After all that...
I battled with my credit card processor regarding PCI, some type of testing they require every quarter to make sure no one can hack into our system and steal credit card data streams (we don't store card numbers).
The process to become compliant takes days with the processor and my IT guy. If you don't, they fine you $250/yr and I get the liability if there is a breach (seems pretty silly for a small company like mine).
During this process, they decided the VPN tunnel I've had for years and discussed here was a huge liability! So I had to ditch it in favor of an RDP, whatever that is (not the acronym but the mechanics of it).
The RDP seems a bit faster and easier to connect.
However to protect the laptop while at an airport or hotel I have to RDP into my server and surf on the server desktop.
I'd be interested in your input on this development.
RDP is “remote desktop protocol,” and they can’t be saying they want you to connect via RDP without having a VPN to encrypt the data flow.
We have a hardware-based VPN in order to get access to the network, then run work on an RDP session, connecting through the VPN.
The banks have simply figured out a way to make “security” a revenue stream. The “security” companies they hire to audit merchants, love them.
What they’re saying is that they trust your office machine more than they trust your laptop that wanders networks.
As far as the RDP solution goes, it’s probably using the built-in Microsoft encryption PLUS RDP. The RDP part is just Remote Desktop control of the office machine. It’s really the built-in encryption of the RDP service that’s providing essentially the same security as a VPN for data in transit.
However, a full VPN opens up your entire office network to whatever nasties the laptop got when done wrong (no network isolation / limitations on what the laptop can access) and the RDP (if configured correctly) doesn’t.
Of course RDP also has file sharing and other things built-in that have to be disabled for this to all apply.
PCI is a joke. But it’s the game we all have to play to process credit cards. Banks themselves don’t even implement it. They just require it of others. The internal practices of most banks would curl your toes. But they get to do as they please because they’re the ones eating the loss, ostensibly.
The super short version of the above is:
“Your laptop now connects only to a Remote Desktop session securely instead of connecting to your entire office network. We like that more.”
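As an added example (editor's code, not from any poster in this thread), here is a PowerShell audit of the RDP listener settings the reply above depends on: TLS as the security layer, Network Level Authentication, the session encryption level, and the drive, clipboard and device redirection features that have to be switched off. The registry paths are the standard Terminal Services ones; the "wanted" values are the editor's choice of a hardened baseline, not anything the thread specifies.

```powershell
# Added example: check whether an RDP host is configured the way the reply above assumes
# (encrypted, authenticated, and with redirection of laptop resources disabled).
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each check: registry path, value name, the value a hardened host should have, and why.
# The Want values are the editor's hardened baseline (an assumption, not from the thread).
$checks = @(
    @{ Path=$listener; Name='SecurityLayer';      Want=2; Why='TLS required (0=RDP, 1=negotiate, 2=TLS)' }
    @{ Path=$listener; Name='UserAuthentication'; Want=1; Why='Network Level Authentication before a session exists' }
    @{ Path=$listener; Name='MinEncryptionLevel'; Want=3; Why='High (3) or FIPS (4) encryption for the session' }
    @{ Path=$policy;   Name='fDisableCdm';        Want=1; Why='Drive (file) redirection disabled by policy' }
    @{ Path=$policy;   Name='fDisableClip';       Want=1; Why='Clipboard redirection disabled by policy' }
    @{ Path=$policy;   Name='fDisableLPT';        Want=1; Why='LPT port redirection disabled by policy' }
    @{ Path=$policy;   Name='fDisablePNPRedir';   Want=1; Why='Plug and Play device redirection disabled by policy' }
)

function Test-RdpHardening {
    foreach ($c in $checks) {
        # Missing key or value reads as $null, which is reported as "(not set)" and fails the check.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = if ($c.Name -eq 'MinEncryptionLevel') { ($null -ne $actual) -and ($actual -ge $c.Want) }
              else { $actual -eq $c.Want }
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Wanted  = $c.Want
            Status  = if ($ok) { 'OK' } else { 'FIX' }
            Meaning = $c.Why
        }
    }
}

# Run elevated on the office machine that accepts the RDP session.
Test-RdpHardening | Format-Table -AutoSize
```

Anything marked FIX means the laptop could still pull files, clipboard contents or devices across the session, which is exactly what the "RDP instead of a full VPN" argument relies on being blocked.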
We did this differently. The accounting dept is completely isolated from the entire rest of the company. They bought software that processes their card transactions on a separate server from their main accounting server via secured tunnel between the two. Being on their network doesn’t give them any access at all to their server other than through the client software. They have no access to the database or anything else on that server. If they ask that server to process a payment it contacts the other server to do it. That second server lives at AWS and is completely separated from the other AWS resources also.
This meant they can have VPN access from whatever they want. They’re three completely blocked layers away from the card processor. Their VPN auth knows they work in accounting and still limits them to their little fully quarantined network. Even their file sharing and printers and WiFi VLAN are theirs.
I can think of ten ways to hack it. But it makes their PCI merchant auditor happy.
We have other things in place that add more security that their auditor doesn’t even care about. Even the admins can’t join their VLAN without all the senior admins knowing about it.