DMZ and PCI


Hello everyone,

I'm wondering how people are reading PCI requirement 1.3, which states:

"Prohibit direct public access between the Internet and any system component in the cardholder data environment."

Transcend communicates through the Internet for authorization so is this in violation of this requirement?

Also items 1.3.1 - 1.3.8 talk about the use of a DMZ. Do you think this is saying that a DMZ is required?  We don't have one now. Our web server is co-located. Our API and credit card server are behind our firewall. How do you all read this requirement?

Gloria

  • This is just my interpretation but I believe that direct public access means access inbound from the entire WAN.  The API server only needs inbound access from your colocated webserver so it does not have direct public access.  Your credit card server only performs outbound connections and it shouldn't have any ports opened inbound from the WAN (except possibly from your webserver) so you should be OK. 

    That being said...  The cardholder data environment includes every machine on the same subnet as the Tessitura servers.  If you allow direct access to any machine on your internal network that would be a violation and that machine should be moved to a DMZ.  An example would be a mailserver that allows the entire WAN incoming access to port 25.

    Again this is my interpretation.  Hope it helps.

    -Rich
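One way to check a perimeter ruleset against the interpretation Rich gives above (inbound access from the whole WAN into the CDE subnet is a problem; inbound access from the single colocated webserver is not). This is an added example, not code from the thread or from Tessitura: the CDE subnet, the webserver address and the rules are constructed values, and "trusted sources" is an assumption of this check, not a PCI definition.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the CDE subnet holding the API and card servers.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")

# Sources that are not "the public Internet" for this check: RFC 1918 space
# plus the single colocated webserver (constructed address).
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.10/32",  # colocated webserver
)]

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR as the perimeter firewall sees it
    dst: str     # destination CIDR or single host
    port: int    # TCP destination port (0 = any)
    action: str  # "allow" or "deny"

def is_public_source(src: ipaddress.IPv4Network) -> bool:
    """A source is public unless it fits entirely inside one trusted block."""
    return not any(src.subnet_of(t) for t in TRUSTED_SOURCES)

def direct_public_access(rules: list[Rule], cde_net=CDE_NET) -> list[str]:
    """Names of allow-rules that let a public source reach any CDE address inbound."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        # overlaps() catches broad destinations (e.g. 10.0.0.0/8) as well as exact hosts.
        if is_public_source(src) and dst.overlaps(cde_net):
            findings.append(r.name)
    return findings

# Constructed ruleset mirroring the thread: webserver -> API is fine; a mail
# server on the CDE subnet open to the whole WAN on port 25 is not.
RULES = [
    Rule("web-to-api", "203.0.113.10/32", "10.20.0.5/32", 443, "allow"),
    Rule("wan-to-dmz-web", "0.0.0.0/0", "10.30.0.0/24", 443, "allow"),
    Rule("wan-smtp", "0.0.0.0/0", "10.20.0.25/32", 25, "allow"),
    Rule("deny-rest", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    print(direct_public_access(RULES))  # ['wan-smtp']
```

The check only models inbound rules at the perimeter; the card server's outbound-only posture that Rich describes would be verified separately against the egress ruleset.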
