Hello Tessiturians,
This is mainly for those of you who have become PCI compliant and are still using Tessitura to process credit card payments... How have you managed to do it?!?
The scope of PCI says that the card data environment includes any systems that store, process and/or transmit cardholder data. A lot of people seem to be trying to de-scope by turning off card storage, but in my opinion, and that of 2 QSAs that visit us, this isn't the case. By that definition any machine that has Tessitura installed must be PCI compliant. We did try to get around this with our QSA by suggesting Citrix Xen App, whereby the application is running on a remote server, and all communication is encrypted; the user can't even copy and paste out of the Xen App. However, the QSA advised that since the user is still entering the card number on that end machine, it is still in scope... how are other people solving this?
The second one, which was recently sprung on us...according to requirement 1.2.1:
"Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment."
The QSA recently advised that this would basically mean, only Tessitura could be on the machine, as things like email and "general" internet access could not be deemed necessary for the cardholder data environment. The suggestion to resolve this was to put a machine in the room that had email and Internet but this completely ruined our communication lines. How are people resolving this issue?
We are starting to really struggle with this, and putting it off really isn't an option anymore as we are being pressed by our merchant bank. Does anyone have a magic PCI compliance pill or something?!?
Hi Simon
I know we have both email and web filters (proxy) set up so all email and web traffic is monitored and restricted as necessary, as both email and internet are required by the Box Office (customer queries and web ordering issues) and other teams that need access to Tessitura for their jobs.
Mark
Hi Mark,
Were those signed off by a QSA or have you self-certified those?
I would argue against the QSA for use of XEN APP, as you do not process and/or transmit data from that workstation. You are doing it from your data center (in scope).
Snip from Citrix chief security strategist:
'The Citrix ICA protocol encrypts the communication channel between the user and the application, giving encryption (and strong authentication, if required) to any type of application and console access. XenApp also virtualizes and isolates the application from anything that may be running on the client, allowing even for control over local copy, paste, print, and local drive usage.' This clearly meets the spirit of Requirement 2.3.
http://security.networksasia.net/content/how-would-you-meet-pci-requirement-23-when-it-comes-terminal-service-or-rdp-sessions
And having other programs installed on your PC, e.g. email, office etc., should make no difference as you are not processing anything from the PC (the PC is not in scope).
Hi Wayne,
I completely agree, and argued the case for XenApp, though apparently 2.3 is for administrative access, not normal user access. He agreed that it took our interim network out of scope because the traffic was encrypted, but gave the example: if a keystroke logger managed to find its way onto the end user machine, it could collect as many card numbers as needed, and because the end machine may not be as secure, they could be sent out. In addition it wouldn't protect from a malicious user sending card numbers out by email. We discussed back and forth over several days and in the end it came down to... "If an end user device is being used to enter card details, it's processing and transmitting them, and therefore is in scope."
The counter argument is that's what automatic patching of windows and Antivirus software on all the PCs, Servers and external facing application and web servers is for, which is kept up to date and the users cannot disable it, therefore trojans and viruses cannot get onto the users PC. (Requirement 10)
The fact is the user device is not being used to process or transmit. No processing happens on the PC and no transmission happens from that PC, therefore it does not fall into scope. Where you enter the card details is irrelevant, as that isn't what PCI states nor is it in the spirit of what PCI is trying to achieve. (I feel your pain!)
There is always an IF in their answers.
A full dumb terminal could be used for anyone that wanted Tess and Office access, as I'm sure they don't fall in scope. All applications are via XenApp. There must be a way of laying servers out so this would work.
Is this doc any use (you've probably read it already)? To do with virtualisation and PCI:
https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
I'm at a virtualisation conference tomorrow in Birmingham. I will make it a point to find someone from Citrix and ask them this point.
Thanks Wayne,
We're moving Tessitura off of our virtual infrastructure onto its own physical hardware (also virtualised) to separate out the CDE. At the moment it looks like we may be putting a domain controller and Exchange server onto that box as well, and delivering it all via Citrix Desktop.
I did reference that document when trying to argue our case but he said that essentially the end-user device is mixed-mode because it contains both in and out of scope components.
It would be great if you could speak to someone and get a definite answer. Thanks very much for your help.
When I spoke to the rep from Citrix about this, he agreed the QSA is wrong based on what you've said here. He said RBS use XenApp to access their systems (to name one), amongst a quarter (? I forget the figure he quoted) of the top 500 companies.
He did say the hypervisor is in scope and can't be shared without bringing the other apps/servers in scope (which I think you've mentioned above). So too is the stretch of network that side of your firewall etc.
See if you can get a PCI statement from Citrix about XenApp/Desktop. As far as I'm aware, you certify your company is compliant, reinforced by the QSA statement. If that is his only issue and you've a statement to counter him from the software creators, I'd say well done.