Actually, you will get to talk to FOUR PCI Gurus this coming week. Bring us your hardest PCI questions.
Follow this link and register for our PCI Dream Team discussion on May 17 (depending on your time zone).
I hope to “see” you there. It should be a great time.
Can you use an Oracle Exadata storage for PCI and non-PCI data and still remain compliant?
Thanks!
Yes. But you need to ensure that you are not using iSCSI for your interface. Only Fibre Channel or similar is private. iSCSI can be private, but it requires a lot of configuration work that most people do not perform.
Thank you for the live event! Very informative. You even answered two of my questions!
Unfortunately I’m not able to attend the webinar due to the timing. However, I do have a vexing, difficult question I’d love to hear answered.
My company builds and hosts an ecommerce platform built specifically for the travel industry. The company’s clients use the ecommerce platform to sell all sorts of travel products, both to businesses and direct to consumers. It may be the same in other industries, but in the world of travel there are a lot of antiquated business processes. One of them is causing us huge problems in our quest for our RoC.
The issue is how travel agents (my company’s customers) pay their suppliers (airlines, hoteliers, etc). When you make a holiday booking via a travel agent, normally you will pay the full transaction value to the travel agent who in turn will pay the airline and hotel company. This hides the travel agent’s markup from you and is how they make their money. To make the supplier payment, many suppliers *require* payment by card. To avoid the true cost of travel appearing on your bank statement, the travel agent will use their corporate credit card to pay the supplier.
Some suppliers such as low cost carriers (e.g. easyJet, Jet2, Aer Lingus, etc. here in the UK) change their pricing frequently, so when a customer has seen a quote and makes a reservation, it is important to pay the supplier immediately. If the travel agent delays, and the price goes up, it erodes or negates their markup.
To facilitate immediate payment to suppliers, my company’s software allows them to store their own corporate credit cards. As the supplier websites and APIs treat each reservation as a separate transaction, they do not offer any account credit, tokenisation or recurring payment solutions – and require both PAN and CVV at time of booking through their booking APIs. As such, the software platform needs to store both the PAN and CVV of the corporate card in a retrievable fashion in order to send them across to the supplier.
To complicate matters, many businesses like to use a corporate travel agent to facilitate their travel bookings but wish to pay suppliers using their own corporate credit cards. They are happy to see two transactions on their bank statement, one to the product supplier and another to the travel agent for a booking fee. In this instance it is the business’ corporate card details that must be stored.
Obviously the DSS strictly prohibits the storing of CVV. The travel agent and their customers are aware of this storage and happy for it to happen as the business model simply breaks apart if suppliers cannot be paid immediately and automatically. The platform does not store any consumer credit card information and will never do this, but we can’t find a way to avoid holding corporate card details to support our clients’ ways of doing business.
The following diagram illustrates the payment sequence in this sort of transaction: http://i.imgur.com/9aZd4f7.png
How do we retain support for this business model but pass our PCI audit?
I have passed it along to the group.
I don’t have any pressing questions; is it okay if I come to listen and learn from the conversation?
Always!
Will this event cover PCI Logical Card production as well or focus on PCI-DSS only?
Any PCI issue is open for discussion.
Hi!
Due to other engagements I will not be able to attend the webinar; however, I have a couple of questions regarding scoping of network infrastructure.
In a network that handles CHD, how would you classify a Layer 2 switch having a VLAN that is used for transmitting CHD traffic? Will this be a PCI category 1 device, i.e. anything that is connected to a switch port, regardless of what VLAN is configured on the port, will be “infected” and become part of the PCI scope, or is it possible to scope the switch as category 2, meaning it is not infectious?
Related to the same conundrum, how should a firewall where you have CHD traffic traversing some interfaces be classified? Classifying it as category 1 (infectious) has quite large implications on the PCI scope, since you will not be able to descope anything unless you have at least dual firewalls between your PCI environment and the “not-in-scope” environment.
Br
/J
I have passed your question along to the “Dream Team” and will answer it during our session.
While I’d love to, that would be during work hours with the company identifiable via the IP address and management would frown on that since there are no NDAs in place. If you’ll take a question in written form, presuming you will post a link to the archive or something, here goes:
We use a managed MPLS system for remote office connectivity back to the data centers. This particular MPLS service was listed on the Council’s Service Provider page when we signed up years ago and they provide an AOC, so they are PCI compliant. The MPLS connectivity is via “private” T-1s with a backup Internet VPN DSL circuit. While the vendor provides the Internet VPN device in our remote offices and manages it fully, it is in fact an Internet circuit. We contract with the local Internet provider for the “first mile” connectivity to their MPLS “cloud”.
So it is a “PCI Approved” service but it is a public IP address that we and not the vendor contracted for. There is no option for the vendor to provide the “first mile” DSL connectivity because of our locations.
Question: Do WE have to perform a quarterly ASV scan of each remote office’s DSL Internet connection?
We did have them scanned when they went in years ago and there were no open ports inbound at all. There are internal factions on both sides of this issue. The (very large) MPLS vendor is just silent on the question when we ask. Having to ASV scan dozens more IP addresses would really raise the costs.
Sent your question on to the “Dream Team”. Thanks.