
The PCI DSS compliance rules say that if we use any computers to take card payments via a web-based virtual terminal, then those PCs must be isolated from the rest of the IT network (otherwise the entire IT network comes under the scope of PCI compliance).

We need multiple people in a call centre to be able to take customer card payments over the phone using the virtual terminal. The trouble is those people will also need access to the rest of the IT network in order to do the rest of their job functions.

Is there any practical way to implement this? All I can think of is either extending the scope of PCI compliance to the whole network (which I would like to avoid) or providing each person with two PCs - one for the main part of their job and the other just for the card payments over the virtual terminal.

Does anyone have any practical experience of implementing this?

Simon White
  • My understanding (and I don't have a lot of experience here, so I'm only leaving this as a comment) is that you can just have machines that need to do this on a separate VLAN from machines that don't need to accept payments, where there is a default deny ACL policy on whatever handles routing your inter-VLAN traffic for packets to and from that VLAN, so those machines only have access to what is absolutely necessary. – Joel Coel Jul 10 '15 at 03:55
  • Yes, by segmenting the network we can reduce the scope of the PCI compliance to just those PCs that access the virtual terminal - thus limiting the compliance burden. The thing I'm struggling with is that we have a sales team of many people and they all need access to both the virtual terminal and the rest of the network. So is there a practical solution where we don't have to have two PCs, two keyboards, two mice, two monitors for every salesperson? – Simon White Jul 14 '15 at 20:39
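The following is an added example, not part of the original question or either commenter's words, that models the default-deny inter-VLAN policy described in the comments above: an explicit allow list for what the virtual-terminal VLAN may reach, nothing permitted into it, and everything else dropped. It evaluates a handful of constructed flows against that policy and renders the same policy as an nftables forward chain for a Linux box doing the inter-VLAN routing. The VLAN ranges (10.20.0.0/24 for the payment workstations), the resolver address and the payment provider's gateway address (203.0.113.10) are all assumptions chosen for illustration.

```python
"""Model of a default-deny inter-VLAN ACL for a PCI virtual-terminal segment.

Constructed example: all addresses below are assumptions, not taken from the
original question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PCI_VLAN = "10.20.0.0/24"       # assumed: virtual-terminal workstations (in scope)
RESOLVER = "10.0.0.53/32"       # assumed: internal DNS resolver the PCI VLAN may use
VT_GATEWAY = "203.0.113.10/32"  # assumed: provider's virtual terminal (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Explicit allow list for traffic leaving the PCI VLAN. Nothing is listed for
# traffic into the PCI VLAN, so the corporate side cannot initiate to it.
RULES: List[Rule] = [
    Rule("accept", PCI_VLAN, VT_GATEWAY, "tcp", 443),  # HTTPS to the virtual terminal
    Rule("accept", PCI_VLAN, RESOLVER, "udp", 53),     # DNS needed to reach it
    Rule("accept", PCI_VLAN, RESOLVER, "tcp", 53),
]
DEFAULT_VERDICT = "drop"


def matches(rule: Rule, flow: Flow) -> bool:
    """True if every field of the rule covers the flow."""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(flow: Flow, rules: List[Rule] = RULES, default: str = DEFAULT_VERDICT) -> str:
    """First-match evaluation; an unmatched flow gets the default verdict (drop)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def to_nft(rules: List[Rule] = RULES, default: str = DEFAULT_VERDICT) -> str:
    """Render the policy as an nftables forward chain for a Linux inter-VLAN router.

    The conntrack line lets replies to permitted connections return without a
    reverse rule; the chain policy carries the default deny.
    """
    lines = [
        "table inet pci_filter {",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {default};",
        "    ct state established,related accept",
    ]
    for r in rules:
        if r.dport is not None:
            l4 = f" {r.proto} dport {r.dport}"
        elif r.proto != "any":
            l4 = f" meta l4proto {r.proto}"
        else:
            l4 = ""
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{l4} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows a policy review should check; only the first two should pass.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "pci_to_virtual_terminal_https": Flow("10.20.0.15", "203.0.113.10", "tcp", 443),
    "pci_to_resolver_dns": Flow("10.20.0.15", "10.0.0.53", "udp", 53),
    "pci_to_corp_fileserver_smb": Flow("10.20.0.15", "10.10.0.40", "tcp", 445),
    "corp_to_pci_rdp": Flow("10.10.0.40", "10.20.0.15", "tcp", 3389),
    "pci_to_virtual_terminal_plain_http": Flow("10.20.0.15", "203.0.113.10", "tcp", 80),
    "pci_to_other_internet_https": Flow("10.20.0.15", "198.51.100.7", "tcp", 443),
}


def verdicts(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, str]:
    """Verdict for each named sample flow under the policy."""
    return {name: evaluate(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:40s} {verdict}")
    print(to_nft())
```

Two caveats a practitioner would add before applying anything like this: the allow list has to cover every host the virtual terminal page actually loads from (providers often serve from several names, and their addresses can change), so the real rules are usually built from the provider's published address list or enforced by a proxy that allows by hostname; and the nftables rendering only applies if a Linux host routes between the VLANs. On a layer-3 switch or firewall the same allow-then-deny policy is written as that device's ACL, and the "established,related" line becomes the device's stateful or reflexive equivalent.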

0 Answers