Re: mobile POS system

[Mark Monroe <markm196 () NETSCAPE NET>]

Thank you for all of your comments.

They have been very helpful.

Mark

Memisyazici, Aras wrote:
> Having actually faced this situation 1st hand, please allow me to
> relay my condolences... Believe me I understand your pain my friend!
>
> With that being said, me and my partner in crime did the following to
> satisfy PCI compliance for a mobile station by:
>
> 1) Those that did support being hooked up to LAN via physical cable,
> were in fact converted.
>
> 2) Those that WEREN'T capable, we bought a Linksys router, put OpenWRT
> on it and configured it to negotiate @ WPA2-AES/PSK and enabled the
> built-in FW features (way more capable & smarter than the std. one) on
> the router as well as ensured 1-to-1 NAT (given our current
> wired/wireless network infrastructure and the way the mother-app was
> designed this was a necessity) had only the absolute minimum required
> ports being forwarded. The router of course was plugged into the LAN
> uplink-wise and physically secured so noone could interrupt it's
> functionality
>
> 3) The client was Embedded XP based (*shudders*) so, we setup stunnel
> on it with a 4096-bit key for the port(s) it communicated on, then
> d/l'd and installed Comodo FW and (disabled the joke-of-a-win-fw) set
> it up to only allow traffic from the 'server' and no where else.
>
> 4) Ensured physically it was inaccessible by placing it in a lockable
> podium and located it in a public area so that if anyone attempted to
> tinker with the lock, it would grab attention.
>
> 5) Locked down the system via Local Security Policy and ensured
> passwords were long, complex and salted!
>
> 6) On the server setup stunnel to receive said traffic with
> corresponding key.
>
> With all of the above in place, informed the mgmt that best practice
> was to NOT use the system, only for when absolutely necessary... And
> to take it down as soon as the need was satisfied.
>
> We passed our internal audit that way (which as Valdis pointed out is
> a group of infosec pros that are EXTREMELY hard to convince on
> anything :p )
>
> Hope this helps,
>
> Aras "Russ" Memisyazici
> Systems Administrator
> CISSP, GCIH, GCIA, GCFA Trained
>
> Office of the Vice President for Research
> Virginia Tech
>
>
> P.S. This year an outside PCI approved auditor is coming apparently...
> (I've recently been promoted to another dept. and am thankfully no
> longer responsible for PCI compliance!) I'll keep my eyes open on that
> and let you know how it goes!=