5 Replies Latest reply on Mar 24, 2016 11:59 AM by andrew

    PCI + Credit Card Gateway + Virtualization

    andrew Tracker

      Wondering if anyone out there has addressed PCI v3 with the Pharos Credit Card Gateway, particularly with servers in a clustered virtual environment (the hosts are clustered, not the guests).

      Where I'm coming from:

      We have implemented this, but are now being told that we are going to have to move the servers off of our VMware cluster into a physical environment in order to be PCI v3 compliant. We are told this by our internal Information Privacy Security Office, and the PCI QSA they have hired agrees. The facts as we see them boil down to a disagreement over whether the Gateway constitutes a "redirect server". We argue it does not, as there is no "redirect" as defined by the IETF. It is, pretty straightforwardly, a link, the same as any other link a person would click on the Internet. "They" argue it is a redirect, and therefore as of PCI v3 "within scope", and therefore subject to the same rigors as we would face if we actually stored payment card data.


      What I want to find:
      I am having a hard time believing everyone out there who has invested in the virtual environment has migrated back to physical in order to meet PCI v3 requirements, and would love to find someone who has fought that fight who could point me toward a strategy, especially one with documentable precedent. So far, the documents I have found issued by PCI to address virtualization date from 2011: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf Though I have only begun to review it, I assume its information is out of date at best, and misinterpreted by our IPSO and their thugs, er, Qualified Security Assessors. VMware has worked very hard to ensure their product does not fall out of favor among vendors needing PCI compliance.

      I am also having a hard time believing Pharos will continue to sell the gateway if the Payment Card Industry really meant for this to be handled this way, and, again, would love to find a documentable refutation of the idea that they did. In addition to the cost of the Gateway, now I'm expected to re-invest in at least 2 physical servers (I have none in my environment), re-invest in a SQL-capable backup solution, and repurchase my operating systems; this is going to cost me somewhere in the neighborhood of $15,000 at a minimum. Plus the cost of the Gateway purchase (well, technically, we already bought that, but now it's going to be rendered useless).


      I intend to try to hit up VMware on this as well, but I am hoping for returns from the Pharos world, too.

      Thank you for reading.

        • Re: PCI + Credit Card Gateway + Virtualization
          Steven English Guide

          Andrew,


          I contacted PayPal's integration team (855-684-1965)* and reached someone stateside who was in Merchant Services (or so I was told) with whom I was able to discuss this question in relative depth.


          To summarize, I was told that adding a button - which is essentially just a hyperlink - does not constitute a liability shift of any kind with regard to now being categorized as a "redirect server", because no credit card or financial data is ever viewed by us. It was clarified that the "redirect server" in your question differs from the link provided by Pharos, as some of PayPal's customers actually receive credit card information and then pass that information upstream to PayPal.


          IF that were the case with Pharos, then Pharos would fall in scope, but all Pharos does is provide a payment button that links the user to PayPal. Pharos never sees any sensitive data, just a transaction confirmation that originates from PayPal and comes back downstream to the Pharos server. He was quite clear that PayPal handles the scope of PCI compliance, and using a payment button is definitely OUT of scope, regardless of how it looks.


          Regards,

          Steven


          *Edit: PayPal Merchant Services 888-215-5506 (option 3 for engineering team?)

            • Re: PCI + Credit Card Gateway + Virtualization
              andrew Tracker

              Awesome feedback, Steven. And for what this is worth, I agree with what you have said.

              However, so far I have had numerous (2 in-house, 1 "external", all with PCI QSA published opinions) reviews of this situation, and have been advised each time that the "button" as employed in the Pharos Gateway does, in fact, constitute "in scope" as a "redirect server" for PCI v.3 because of the (hidden) hyperlink being subjected to "man in the middle" or other hijack tactics if the server were compromised, and as such, must be segmented off from the network, firewalled, removed from the virtual environment, etc. etc. etc. I'm sure you can find the PCI v.3 documentation for yourself. While I have vehemently and boisterously objected to this, hired guns with the opposing view, especially since they have the backing of our internal auditing team, override common sense and all available documentation. I would love to see Pharos issue an official statement (white paper), or better yet 3rd party statements (I would think PayPal might be on board), standing behind their assertion that I could use on my side in this argument. Alas, none exists. As such, we are probably going to stop using the Pharos Gateway (our plans for expansion have already been blocked by our internal auditors on the claim that it would affect our servicing rates). This is sad for a number of reasons, including but not limited to the fact that we will no longer be able to offer this service to our patrons. The worst part of all this is the fact that every bit of this is precipitated by the CYA mindset: we don't want to be the source of a breach of our patrons' data, but we surely don't want to be BLAMED for it; our auditors cover theirs because they don't want us to pass any liability on to them; Pharos doesn't issue any statements because they don't want any liabilities... I'm sure you can see the circle of joy here.


              Thank you so much for bringing this to my attention, and for affirming what I know to be true. If only I could convince our auditors (and their hired guns)...
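The hijack concern Andrew's reviewers raise (the button's hyperlink being altered on a compromised server) is something the serving side can monitor for. As an added example, not code from this thread or from Pharos or PayPal, the Python check below parses a served page and flags any outbound link or form action that is not an HTTPS target on an allowlisted payment host; the allowlist, URL paths and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts a payment button is allowed to hand the patron to.
# Constructed allowlist for illustration; confirm the real set with the processor.
ALLOWED_PAYMENT_HOSTS = {"www.paypal.com", "paypal.com"}


class _LinkCollector(HTMLParser):
    """Collect every <a href> and <form action> target found on a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))


def check_payment_targets(page_html, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """Return (kind, url, reason) for each outbound target that is not an HTTPS
    link to an allowed host. An empty list means the page's hand-off is intact."""
    parser = _LinkCollector()
    parser.feed(page_html)
    findings = []
    for kind, url in parser.targets:
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # relative, same-origin link: not the payment hand-off
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append((kind, url, "not https"))
        elif host not in allowed_hosts:
            findings.append((kind, url, "host not in allowlist"))
    return findings


# Constructed sample: the button as a plain hyperlink to the payment host.
CLEAN_PAGE = (
    '<html><body><a href="/help">Help</a>'
    '<a href="https://www.paypal.com/button-placeholder">Pay now</a></body></html>'
)
# Constructed sample: the same page after the href was altered on the server.
TAMPERED_PAGE = CLEAN_PAGE.replace("https://www.paypal.com", "http://pay.example.net")
```

Run the check from a host outside the web server (a scheduled fetch of the live page) so that a compromise of the server does not also silence the monitor.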

              • Re: PCI + Credit Card Gateway + Virtualization
                andrew Tracker

                For anyone else out there, hopefully who is just starting out, it appears some clarity HAS been provided since I started this project. Here is an image of the meat of the information at pcicomplianceguide.org:

                [Image: Paypal_and_the_PCI_DSS.jpg]

                It points to this document, which contains this cute chart:

                [Image: PCI_SAQ_Diffs.jpg]

                which suggests one looking to implement Pharos Credit Card Gateway should fill out the PCI SAQ A form, found here (this document has changed substantially since the last copy I had of it, and the "before you begin" section has been made much more clear -- one lesson to take away from my experience: always check for newer versions of the document).

                Perusing that form, when using the "PayPal Payments Button", as is done in Pharos Credit Card Gateway, it largely consists of checking "N/A" and getting someone to sign off that you're compliant. Finding that someone may be the real bear. Also, if you did not know (as I did not until about 20 minutes ago), you can now use the "Fill & Sign" facet in "Adobe Reader DC" or newer to fill in text and checkmark fields. There are also lots of other nifty tools in there that I know nothing about, but which might be of interest (e.g. "Send for Signature" seems quite applicable).

                I hope this is helpful to someone, if not myself, who is looking to put Pharos Credit Card Gateway into production.

                By the way, as to the "virtualized server" business... I have done no further research, as our concern is NOT PCI DSS "in scope", and further attempts to concern myself with that will obviously be less-than-fruitful, given that I would be working to resolve a problem which does not exist. For those in my organization who ARE concerning themselves with this, they are looking at building an entire VMware cluster specifically to BE PCI compliant, which is probably the right answer where necessary, though not technically required if what I read about VMware's product is accurate.

                As always, any information contained herein is purely for entertainment purposes, etc.

              • Re: PCI + Credit Card Gateway + Virtualization
                Steven English Guide

                Also, here is a link to the Version 3.0 documents from November of 2013.

                https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf


                Regards,

                Steven