Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Credit Card Terminal

  1. #1
    Junior Member kdiggity317's Avatar
    Join Date
    Aug 2008
    Posts
    70

    Default Credit Card Terminal

    At my work we just got new credit card terminals that run over the network rather than the old-school dial system. This kinda posed a few questions to me and this is the only place I could turn to answer them. I was wondering if anyone knows anything about them. Such as, do they encrypt the number on the card as well as the rest of the info before sending it over the network? Also, would they still run if a program like ettercap or Wireshark were to be running? I have no intent on asking if anyone knows how to make any programs like that run or anything; that's a bit too black market for me and I'm not one for doing jail time. I as well as my boss just want to make sure that our customers don't have anything to worry about. We have done all the steps to secure the network to the best of our abilities, like making it a WPA key that has alphanumerics and really is not a word or anything of the sort. So like I said, just a question I thought I would post up to see what comes about.

  2. #2
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    If it's worth a crap it's using a VPN connection back to wherever it's sending the data.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  3. #3
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    I am interested in the answer too. My local bakery asked me to look into this for them. I started looking and it appears that they will need to purchase a credit card machine and an account.

    I was just looking at http://merchantwarehouse.com/credit_...card_terminals
    and several have dual (dial-up and IP) connections. I was wondering, if a dial-up unit was plugged into a telephone line and was called, whether the unit would pick up or ring. My guess is no to both. I was also wondering about where to place these terminals on the network. Should they be on the same segment as the accounting PCs? Should they be on a segment all their own? Can they handle being NAT'd?

    Thanks,
    I like the bleeding edge, but I don't like blood loss

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Put a tap on the Ethernet line on the reader and capture its traffic; see if it's sending out data in plain text. If it is, call the CC company and raise hell.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    I haven't done anything with CC machines in a couple of years, but the last time I looked it was at cash registers (really just specialized PCs) with a built in mag-card reader. The info (cardholder's name, cc number, etc.) was sent on the network in the clear at that point. (And yes, it was a wireless network.)

    With more awareness of these issues and with PCI being a hot topic, hopefully the situation has improved. But I wouldn't bet money on it.
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #6
    Junior Member
    Join Date
    Mar 2009
    Posts
    83

    Default

    Quote Originally Posted by Thorn View Post
    I haven't done anything with CC machines in a couple of years, but the last time I looked it was at cash registers (really just specialized PCs) with a built in mag-card reader. The info (cardholder's name, cc number, etc.) was sent on the network in the clear at that point. (And yes, it was a wireless network.)

    With more awareness of these issues and with PCI being a hot topic, hopefully the situation has improved. But I wouldn't bet money on it.
    I saw a story about that on, I think it was my local news station. They had some guy out in the parking lot sniffing the wireless traffic and getting all kinds of information.

  7. #7
    Junior Member kdiggity317's Avatar
    Join Date
    Aug 2008
    Posts
    70

    Default

    Well, I don't know about the VPN thing; I would have to get hold of the company and find out. I think I might do some testing on it and see what happens: see what kind of info it's sending and what kind of IP it's got. One question I have is, can you hide an IP from the network? As in, if they have an IP (which, if they are on the network, they would have to), can I make that IP hidden so the rest of the network can't see it? I would assume that would be at the router end, but not something I have ever run into at this point.

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by kdiggity317 View Post
    Well, I don't know about the VPN thing; I would have to get hold of the company and find out. I think I might do some testing on it and see what happens: see what kind of info it's sending and what kind of IP it's got. One question I have is, can you hide an IP from the network? As in, if they have an IP (which, if they are on the network, they would have to), can I make that IP hidden so the rest of the network can't see it? I would assume that would be at the router end, but not something I have ever run into at this point.
    When you're dealing with CC information, I'd think the biggest concern would be interception of the traffic, which was the crux of the TJMaxx breach a few years ago. You do not want the CC information transmitted anywhere on your network in the clear. No, you cannot really hide the IP of the device, since it needs to participate on the network. You could put it behind its own firewall, but if it's transmitting data in the clear, then it's a problem.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
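    Post #4 suggests tapping the terminal's uplink and checking whether card data leaves in plain text, and post #8 stresses that card numbers must never cross the network in the clear. The block below is an added example written for this thread, not code from the forum, from any terminal vendor or from a processor: a small Python check that scans captured TCP payloads for Luhn-valid card-number-shaped digit strings (including ones split by spaces or dashes, which a naive 16-digit search misses), flags which destination each cleartext hit went to, and masks the number so the report itself does not become cardholder data. The flow list, the RFC 5737 documentation addresses and the payloads are all constructed assumptions; the card numbers are standard publicly known test values.

    ```python
    import re
    from typing import Dict, List, Tuple

    # Constructed sample flows standing in for a capture taken from a tap or
    # mirror port on the terminal's uplink: (source, destination, TCP payload).
    # Addresses are RFC 5737 documentation ranges and the card numbers are
    # well-known test values; none of this comes from the thread or a real device.
    SAMPLE_FLOWS: List[Tuple[str, str, bytes]] = [
        # TLS record header (content type 0x16, version 0x03xx) followed by
        # opaque bytes: what an encrypted session should look like on the wire.
        ("192.0.2.10", "203.0.113.5",
         bytes.fromhex("16030100a1010000") + b"\x9f\x2c\x41" * 20),
        # Plaintext message carrying a Luhn-valid test PAN: the failure case.
        ("192.0.2.10", "203.0.113.5", b"AUTH|4111111111111111|1225|JOHN DOE|12.50"),
        # Same problem with the digits grouped by spaces.
        ("192.0.2.10", "203.0.113.5", b"PAN=5500 0000 0000 0004 EXP=1225"),
        # A 16-digit serial that is NOT Luhn-valid; must not be reported.
        ("192.0.2.10", "203.0.113.5", b"TERMINAL_SERIAL=1234567890123456 OK"),
    ]

    # 13 to 19 digits, each optionally followed by one space or dash,
    # and not adjacent to further digits on either side.
    PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


    def luhn_ok(digits: str) -> bool:
        """True if the digit string passes the Luhn check-digit test."""
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = int(ch)
            if i % 2 == 1:          # double every second digit from the right
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0


    def mask_pan(digits: str) -> str:
        """Keep the first six and last four digits so the report itself
        never holds a full card number."""
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


    def find_cleartext_pans(payload: bytes) -> List[str]:
        """Return masked, Luhn-valid card-number candidates that appear as
        ASCII digits in the payload. Ciphertext yields none in practice: a
        13-19 digit ASCII run with a valid check digit is very unlikely there."""
        found = []
        for m in PAN_CANDIDATE.finditer(payload):
            digits = m.group(0).decode("ascii").replace(" ", "").replace("-", "")
            if luhn_ok(digits):
                found.append(mask_pan(digits))
        return found


    def looks_like_tls(payload: bytes) -> bool:
        """Cheap heuristic: a TLS record starts with a content-type byte in
        0x14-0x17 followed by the 0x03 major-version byte."""
        return (len(payload) >= 3
                and payload[0] in (0x14, 0x15, 0x16, 0x17)
                and payload[1] == 0x03)


    def audit_flows(flows: List[Tuple[str, str, bytes]]) -> List[Dict[str, object]]:
        """Report every flow that carried a cleartext card number, with the
        peer it went to, so the merchant can take it up with the processor."""
        findings = []
        for src, dst, payload in flows:
            pans = find_cleartext_pans(payload)
            if pans:
                findings.append({"src": src, "dst": dst,
                                 "tls": looks_like_tls(payload), "pans": pans})
        return findings


    if __name__ == "__main__":
        for f in audit_flows(SAMPLE_FLOWS):
            print(f"CLEARTEXT PAN {f['src']} -> {f['dst']}: {', '.join(f['pans'])}")
    ```

    On a real capture you would feed `audit_flows` the reassembled TCP payloads from the tap (for example, exported from Wireshark), and a clean result for the terminal's traffic plus a TLS-looking first record is the outcome you want; any finding means the conversation with the processor that post #4 describes is due.
    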

  9. #9
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    I guess a better question would be, how does a business get into credit card processing? My bakery wants to take credit cards but doesn't want a PC. The units I was looking at (from the URL I posted previously) have integrated printers, so everything is in one unit. What the owner wants is to swipe the card, the customer enters a PIN on the remote keypad (if debit card), the owner hands the receipt to the customer, the customer signs, the owner compares the signature to the CC and hands the card back to the customer. So how does the money get from the credit card company to the owner's account?

    Strictly speaking, with these units I don't think the bakery would fall into having to be PCI-DSS compliant, as the unit just sends the data. Someone else handles the processing. And the bakery doesn't store any of the customers' information. After all, the bakery doesn't have a PC, networking equipment, etc. All the bakery needs is the unit to read the CC and a telephone line.

    Thanks,
    I like the bleeding edge, but I don't like blood loss

  10. #10
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by bofh28 View Post
    I guess a better question would be how does a business get into credit card processing?
    The business's bank should be able to help. Most banks that handle any small business commercial accounts have a "merchants' services division" that will set up and process credit/debit cards. There are also other, independent merchants' services companies, but dealing with the bank gives them a single point to deal with any issues. Have the bakery's owner start by asking his banker about it. It's a fairly simple process.

    Quote Originally Posted by bofh28 View Post
    So how does the money get from the credit card company to the owners account?
    The card payment processor pays directly into the bank account of the business*, usually after a delay of 24 to 48 hours. There will also be a transaction fee and a monthly processing fee. Those will vary according to the amount of money transferred and the number of transactions.

    *Usually, either a checking or savings/money market account. The bank can advise them which is best to use.

    Quote Originally Posted by bofh28 View Post
    Strictly speaking, with these units I don't think the bakery would fall into having to be PCI-DSS compliant, as the unit just sends the data.
    That's a common misconception.

    I would recommend that you become passingly familiar with this subject if you're going to advise clients about it. Giving them incorrect information could be a lot worse than saying "I don't know."

    Merchants who process cards via a standalone dial-up terminal may still have to comply if they or their payment processor adheres to any kind of PCI-DSS standards. According to the PCI Security Standards Council they still have to comply, even if it is only a self-evaluation. In fact, the PCI model "standalone dial-up terminal merchants, no cardholder data storage" falls in the middle (3 out of 5) of the SAQ (Self-Assessment Questionnaire) Validation Types, and should use SAQ B.

    Since the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc., there is a good chance that they will agree to meet these standards if they sign up with a payment processor.

    See the PCI Quick Reference Guide, page 28; and the PCI SSC New Self-Assessment Questionnaire (SAQ) Summary page.
    Thorn
    Stop the TSA now! Boycott the airlines.

