PCI compliance and outside contractors

Anyone allow outside telemarketing/telefunding people access to live Tessitura data from offsite through a VPN? Doesn't seem like that would pass PCI.

Thanks

  • Maybe someone from the RAMP team can speak to this more clearly, but I don't think that necessarily conflicts with PCI.  All organizations using RAMP have all of their users connecting through a VPN and that side of things is the least of our PCI issues. The outside firm would need to be PCI compliant within their own office (policies and procedures). But for the VPN connection itself, you should be able to make the security PCI compliant.

  • Thanks for the reply Levi. My understanding is that when an outside person connects to our network with their network, which happens with VPN, I am now responsible for making sure their network is compliant as well. I don't know what their security policies are, their antivirus, if they will share the password, leave it open at a desk all day, etc. It just seems like I am opening my network to someone (who yes is PCI compliant) that I have no oversight or control of.

    I don't know the details of RAMP, but I assume they are connecting to their own "network" on the RAMP end and that each of those networks would be segregated from each other.

  • My understanding of the situation is that any service provider that has access to the cardholder data environment needs to provide you with their own PCI compliance paperwork.  It is not up to you to police their environment, but it is reasonable to expect a compliant questionnaire from them.

  • Ah, that will allay my fears if I can see their questionnaire. Many thanks to both of you.