phoneSWIPE is cool, so you get one.
Then you get this email from "PanopticSecurity" on behalf of "North American Bancard", telling you that you need to complete a PCI compliance questionnaire.
The very first page of the questionnaire asks you what kind of credit card processing system you're using. At the moment, phoneSWIPE is not even listed on the page. Anywhere.
So you take a stab at it, and end up going through a tedious and time-wasting questionnaire with loads of questions you're pretty sure don't even apply.
Finally at the end, PantopticSecurity helpfully tells you that you require quarterly external "network scans" which they can oh so helpfully do for just $60 a year. But if you did your homework before you joined phoneSWIPE, you knew that phoneSWIPE encrypts the cardholder data on the swiper and you shouldn't need network scans.
I had a frustrating time trying to complete the questionnaire, and a frustrating time with their text chat staff, who initially sent me down the wrong track.
What they told me in the end is that if you use phoneSWIPE on a cell phone running over 3g or 4g (i.e. not running via ADSL, cable internet, or some other wired or wireless shared internet connection), then at the very start of the process you need to say you have a dial-up credit card processing system. Dial-up. Yeah, like an Android 4.2 phone with a sophisticated phoneSWIPE audio port dongle with built-in encryption is dial-up. But that's what they told me.
They also told me that if you dare actually ever use your office wifi for credit card processing, you do have to go through the ridiculously long questionnaire with a zillion questions that seem entirely irrelevant and which ends with them absolutely insisting you must spend the $60 annually for external network monitoring. I suspect it's a rip-off, but I'll end my investigations here since at least I've determined that rip-off is inapplicable in my case.
Chat transcript, to shame Panoptic Security for making such a confusing system. (I'll give them points for a) the politeness of the text chat operator, even if they at least twice were clearly not paying attention to what I said; and b) for a few things in their questionnaire that make it clear they're trying to make it less onerous ------- but unfortunately they need to do a WHOLE LOT BETTER at least when it comes to phoneSWIPE customers.)
[Natasha] Hi, my name is Natasha on the PCI DSS Program Help Desk. How can I help you today?
[Me] This is an extremely confusing questionnaire. We have a phoneSWIPE device, but it is not in the list of options to choose from at the outset of the questionnaire.
[Me] So I tried to answer the questions as best I could, and now I'm being asked a gadzillion questions that I'm pretty sure are irrelevant.
[Natasha] is your phone swipe connected to your wifi or 4g network?
[Me] 3g Verizon network
[Me] For example, I've just come to this one : "Since your payment applications do handle sensitive authentication data, are processes in place to securely delete the data and to verify that the data is unrecoverable?" Um, no actually, I was told that the cardholder data is encrypted within the phoneSWIPE device, meaning that there is no way anything on my Android phone could ever decrypt it. It goes encrypted from the phoneSWIPE device over to the back-end processing systems. So why is this question assuming that my "payment applications DO handle sensitive authentication data"?
[Natasha] Is that the phone internet?
[Me] 3g Verizon network is the internet the phone uses, if that's what you're asking
[Me] We also have a wifi network that we leave off all the time, except that if Verizon coverage is not good enough, we turn it on just for the phone. There are no other devices on that wireless network.
[Me] It's extremely confusing trying to answer the questions in this questionnaire - they seem to presuppose a setup entirely different from our own.
[Natasha] As you use the Verizon you need to complete the questionnaire that has been assigned to you today. If you find the question difficult you can call our help desk we do have agents that are here to assist you with completing the process today
[Me] So when I come across questions that presuppose things that simply aren't true, am I supposed to just flip a coin which way I answer?
[Me] Also, is there any reason why phoneSWIPE wasn't listed on the very first screen, where you select the technology you're using? phoneSWIPE wants us to believe they're big and important - but their non-existence on that list implies YOU think they're basically irrelevant. Are they really that small a player? If so, I should probably ditch them. If not, then list them on the main page so people like me can have more confidence the questionnaire is appropriately tailored to our situation.
[Natasha] You can answer yes to them questions.
[Natasha] They are in the process of updating that onto the portal but as for at the moment if your phone swipe is connected to your wireless then you need to click on standard internet terminal and if it is not the you need to click on standard dial up terminal .
[Me] Thanks for your comments. I'll keep muddling through the questionnaire. Have a great day!
[Natasha] Your welcome, same to you.
(long time passes)
[Me] If you happen to still be there, I've gotten to the end of the process and it's told me I "need" a network scan, costing $60 a year. I believe this conclusion to be false.
[Natasha] If you are connected to the internet then yes you will need to run a scan of the yearly cost of $59.
[Me] If I understand it correctly, phoneSWIPE represented that since the cardholder data is encrypted on the swiper and only passes through the computing device encrypted, and is only able to be decrypted on the phoneSWIPE servers which do pass PCI compliance, that there is no way that cardholder data could be compromoised on the computing device (Android phone in this case).
[Me] Further, any IP address the phone is assigned by Verizon changes without notice.
[Natasha] I understand that but as you are connected to your wireless or wifi in the business we need to scan your router.
[Me] Hmmm, but again here I'm not convinced myPCI's questionnaire anticipates our environment. The wifi is OFF ALL OF THE TIME. We turn it on when our device needs internet access _and doesn't have Verizon coverage_. The thing is, we only do credit card swiping in locations we have Verizon coverage. So the wifi is NEVER on when processing credit cards.
[Me] Also, suppose we wanted this "service", what IP address are we supposed to put in the Panoptic sign-up form, given that the we have a dynamic IP address?
[Natasha] Which is why you need to run a scan, I understand it is only turned on when you need to process a payments but you still turn it on and use it in your business for when you process a payments. We can the firewall built within your router to make sure the firewall has no vulnerabilities in it. So we need to make sure no one can gain access to the card holder data from the net and no information can be leaked out.
[Me] You misread - it is NEVER turned on when we need to process a payment.
[Me] We only process payments in locations we have Verizon coverage, and in such cases we do not need wifi and our wifi is OFF.
[Natasha] Every internet has a public IP address. If you Google whatsmyip.org it will provide you with that information you require.
[Natasha] So you only use you phone internet not the business one?
[Me] For credit card processing, we NEVER use the wifi/broadband. We ALWAYS use the Verizon 3g.
[Me] (When we are selling goods & services we are out & about and in Verizon coverage areas.)
[Natasha] In the pre saq you need to click on standard dial up terminal and you will be assigned the correct questionnaire and no scan will be required form you.
[Me] So I just wasted half an hour after you told me "As you use the Verizon you need to complete the questionnaire that has been assigned to you today." I told you the questionnaire seemed inapplicable, and I told you that I use Verizon, and you told me that I had the right questionnaire. Now you tell me otherwise.
[Me] I'd also like to know how any phoneSWIPE user is supposed to figure out that their high-tech card reader plug-in for their Android cell phone is actually a "dial-up terminal". You tell me they're updating the front menu to make that more obvious. I hope they get that updated finished real soon, 'coz otherwise they're wasting a lot of time for a lot of people like me, who end up wasting a lot of time from people like you.
[Natasha] I am sorry you confused me by talking about your wifi in your business.
(Editors' note : I only mentioned wifi because the questionnaire was asking about it. I knew it was irrelevant!!!)
[Natasha] As we are not based in America I am not familiar with the networks
[Me] Ah - that makes sense.
[Me] ok, thanks for the pointer to SAQ B and hopefully it'll be smooth sailing from here!
[Natasha] I do apologies. It is a less complex questionnaire and you should have no problem with completing the process form here.
[Me] Done - thanks again & have a great day. Over & out.
Monday, October 14, 2013
Subscribe to:
Posts (Atom)