Security expert? Me?

Way back in 1984, or thereabouts, when I got my very first computer (an Apple IIc is you must know), the last thing I ever thought I would have to be is a security expert. I thought it was enough that I mastered SuperCalc (and later, SC2, ’cause that’s how I roll) and make my name scroll diagonally on the screen x times.

Or, in 1989 when I was programming restaurant databases on old CP/M machines or running chain (Remanco users unite!) did I ever think I would have to be a security expert.

What about in late 1994 when I got my very first ‘real’ computer? First website in ’95, rockin’ the AOL account on a screamin’ fast 14.4 modem. Did I think I would have to be a security expert then? Nope.

Working help desk from 1997 – 1998?
Restaurant Point of Sales installation and training from 1999 to now?
Playing psuedo network/sys admin from ’00 – 02?

Nope, nope and nope.

But here we are. 2007. The internets aren’t safe any more. I’m stuck in a Windows world with Windows devs that make me use IE on office computers manned by women who could honestly give a crap about what kind of nastiness gets on their machines. Oh, but there is so much more!

My newest headache? PCI DSS.

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

So, not just any security, but credit card security. I would have never guessed.

As it turns out, people like to pay for car washes with those little plastic cards. About 30K a month company wide. That’s a lots of swipes! And I’ve been tasked with keeping those numbers safe. Piece of cake. Lucky for me there is a 74 page doc of the requirements, a 14 page self questionairre and 25 page doc on the certification process (that luckily, I don’t have to deal with).

So my days for the last 2 months have been clogged with implementing advanced security procedures with users that are far less than advanced. The idea of a unique name and complex password (changed every 90 days please) to my users makes them give me the Lassie look, followed by smoke from their ears.

Expensive? Not as bad as you would think. New Sonicwall internet devices are on my desk waiting to be configured and installed. It’s also getting me an upgrade on my Corporate copy of Norton Antivirus with kick ass pricing from AT&T (I know!). Oh, and a VPN in another week or so. All good.

But, this week as I was continuing on through the 75 page document to the sections I haven’t completed, I come across the dreaded section 9. Physical security. It says, in not so many words, that any device where credit cards are stored must be secure. By secure I mean

  • Access limited. Besides a locked door, some type of badge access system in place
  • Monitored with a video camera
  • All access logged. Logs kept online for 3 months, retained for a year

“Hey, that’s awesome db! Nice to see someone doing something to protect my data!”

Yea, hey, no problem. But, here’s the thing. I don’t have 1 location where card holder data is stored.

I have 8.

For all it’s badness, the internet does some pretty neat things. One of those neat things is make is possible for retailers to swipe your credit card and get an approval back with voucher printed in less than 10 seconds. Actually, it’s closer to 7 (yes, I have timed it). It’s about a 4K packet being sent from the retailer to the processor and then returned with a yay or nay vote. The old way, with modem, used to take as long as 20 seconds. The bulk of that time was the hand shaking that had to happen between the retailer and the processor, because even at 33.6 speeds, 4K up and back is still a pretty speedy trip ya know?

Anyway, it’s because we process credit cards over the internet this way (instead of using a modem) that I have to do all of the extra work.

Section 9 could seriously mess all that up tho. I’m all about keeping stuff as secure as possible, but honestly, it’s not cost effective to do it the way I’m required. Also, for the low volume that I have to manage, I really think it’s overkill. Besides overkill, it’s cost prohibitive for our small company. Having to do any of the items in section 9 would actually ’cause me to have to revert back to dial-up for credit card processing. No body likes that. Customers don’t because transactions take longer. Processors don’t like it because they have to keep the modems revved up, plus the 800 number to dial into. It’s bad bad all the way around.

So, I have calls out to everyone I know that is doing this right now to see how much I’m really going to have to do. I’m hoping they come back with the information I want to hear.

Published by Don

Lead bottle washer at donburnside.com, host at whiteroofradio.com and tech guru for the MotoringFile family of sites.

Join the Conversation

3 Comments

  1. Ok, being the instruction parser that I have been forced to become – the first thing I have to ask is just what are they saying needs to be secured like this? The CC reader that connects to the processor for the authorization or some other magic box in the back offices?

    Lots of retailers swipe CCs right on their POS terminals located right on the sales floor – and most of those terminals aren’t dumb terminals – they can’t possibly be able to meet the requirements in that chapter. Obviously they can do it on the back side but their front end stuff can’t possibly be secured like this.

    If it’s just a backend box – yeah card access and camera’s are pretty unrealistic for you, but a secure enclosure of some sort certainly is…

  2. In a POS environment, the terminals usually aren’t ‘dumb’ nor do they hold the cc data. That informaiton is passed along to a piece of software (called a server most of the time) that does all of the transmission to the processor and holds all of the data. That server is usually located on a computer within the POS network that is usually kept in an office or something similiar.

    I don’t have these facilities available to me. A secure box might do the trick and it is something I have thought about, but there still has to be holes in it for ventilation and access for the display, keyboard, mouse and power switch.

    I’m hoping I don’t have to do anything too drastic

Leave a comment

Your email address will not be published. Required fields are marked *

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

This site uses Akismet to reduce spam. Learn how your comment data is processed.