To: NIS Flash Contacts (Financial)
DASACC Financial Contacts
From: Paul Carlson
Date: 07/06/2007 12:29 PM
Subject: Clarification from June 15th’s Meeting
To: State Agencies Accepting/Processing Credit Cards for payments
RE: Payment Card Industry Data Security Compliance (PCI)
FROM: Michelle Raphael, AAP, CTP
Treasury Management Director
NE State Treasurer's Office
Phone 402-471-4146
Please read the below two questions and answers. The questions were raised by agency staff at the June 15, 2007 PCI meeting. First National Merchant Solutions (FNBO) contacted Visa on behalf of the State of Nebraska.
Below is Visa's response to the questions from the June 15th meeting:
Question: Regarding Section 2.2.1 - Please better define the meaning of "Web Servers"?
Based on PCI DSS definitions a server is defined as follows:
Server: Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP.
Section 2.2.1 is really referencing the limitation of servers, as defined above, to the implementation of one role. This requirement eliminates the possibility of one server providing more than one server function. So a web server would be a server that was set up primarily to access the internet.
Question: Section 6.6 - Please better define 'application-layer firewall'? Is there a list of approved 'applications' available?
Based on PCI DSS definitions a firewall is defined as follows:
Firewall: Hardware, software, or both that protect resources of one network from intruders from other networks. Typically, an enterprise with an intranet that permits workers access to the wider Internet must have a firewall to prevent outsiders from accessing internal private data resources.
Based on PCI DSS definitions an application is defined as follows:
Application: Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications.
Section 6.6 references web-facing applications and installation of an application layer firewall. This would mean that any application that is web-facing (provides access to the web) must have a firewall (as defined above) installed at this application level. As to whether a specific firewall is recommended, the associations and PCI Co. do not advocate a certain system. However, there are the QSAs (Qualified Security Assessors) identified by the associations and PCI Co. that should be engaged to assist the merchant in determining the best applications and/or software for the individual merchant.