautious about security?
If you are using a POS (point of sale) system, a simple reason could be:
This machine simply requests the money transfer. The credit card data being transferred to complete the transaction is sensitive, and the whole process needs to be PCI (payment) compliant. You might not have an online business, but that only means less concern. Anyone can be a target of cyber criminals, at small or large scale; it's just a matter of time.
Start with the PCI SAQ (Self-Assessment Questionnaire); this should give you an idea of whether you still need a professional to run through it.
How much does it cost?
It depends on the variables that affect the overall cost: the size and type of business. The larger the organization, the more potential compliance gaps, and therefore the more costly.
answered Feb 16 at 6:17
Vcode
I run an organic food store, and after a conference call with my credit card service (CardConnect), do I really have to hire a PCI-certified professional once a year in order to be PCI compliant?
You probably do not need to hire a PCI-certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems.)
If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.
If this is the case, how much does it cost?
That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.
Or am I just misreading things? I don't think any "cyber criminal" is going to target my business.
If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit; it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees; it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.
Sure, NCR does a lot to protect the cards, but a necessary step, imposed by the card brands, is to make sure that merchants do their part also.
Well, this is the thing: my organic food store barely makes a profit, and I pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the PCI compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way; we can start scanning employees' pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, it's obvious that we don't store the info.
– thinksinbinary
Feb 17 at 1:31
@thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit; merchants are. You should contact NCR and ask them for advice on how to fill in your SAQ. Completing an SAQ is a pretty simple process; if you already use a processor, you'd be answering most questions N/A anyway. If you have done an SAQ and found that you are lacking in several areas, that will still be viewed more favorably than never having done any self-audit at all. You don't want the bank to be the one auditing you after an "event".
– Lie Ryan
Feb 17 at 2:00
@thinksinbinary: ultimately, PCI compliance isn't about protecting the merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. Since merchants aren't directly negatively affected by card data leaks, the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklists.
– Lie Ryan
Feb 17 at 3:34
@thinksinbinary updated the end of the answer to address your comment.
– gowenfawr
Feb 17 at 3:44
I thought about this a lot today; one thing I could do is plug my computer into the router of the POS processor and run Wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store; you all aren't paranoid and secure enough about who you give information to.
– thinksinbinary
Feb 17 at 6:11
Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.
Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.
It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.
Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.
Assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter, because the POS is a separate network.
– thinksinbinary
Feb 17 at 6:24
@thinksinbinary, that is an extremely short-sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, and isolated networks, and bypassed other security measures. Don't imagine for a minute that your network is secure against these kinds of attackers, because it is not.
– John Deters
Feb 17 at 21:56
"That is a short-sighted approach": John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bulletproof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indiscretion. I've read the SAQ, and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert, but my job is to find out if they need it, and how much to pay.
– thinksinbinary
Feb 19 at 13:09
I'm sorry, that was unnecessarily rude of me. I should have said I've seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don't think anyone should rest on "I segmented the network so my job is done." Those bad guys didn't choose Target; they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn't know it was the entrance to a gold mine.
– John Deters
Feb 19 at 19:30
Nah, you weren't so rude. It's just that the store I was helping doesn't need PCI compliance tests, because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.
– thinksinbinary
Feb 20 at 21:51
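The comment thread above ends on two claims that an assessor would want evidence for rather than assertion: that the captured POS traffic is encrypted ("unreadable" in Wireshark is not the same thing as a TLS session), and that the store does not store card data. The example below is added here and is not code from the original page or from NCR Silver or CardConnect; it shows the two checks a practitioner actually runs over a packet capture or a log export: whether a byte stream starts with a TLS record header, and whether any cleartext contains a Luhn-valid primary account number (PAN), which is how cardholder-data discovery tools separate real card numbers from order numbers and timestamps. All inputs are constructed for the example (the host name processor.example is invented); the card numbers are the public test numbers 4111111111111111 and 5555555555554444, not real cards, and the masking follows the PCI DSS rule of showing at most the first six and last four digits.

```python
import re

# Luhn checksum: every card PAN satisfies it, so it filters out order numbers,
# timestamps and other digit runs that a naive digit-run grep would flag.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(data: bytes) -> list:
    """Return the Luhn-valid PANs found in cleartext, separators removed."""
    text = data.decode("latin-1")           # one char per byte, so binary never raises
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def mask(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def looks_like_tls(data: bytes) -> bool:
    """True if the bytes start with a TLS record header (type 0x14-0x17, version 3.x)."""
    return (len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17)
            and data[1] == 0x03 and data[2] <= 0x04)

# Constructed samples; none of this is real traffic or a real log.
SAMPLES = {
    # an authorisation request sent without TLS: the PAN is readable on the wire
    "http_plaintext": (
        b"POST /authorize HTTP/1.1\r\nHost: processor.example\r\n\r\n"
        b"pan=4111111111111111&exp=1225&amount=1240&ref=20190217013102"
    ),
    # a POS log line that kept the full PAN; the 16-digit ref fails Luhn
    "pos_log": (b"2019-02-17 01:31:02 sale ok card 5555 5555 5555 4444 "
                b"amount 12.40 ref 4111111111111112"),
    # a properly masked receipt line: not cardholder data, must not alert
    "receipt": b"VISA ************1111 APPROVED 12.40",
    # the first bytes of a TLS 1.2 application-data record; nothing to scan
    "tls_record": b"\x17\x03\x03\x00\x1a"
                  + bytes.fromhex("8bf1c42a9e07d36c41be55e019a7f8035c926dc10e77b448e921"),
}

def scan_samples() -> dict:
    """Map each sample to (is_tls, masked PANs found in cleartext)."""
    return {name: (looks_like_tls(data), [mask(p) for p in find_pans(data)])
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (is_tls, pans) in scan_samples().items():
        verdict = "TLS record, cannot be scanned" if is_tls else f"cleartext, PANs: {pans or 'none'}"
        print(f"{name:15s} {verdict}")
```

Run it directly to see the per-sample verdicts. The functions are kept separate so the same scan can be pointed at real capture payloads (for example the TCP payloads exported from Wireshark) or at the POS and web-server logs the SAQ asks about. A Luhn-valid PAN in cleartext traffic or in a log file puts that system in scope for the full set of PCI DSS requirements, whatever the processor's own compliance status; a 14-digit reference number that fails Luhn is the kind of false positive the checksum exists to remove.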
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.
add a comment |
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.
add a comment |
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring an external/independent PCI qualified security assessor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is primarily based on the volume of your expected transactions, mechanism you integrate with your payment processor, and how you handle card data.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.
edited Feb 18 at 2:11
answered Feb 16 at 3:36
Lie RyanLie Ryan
23.5k35077
23.5k35077
add a comment |
add a comment |
Do you need to be cautious about security?
If you are using POS(Point of Sale system) a simple reason could be;
This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.
How much does it cost?
Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.
add a comment |
Do you need to be cautious about security?
If you are using POS(Point of Sale system) a simple reason could be;
This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.
How much does it cost?
Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.
add a comment |
Do you need to be cautious about security?
If you are using POS(Point of Sale system) a simple reason could be;
This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.
How much does it cost?
Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.
Do you need to be cautious about security?
If you are using POS(Point of Sale system) a simple reason could be;
This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.
How much does it cost?
Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.
answered Feb 16 at 6:17
VcodeVcode
581128
581128
add a comment |
add a comment |
i run an organic food store, and after a conference call with my
credit card service (card connect), do i really have to hire a PCI
certified professional once a year in order to be pci compliant?
You probably do not need to hire a PCI certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems).
If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.
If this is the case, how much does it cost?
That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.
Or am I just misreading things, i don't think any "cyber criminal" is going to target my business.
If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit, it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees, it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.
Sure, NCR does a lot to protect the cards - but a necessary step, imposed by the card brands, is to make sure that Merchants do their part also.
well this is the thing, my organic food store barely makes a profit, i pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the pci compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way, we can start scanning employees pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, its obvious that we don't store the info
– thinksinbinary
Feb 17 at 1:31
1
@thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit, merchants are. You should contact NCR and ask them for advice on how to fill your SAQ. Completing a SAQ is pretty simple process, if you already use a processor, you'd be answering most questions N/A anyway. If you have done SAQ and found that you are lacking in several areas, that will still be viewed favorably than never having done any self-audit at all. You don't want the bank the be the one auditing you after an "event".
– Lie Ryan
Feb 17 at 2:00
1
@thinksinbinary: ultimately the PCI compliance isn't about protecting merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. While merchants aren't directly negatively affected by card data leaks, so the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklist.
– Lie Ryan
Feb 17 at 3:34
@thinksinbinary updated the end of the answer to address your comment.
– gowenfawr
Feb 17 at 3:44
i thought about this a lot today, one thing i could do is plug my computer into the router of the POS processor and run wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store, you all aren't paranoid and secure enough about who you give information to.
– thinksinbinary
Feb 17 at 6:11
|
show 1 more comment
i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant?
You probably do not need to hire a PCI certified professional, because unless you're a particularly large organic food store, you are likely small enough that the Self-Assessment Questionnaire will suffice. (The caveat being that your processor may compel you to have an audit instead of an SAQ, but that would usually only be the case for a small merchant who had a history of compliance problems).
If you've never gone through the process, then hiring an auditor at least once is a good idea. They can help you understand the issues so that handling the SAQ will be easier for you in future years. They can point out security issues that the SAQ might not make apparent to you.
If this is the case, how much does it cost?
That varies widely by the size and location of your business, and by the individual auditor you might engage, so it's impossible for us to say. The standard advice of "get multiple quotes" applies.
Or am I just misreading things, i don't think any "cyber criminal" is going to target my business.
If you handle cards, you are a target of opportunity. They may not know or care who you are, but they'll hit you nonetheless. It's not about your level of profit, it's about the fact that customers hand you cards, and each card represents thousands of potential dollars, and a useful smaller amount of real dollars to the attacker who sells it down the line. PCI DSS is not about employees, it's about infrastructure and practices to protect the cards that have to flit across your business on their way to the processor.
Sure, NCR does a lot to protect the cards - but a necessary step, imposed by the card brands, is to make sure that Merchants do their part also.
edited Feb 17 at 3:44
answered Feb 16 at 15:08
gowenfawr
53.7k11114159
Well, this is the thing: my organic food store barely makes a profit; I pay all my employees in the area a decent wage. The thing that bothers me about this is that none of the PCI compliance sites are explicit about what they are protecting you against. The issue with internet security overall is that some [robot] has to get the credit card information along the way; we can start scanning employees' pockets when we process their credit card payments. I would think that NCR imposes really good security measures on their credit card processes. And no, it's obvious that we don't store the info.
– thinksinbinary
Feb 17 at 1:31
1
@thinksinbinary: NCR may have good security measures, but processors are not the ultimate target of responsibility of the audit; merchants are. You should contact NCR and ask them for advice on how to fill in your SAQ. Completing an SAQ is a pretty simple process; if you already use a processor, you'd be answering most questions N/A anyway. If you have done an SAQ and found that you are lacking in several areas, that will still be viewed more favorably than never having done any self-audit at all. You don't want the bank to be the one auditing you after an "event".
– Lie Ryan
Feb 17 at 2:00
1
@thinksinbinary: ultimately, PCI compliance isn't about protecting the merchant. It's about protecting the bank customer's credit card from misuse. For better or worse, the credit card system has been designed to favour customers rather than merchants, but merchants are responsible for implementing parts of the security measures. Merchants aren't directly negatively affected by card data leaks, so the way banks force merchants to take their responsibility seriously is with chargebacks, fines, and blacklisting.
– Lie Ryan
Feb 17 at 3:34
@thinksinbinary updated the end of the answer to address your comment.
– gowenfawr
Feb 17 at 3:44
I thought about this a lot today. One thing I could do is plug my computer into the router of the POS processor and run Wireshark to see if the packets are encrypted. Just kidding. I don't even own an organic food store; you all aren't paranoid and secure enough about who you give information to.
– thinksinbinary
Feb 17 at 6:11
Cyber criminals use spam to send fake (phishing) emails. If your business gets caught by one, the attacker has a way into your network, where they will scan for your POS system. Many small businesses have been hacked because their POS service provider was hacked, and all the clients on their list were penetrated. No business is too small, because many criminals are in a different country, and don’t know anything about you or your size. You are just another gold nugget to be mined in the eyes of these criminals.
Why comply with PCI-DSS? Because your business will be held liable for all losses associated with any breach you’re involved in. If you have a customer with a million dollar credit limit on their card, and the thieves who stole it from you use it to buy a Ferrari, you’re liable for the whole amount.
It sounds like you’re a Tier 1 merchant, so take the self-assessment route, if you can. It won’t get you completely off the hook if your POS system is breached, but at least you’ll have someone else to shoulder the burden.
Also, take the opportunity to learn about and convert to EMV chip cards, if you haven’t already. Mag stripes are worthless for security. Chip cards will protect you from a whole host of risks.
answered Feb 17 at 3:19
John Deters
28.8k34392
Assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter, because the POS is a separate network.
– thinksinbinary
Feb 17 at 6:24
@thinksinbinary, that is an extremely short-sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.
– John Deters
Feb 17 at 21:56
"That is a short-sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bulletproof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indiscretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert, but my job is to find out if they need it, and how much to pay.
– thinksinbinary
Feb 19 at 13:09
I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.
– John Deters
Feb 19 at 19:30
Nah, you weren't so rude; it's just that the store I was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.
– thinksinbinary
Feb 20 at 21:51
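The check described in the comment above (watching the POS segment in Wireshark and seeing that the packets are "unreadable") is weaker than what an assessor would accept: "looks like noise" is not evidence that no card data crosses the wire, and a plain digit regex would flag order numbers as card numbers. The usual data-discovery approach is to scan the captured payloads, and any file or database in scope, for 13 to 19 digit sequences that pass the Luhn check, and to report them masked so the scanner's own output never contains a full PAN. The script below is an added example written for this page; it is not code from any of the thread's participants, NCR, or CardConnect. The payloads are constructed inline and labelled as such; feeding it the TCP payloads exported from your own capture (for example the follow-stream output of tshark) is an assumed workflow, not something the thread specifies.

```python
import re

# Constructed sample payloads (not captured from any real system).
# - a cleartext POS message carrying a well-known test card number
# - the same number with the spacing a receipt printer would use
# - 42 bytes shaped like a TLS 1.2 application-data record (no ASCII digits)
# - an order number that is 16 digits long but fails the Luhn check
SAMPLE_PAYLOADS = {
    "cleartext_pos_msg": b"TXN|amount=12.40|pan=4111111111111111|exp=1227|",
    "cleartext_spaced": b"card 4111 1111 1111 1111 swiped at lane 2",
    "tls_like_record": b"\x17\x03\x03\x00\x2a" + bytes(range(0x80, 0xAA)),
    "order_number_only": b"ORDER 1234567890123456 paid by card on file",
}

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Walking from the right, every second digit is doubled and digits above 9
    are reduced by 9; a valid number sums to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to
    be displayed, so the scanner's report stays out of scope itself."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(payload: bytes) -> list:
    """Return masked, Luhn-valid PANs found in one payload."""
    found = []
    for m in _PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_payloads(payloads: dict) -> dict:
    """Map each payload name to the masked PANs it exposes in cleartext."""
    return {name: find_pans(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, hits in scan_payloads(SAMPLE_PAYLOADS).items():
        status = "CLEARTEXT PAN" if hits else "clean"
        print(f"{name:20s} {status} {hits}")
```

An empty result across every stream on the POS segment is the evidence an SAQ answer about encryption in transit can lean on; a single hit on a cleartext stream means the segment is in scope regardless of how the network is segmented. The Luhn filter is what keeps order and loyalty numbers from turning into false positives.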
|
show 1 more comment
assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter because the POS is a seperate network.
– thinksinbinary
Feb 17 at 6:24
@thinksinbinary , that is an extremely short sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.
– John Deters
Feb 17 at 21:56
"that is a short sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bullet proof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indescretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert but my job is to find out if they need it, and how much to pay.
– thinksinbinary
Feb 19 at 13:09
I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.
– John Deters
Feb 19 at 19:30
nah you werent so rude, its just that the store i was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a seperate system, and i ran wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.
– thinksinbinary
Feb 20 at 21:51
assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter because the POS is a seperate network.
– thinksinbinary
Feb 17 at 6:24
assuming that the business owner was "dumb" enough to fall victim to a phishing scam, it wouldn't matter because the POS is a seperate network.
– thinksinbinary
Feb 17 at 6:24
@thinksinbinary , that is an extremely short sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.
– John Deters
Feb 17 at 21:56
@thinksinbinary , that is an extremely short sighted approach. The Target hack started when a bookkeeper at an HVAC vendor (not even a Target employee!) fell for a phishing email. The hackers tunneled in through firewalls, virtual machines, isolated networks, and bypassed other security measures. Don’t imagine for a minute that your network is secure against these kinds of attackers, because it is not.
– John Deters
Feb 17 at 21:56
"that is a short sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bullet proof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indescretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert but my job is to find out if they need it, and how much to pay.
– thinksinbinary
Feb 19 at 13:09
"that is a short sighted approach", John Deters, thanks for using your info-sec knowledge to help me. However, most people don't wear bullet proof vests despite the real possibility of getting shot in public in 2019. Target is a serious target for hacking because of their size and indescretion. I've read the SAQ and some of the requirements aren't necessary for this small organic food business, but PCI compliance is currently threatening the financial security of the low-profit store. In the end they should hire the fancy expert but my job is to find out if they need it, and how much to pay.
– thinksinbinary
Feb 19 at 13:09
I’m sorry, that was unnecessarily rude of me. I should have said I’ve seen faith in technical solutions approaching hubris, and seen them fail often enough to know that no single technical solution is adequate once the bad guys are inside the network. I don’t think anyone should rest on “I segmented the network so my job is done.” Those bad guys didn’t choose Target, they were simply drilling into the compromised HVAC vendor and found a link to Target they exploited. Access to the HVAC system was sold by the original phishing spammer for $70; he didn’t know it was the entrance to a gold mine.
– John Deters
Feb 19 at 19:30
Nah, you weren't so rude, it's just that the store I was helping doesn't need PCI compliance tests because they have a very simple system and don't make much money: the POS is a separate system, and I ran Wireshark while connected to the server and the packets are unreadable without encryption cracking. Plus, the employees can't install new software on the two POS tablets.
– thinksinbinary
Feb 20 at 21:51
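The comment above relies on a packet capture looking "unreadable" as evidence that the POS link is encrypted. The script below is an added example of how a defender can turn that eyeball check into a repeatable one; it is not code from this thread, from NCR Silver or from CardConnect. It classifies captured POS payloads as TLS records (reporting the record-layer version, which is only a coarse signal since the negotiated version lives in the ServerHello) or non-TLS bytes, and scans non-TLS bytes for digit runs that pass the Luhn check, which is how a primary account number sent in the clear would show up. All sample payloads are constructed; the card number is the standard 4111111111111111 test PAN, not a real card.

```python
"""
Added example: classify captured POS payloads as TLS or not, and flag
anything card-number-shaped that travels in the clear. Constructed
samples only; nothing here reads a live network.
"""
import re

# Record-layer version bytes (RFC 5246 / RFC 8446). TLS 1.3 still writes
# 0x0303 (and ClientHello often 0x0301) here for compatibility, so this
# only tells you "TLS-shaped", not the negotiated protocol version.
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
# Record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData.
TLS_CONTENT_TYPES = {20, 21, 22, 23}
# A TLS record body may not exceed 2^14 + 2048 bytes.
TLS_MAX_RECORD = 16384 + 2048

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card PAN passes it, most noise does not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tls_record_version(payload: bytes):
    """Return the record-layer version name if payload starts with a
    plausible TLS record header, otherwise None."""
    if len(payload) < 5:
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or (major, minor) not in TLS_VERSIONS:
        return None
    if length > TLS_MAX_RECORD:
        return None
    # A captured segment may be shorter than the declared record length
    # (truncated capture), so we do not reject on that.
    return TLS_VERSIONS[(major, minor)]


def find_cleartext_pans(payload: bytes):
    """Digit runs that look like a PAN and pass Luhn, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(payload: bytes) -> dict:
    """One verdict per payload: TLS (with record version) or non-TLS plus
    any cleartext PANs found in it."""
    version = tls_record_version(payload)
    if version is not None:
        return {"kind": "tls", "version": version, "pans": []}
    return {"kind": "non-tls", "version": None, "pans": find_cleartext_pans(payload)}


# Constructed sample payloads (not captured from any real system).
SAMPLES = {
    # TLS 1.2 ApplicationData record: type 23, version 3.3, length 16, opaque body.
    "tls_app_data": bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(16)),
    # Handshake record (ClientHello fragment) using the legacy 3.1 record version.
    "tls_hello": bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 41,
    # Plain HTTP POST carrying the test PAN in the clear: this is the finding.
    "plain_http": b"POST /sale HTTP/1.1\r\nHost: pos.example\r\n\r\npan=4111-1111-1111-1111&amt=1299",
    # Plain text with a 13-digit timestamp that fails Luhn: must not be flagged.
    "plain_noise": b"ts=1550000000000&sku=9912",
}


def audit(samples=SAMPLES) -> dict:
    """Classify every sample; returns name -> verdict."""
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:13s} {verdict}")
```

On a real capture you would feed each TCP segment's payload into `classify` (a few lines with a pcap library of your choice); a `non-tls` verdict with a non-empty `pans` list is exactly the condition a PCI assessment is trying to rule out, while a `tls` verdict says only that the traffic is TLS-framed, not that the cipher suite or certificate validation is acceptable.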