Being told my “network” isn't PCI compliant. I don't even have a server! Do I have to comply?New credit card security standards regarding PA-DSS CompliancePCI Compliant Key Management solutions that don't cost a fortuneIf PCI DSS isn't a law, how can I be prosecuted for not being compliant?PCI-DSS compliance for business with only swipe terminalsPCI-DSS Scope with tokenisationPCI Compliance ProblemClarification on being PCI compliantDoes PCI compliance require a DRP even if we don't store card data?PCI-SAQ A-EP compliance for website developer?Which self assessment questionairre should I use for PCI DSS compliance

Feedback diagram

δόλος = deceit in John 1:47

Can Otiluke's Freezing Spheres be stockpiled?

When did J.K. Rowling decide to make Ron and Hermione a couple?

Is Norway in the Single Market?

Reasons for using monsters as bioweapons

Is this popular optical illusion made of a grey-scale image with coloured lines?

How to avoid a lengthy conversation with someone from the neighborhood I don't share interests with

speaker impedence

How does Rust's 128-bit integer `i128` work on a 64-bit system?

Is it moral to remove/hide certain parts of a photo, as a photographer?

Why did the United States not resort to nuclear weapons in Vietnam?

What do the screens say after you are set free?

Why have both: BJT and FET transistors on IC output?

Who's behind community AMIs on Amazon EC2?

"Fewer errors means better products" or "Fewer errors mean better products"?

Can I shorten this filter, that finds disk sizes over 100G?

Declaring a visitor to the UK as my "girlfriend" - effect on getting a Visitor visa?

Define tcolorbox in math mode

How is Sword Coast North governed?

What's the term for a group of people who enjoy literary works?

How to power down external drive safely

What sort of solar system / atmospheric conditions, if any, would allow for a very cold planet that still receives plenty of light from its sun?

How long should I wait to plug in my refrigerator after unplugging it?



Being told my “network” isn't PCI compliant. I don't even have a server! Do I have to comply?


New credit card security standards regarding PA-DSS CompliancePCI Compliant Key Management solutions that don't cost a fortuneIf PCI DSS isn't a law, how can I be prosecuted for not being compliant?PCI-DSS compliance for business with only swipe terminalsPCI-DSS Scope with tokenisationPCI Compliance ProblemClarification on being PCI compliantDoes PCI compliance require a DRP even if we don't store card data?PCI-SAQ A-EP compliance for website developer?Which self assessment questionairre should I use for PCI DSS compliance






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








77















We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.



Our Treasurer uses a Verifone vx520 card reader to process credit card payments. It connects via ethernet. We don't store credit card data.



We got a vulnerability report stating that we were not PCI compliant.



They scanned our cable modem.



Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability
Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0
Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


I don't understand what they mean. We don't have a server or an online store or anything. I was told they scanned our network and this is what they found. They told us to get with ISP to fix issue.



How is the ISP supposed to get an SSL certificate installed on a cable modem? I did call our ISP and he didn't know what to tell me.



We just use the card reader and it connects to our payment processor.



Am I supposed to do something here? Is any of this applicable to us?










share|improve this question









New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 3





    Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

    – Ghedipunk
    2 days ago







  • 4





    Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

    – Ghedipunk
    2 days ago






  • 20





    @user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

    – gowenfawr
    2 days ago






  • 9





    "Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

    – Mattias
    yesterday







  • 20





    From whom did you get this report? Were they trying to sell you something to fix it?

    – Kevin
    yesterday

















77















We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.



Our Treasurer uses a Verifone vx520 card reader to process credit card payments. It connects via ethernet. We don't store credit card data.



We got a vulnerability report stating that we were not PCI compliant.



They scanned our cable modem.



Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability
Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0
Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


I don't understand what they mean. We don't have a server or an online store or anything. I was told they scanned our network and this is what they found. They told us to get with ISP to fix issue.



How is the ISP supposed to get an SSL certificate installed on a cable modem? I did call our ISP and he didn't know what to tell me.



We just use the card reader and it connects to our payment processor.



Am I supposed to do something here? Is any of this applicable to us?










share|improve this question









New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 3





    Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

    – Ghedipunk
    2 days ago







  • 4





    Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

    – Ghedipunk
    2 days ago






  • 20





    @user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

    – gowenfawr
    2 days ago






  • 9





    "Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

    – Mattias
    yesterday







  • 20





    From whom did you get this report? Were they trying to sell you something to fix it?

    – Kevin
    yesterday













77












77








77


8






We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.



Our Treasurer uses a Verifone vx520 card reader to process credit card payments. It connects via ethernet. We don't store credit card data.



We got a vulnerability report stating that we were not PCI compliant.



They scanned our cable modem.



Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability
Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0
Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


I don't understand what they mean. We don't have a server or an online store or anything. I was told they scanned our network and this is what they found. They told us to get with ISP to fix issue.



How is the ISP supposed to get an SSL certificate installed on a cable modem? I did call our ISP and he didn't know what to tell me.



We just use the card reader and it connects to our payment processor.



Am I supposed to do something here? Is any of this applicable to us?










share|improve this question









New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.



Our Treasurer uses a Verifone vx520 card reader to process credit card payments. It connects via ethernet. We don't store credit card data.



We got a vulnerability report stating that we were not PCI compliant.



They scanned our cable modem.



Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability
Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0
Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


I don't understand what they mean. We don't have a server or an online store or anything. I was told they scanned our network and this is what they found. They told us to get with ISP to fix issue.



How is the ISP supposed to get an SSL certificate installed on a cable modem? I did call our ISP and he didn't know what to tell me.



We just use the card reader and it connects to our payment processor.



Am I supposed to do something here? Is any of this applicable to us?







pci-dss






share|improve this question









New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question









New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited 8 mins ago









John Deters

29.6k3 gold badges45 silver badges98 bronze badges




29.6k3 gold badges45 silver badges98 bronze badges






New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 2 days ago









user3512967user3512967

3982 silver badges6 bronze badges




3982 silver badges6 bronze badges




New contributor



user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




user3512967 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • 3





    Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

    – Ghedipunk
    2 days ago







  • 4





    Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

    – Ghedipunk
    2 days ago






  • 20





    @user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

    – gowenfawr
    2 days ago






  • 9





    "Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

    – Mattias
    yesterday







  • 20





    From whom did you get this report? Were they trying to sell you something to fix it?

    – Kevin
    yesterday












  • 3





    Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

    – Ghedipunk
    2 days ago







  • 4





    Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

    – Ghedipunk
    2 days ago






  • 20





    @user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

    – gowenfawr
    2 days ago






  • 9





    "Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

    – Mattias
    yesterday







  • 20





    From whom did you get this report? Were they trying to sell you something to fix it?

    – Kevin
    yesterday







3




3





Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

– Ghedipunk
2 days ago






Have you tried putting your public IP address into your web browser's address bar to see if it will connect to anything? Try with both "http://1.1.1.1" and "https://1.1.1.1" (note the S in the second URL).

– Ghedipunk
2 days ago





4




4





Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

– Ghedipunk
2 days ago





Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant. This will probably just be configuring a firewall on your modem/router, though I'm putting off making an answer to this question depending on what you'd see from trying to bring up your IP address in your browser.

– Ghedipunk
2 days ago




20




20





@user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

– gowenfawr
2 days ago





@user3512967 that cert and user prompt is almost certainly to log in and control the modem itself. It really shouldn't be exposed to the Internet at large.

– gowenfawr
2 days ago




9




9





"Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

– Mattias
yesterday






"Also, since you are running credit cards that are physically located at your office, you do need to secure your network to be PCI compliant." That depends on the card terminal, the good terminal providers works hard to keep the stores network out-of-scope for PCI.

– Mattias
yesterday





20




20





From whom did you get this report? Were they trying to sell you something to fix it?

– Kevin
yesterday





From whom did you get this report? Were they trying to sell you something to fix it?

– Kevin
yesterday










5 Answers
5






active

oldest

votes


















76















At our office with connect to the internet through our cable modem
provided to us by Spectrum Business.



Our Treasurer uses a verifone vx520 card reader to process credit card
payments. It connects via ethernet. We don't store credit card data.




It sounds like you fall under SAQ B-IP (and you will be amused that the mnemonic is that "SAQ B-for-Brick-and-Mortar"):




SAQ B-IP has been developed to address requirements applicable to
merchants who process cardholder data only via standalone,
PTS-approved point-of-interaction (POI) devices with an IP connection
to the payment processor




It sounds like someone did an external ASV ("Approved Scanning Vendor") scan on your known IP address and found the cable modem was, unsurprisingly, not up to snuff.




Am I suppose to do something here? Is any of this applicable to us?




Yes, this is applicable to you, and many other things besides, all of which are outlined in the Self Assessment Questionnaire linked above. And if your other office systems - desktops, printers, whatever - are also sitting on the same network behind that cable modem, then the requirements of the SAQ apply to those as well. Things like patching and access controls.



For now, you will need to continue to work with your ISP. They either need to update the modem, upgrade it, or get it to stop accepting connections from the Internet at large.




To break down those error messages for you:



Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability


There's likely a self-signed certificate on that device, common for things like cable modems that need TLS but don't care about being trusted by random users. (PCI cares, though, even when users don't).



Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0 


When you go to a secure web site today, it's usually TLSv1.2 or TLSv1.1. TLSv1.0 is old, relatively insecure, and PCI declared it unacceptable to use a few years ago.



Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


TLS gets to pick from multiple algorithms; over time, weaknesses are found and individual algorithms get retired because of it. RC4 got retired a few years ago.






share|improve this answer






















  • 3





    If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

    – Bobson
    2 days ago






  • 2





    @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

    – gowenfawr
    2 days ago






  • 38





    RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

    – forest
    yesterday







  • 9





    RC4 should be called "poor man's plaintext"

    – Hagen von Eitzen
    yesterday






  • 3





    @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

    – rbsec
    yesterday



















26














Since you are physically handling cards, and sending that card data across a network to your card processor, you do need to secure your network. Besides just being compliant in order to get auditors off your case, if someone sneaks a program into your network, it might be able to eavesdrop on the rest of the network and steal that card data.



Based on your question and comments, some computer in your network has a web server that is publicly responding to requests.



It is most likely the cable modem/router itself, and the web server is part of a remote management console -- It allows you or your ISP to change settings without needing to be inside of the network. It also allows anyone else in the world to change settings, as well, though.



The error message that you're getting is saying SSL/TLS Server supports TLSv1.0, (among a couple other errors) which means that the web server is using security settings that are several years old. This is what your card processor is complaining about -- That web server is just too old and there are several known vulnerabilities.



However, your most critical problem is that there is a remote management console that is available to the public. People can guess the login information at their leisure and gain access to your internal network. When you turn off remote management in your modem, your card processor should be able to scan your network and won't be able to see anything at all, and you'll be back in PCI compliance (assuming that you were in compliance before).






share|improve this answer

























  • "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

    – Flexo
    52 mins ago


















10














In the big picture, the problem is that internet-connected devices face a lot of security threats. The other answers give good tips to address the specific issues that were detected this time.



On the other hand, if you'd prefer to stay out of that whole mess, you could downgrade to a standalone payment terminal that uses an analog phone line and doesn't touch the internet. It may not avoid all possible security problems, especially in the long term, but for now it will move you back from SAQ B-IP to SAQ B:




SAQ B: "...Standalone, dial-out terminals..."



SAQ B-IP: "...standalone...terminals with an IP connection..."




The advantages of moving to a dial-out terminal using an analog phone line are:



  • It takes your modem and other internet-connected devices out of the picture

  • You're less likely to be affected by new PCI security requirements

  • You're less likely to be affected by some future internet-based credit card security breach

The disadvantages are:



  • It might not be supported by your current payment processor (ask them)

  • It requires a regular analog phone line, not VOIP or anything like that


EDIT: After reading Harper's answer recommending P2PE, I now think it's a bad idea for any regular brick-and-mortar business to try to address its own SAQ B-IP issues as suggested by other answers. Trying to keep up with SAQ B-IP is simply too risky. A regular brick-and-mortar business should only use solutions under SAQ B (dial-out terminals) or SAQ P2PE-HW:




SAQ P2PE-HW: "...terminals...managed by a validated, PCI SSC-listed P2PE solution..."







share|improve this answer






















  • 4





    Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

    – WGroleau
    yesterday












  • @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

    – Mindwin
    yesterday











  • Indeed. My incident was less than three years ago.

    – WGroleau
    yesterday






  • 2





    Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

    – slebetman
    23 hours ago











  • Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

    – gowenfawr
    6 hours ago


















8














TLDR: that card reader stinks, and exposes you to all sorts of liability. Get a modern card terminal with P2PE.



You need to comply with PCI... unless...



PCI-DSS is serious business. Most small businesses do not have a breach. But if you do have a breach (which would most likely be crackers surveilling your credit card transactions for an extended period of time), you'll need to pay extremely painful penalties that have a (the figure I've heard is 90%) chance of bankrupting your small business.



What is in scope for PCI is



  • your card terminal

  • the network it's on

  • every PC, wait, device that can access that network

    • including IoT: security cameras, Sense power monitor, and every silly WiFi-enabled gadget you bought on a lark and forgot all about


  • every network that can access that network, and

  • every PC, er, device on those networks.

... unless you avoid the entire issue with P2PE



If the data going through your app, PC, phone or network is all encrypted with strong encryption, then PCI-DSS doesn't apply to it. This is a very useful escape!



When Square came out with the first card reader for proprietorship sized businesses, it was a simple magnetic tape head. Obviously, the Square app handled card data "in the clear". That placed the app, phone/tablet, network etc. in scope for PCI-DSS.



PayPal Here put an encryption processor inside the scanner fob itself. The fob itself talks to PayPal servers, via Point to Point Encryption (P2PE, or as we call it, a "secure VPN"). The PayPal app simply relays the encrypted data, and it cannot know what it says (and neither can anyone else). If everything checks out, PayPal servers tell the PayPal app "approved".



Because the app, phone and network see only encrypted data, that does not place them in scope of PCI-DSS. All you have to do is make sure your fob has not been physically tampered with.



Consequences of a breach



  • A PCI audit, upfront, even if you are proved to be innocent

  • The fraudulent transactions themselves, if you are guilty

  • The cost of reissuing credit cards to all the customers

  • Penalties

I've heard statistics that a breach and the consequences about 90% of affected small businesses into bankruptcy. It nearly did in Target, after all!



Needless to say, P2PE is not only a smart way to go, it's the only way to go, in my book.



Why isn't every acquirer supporting P2PE and even making you use it? Because the industry kinda sucks that way, and a rapid switch-over will break a lot of larger businesses that do things with credit card data (think: Home Depot's ability to find your receipts and do returns based solely on your credit card number). They took over 10 years to adopt chip, and they'll probably take another 10 to adopt P2PE. This is one reason I do not like the traditional acquirer model. That, and their prices.






share|improve this answer

























  • This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

    – ManRow
    3 hours ago


















0














If user3512967's modem is like mine, then hardening the web interface's TLS settings is pointless.
My Cisco EPC3212 has an interface that is accessible from within the LAN via HTTP only. It has login credentials that can be googled and cannot be changed. Even if it were served via TLS (weak or strong), my network would not be more secure. Public knowledge cannot be undisclosed.



So my question is: Does user3512967's modem's interface offer restriction-worthy control or confidential information that is not accessible via public knowledge? If it does not, then fixing it's TLS does not solve anything.






share|improve this answer








New contributor



Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    user3512967 is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214513%2fbeing-told-my-network-isnt-pci-compliant-i-dont-even-have-a-server-do-i-ha%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    76















    At our office with connect to the internet through our cable modem
    provided to us by Spectrum Business.



    Our Treasurer uses a verifone vx520 card reader to process credit card
    payments. It connects via ethernet. We don't store credit card data.




    It sounds like you fall under SAQ B-IP (and you will be amused that the mnemonic is that "SAQ B-for-Brick-and-Mortar"):




    SAQ B-IP has been developed to address requirements applicable to
    merchants who process cardholder data only via standalone,
    PTS-approved point-of-interaction (POI) devices with an IP connection
    to the payment processor




    It sounds like someone did an external ASV ("Approved Scanning Vendor") scan on your known IP address and found the cable modem was, unsurprisingly, not up to snuff.




    Am I suppose to do something here? Is any of this applicable to us?




    Yes, this is applicable to you, and many other things besides, all of which are outlined in the Self Assessment Questionnaire linked above. And if your other office systems - desktops, printers, whatever - are also sitting on the same network behind that cable modem, then the requirements of the SAQ apply to those as well. Things like patching and access controls.



    For now, you will need to continue to work with your ISP. They either need to update the modem, upgrade it, or get it to stop accepting connections from the Internet at large.




    To break down those error messages for you:



    Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability


    There's likely a self-signed certificate on that device, common for things like cable modems that need TLS but don't care about being trusted by random users. (PCI cares, though, even when users don't).



    Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0 


    When you go to a secure web site today, it's usually TLSv1.2 or TLSv1.1. TLSv1.0 is old, relatively insecure, and PCI declared it unacceptable to use a few years ago.



    Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


    TLS gets to pick from multiple algorithms; over time, weaknesses are found and individual algorithms get retired because of it. RC4 got retired a few years ago.






    share|improve this answer






















    • 3





      If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

      – Bobson
      2 days ago






    • 2





      @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

      – gowenfawr
      2 days ago






    • 38





      RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

      – forest
      yesterday







    • 9





      RC4 should be called "poor man's plaintext"

      – Hagen von Eitzen
      yesterday






    • 3





      @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

      – rbsec
      yesterday
















    76















    At our office with connect to the internet through our cable modem
    provided to us by Spectrum Business.



    Our Treasurer uses a verifone vx520 card reader to process credit card
    payments. It connects via ethernet. We don't store credit card data.




    It sounds like you fall under SAQ B-IP (and you will be amused that the mnemonic is that "SAQ B-for-Brick-and-Mortar"):




    SAQ B-IP has been developed to address requirements applicable to
    merchants who process cardholder data only via standalone,
    PTS-approved point-of-interaction (POI) devices with an IP connection
    to the payment processor




    It sounds like someone did an external ASV ("Approved Scanning Vendor") scan on your known IP address and found the cable modem was, unsurprisingly, not up to snuff.




    Am I suppose to do something here? Is any of this applicable to us?




    Yes, this is applicable to you, and many other things besides, all of which are outlined in the Self Assessment Questionnaire linked above. And if your other office systems - desktops, printers, whatever - are also sitting on the same network behind that cable modem, then the requirements of the SAQ apply to those as well. Things like patching and access controls.



    For now, you will need to continue to work with your ISP. They either need to update the modem, upgrade it, or get it to stop accepting connections from the Internet at large.




    To break down those error messages for you:



    Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability


    There's likely a self-signed certificate on that device, common for things like cable modems that need TLS but don't care about being trusted by random users. (PCI cares, though, even when users don't).



    Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0 


    When you go to a secure web site today, it's usually TLSv1.2 or TLSv1.1. TLSv1.0 is old, relatively insecure, and PCI declared it unacceptable to use a few years ago.



    Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


    TLS gets to pick from multiple algorithms; over time, weaknesses are found and individual algorithms get retired because of it. RC4 got retired a few years ago.






    share|improve this answer






















    • 3





      If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

      – Bobson
      2 days ago






    • 2





      @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

      – gowenfawr
      2 days ago






    • 38





      RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

      – forest
      yesterday







    • 9





      RC4 should be called "poor man's plaintext"

      – Hagen von Eitzen
      yesterday






    • 3





      @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

      – rbsec
      yesterday














    76












    76








    76








    At our office with connect to the internet through our cable modem
    provided to us by Spectrum Business.



    Our Treasurer uses a verifone vx520 card reader to process credit card
    payments. It connects via ethernet. We don't store credit card data.




    It sounds like you fall under SAQ B-IP (and you will be amused that the mnemonic is that "SAQ B-for-Brick-and-Mortar"):




    SAQ B-IP has been developed to address requirements applicable to
    merchants who process cardholder data only via standalone,
    PTS-approved point-of-interaction (POI) devices with an IP connection
    to the payment processor




    It sounds like someone did an external ASV ("Approved Scanning Vendor") scan on your known IP address and found the cable modem was, unsurprisingly, not up to snuff.




    Am I suppose to do something here? Is any of this applicable to us?




    Yes, this is applicable to you, and many other things besides, all of which are outlined in the Self Assessment Questionnaire linked above. And if your other office systems - desktops, printers, whatever - are also sitting on the same network behind that cable modem, then the requirements of the SAQ apply to those as well. Things like patching and access controls.



    For now, you will need to continue to work with your ISP. They either need to update the modem, upgrade it, or get it to stop accepting connections from the Internet at large.




    To break down those error messages for you:



    Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability


    There's likely a self-signed certificate on that device, common for things like cable modems that need TLS but don't care about being trusted by random users. (PCI cares, though, even when users don't).



    Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0 


    When you go to a secure web site today, it's usually TLSv1.2 or TLSv1.1. TLSv1.0 is old, relatively insecure, and PCI declared it unacceptable to use a few years ago.



    Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


    TLS gets to pick from multiple algorithms; over time, weaknesses are found and individual algorithms get retired because of it. RC4 got retired a few years ago.






    share|improve this answer
















    At our office with connect to the internet through our cable modem
    provided to us by Spectrum Business.



    Our Treasurer uses a verifone vx520 card reader to process credit card
    payments. It connects via ethernet. We don't store credit card data.




    It sounds like you fall under SAQ B-IP (and you will be amused that the mnemonic is that "SAQ B-for-Brick-and-Mortar"):




    SAQ B-IP has been developed to address requirements applicable to
    merchants who process cardholder data only via standalone,
    PTS-approved point-of-interaction (POI) devices with an IP connection
    to the payment processor




    It sounds like someone did an external ASV ("Approved Scanning Vendor") scan on your known IP address and found the cable modem was, unsurprisingly, not up to snuff.




    Am I suppose to do something here? Is any of this applicable to us?




    Yes, this is applicable to you, and many other things besides, all of which are outlined in the Self Assessment Questionnaire linked above. And if your other office systems - desktops, printers, whatever - are also sitting on the same network behind that cable modem, then the requirements of the SAQ apply to those as well. Things like patching and access controls.



    For now, you will need to continue to work with your ISP. They either need to update the modem, upgrade it, or get it to stop accepting connections from the Internet at large.




    To break down those error messages for you:



    Part 2b-1. 38173 - SSL Certificate - Signature Verification Failed Vulnerability


    There's likely a self-signed certificate on that device, common for things like cable modems that need TLS but don't care about being trusted by random users. (PCI cares, though, even when users don't).



    Part 2b-6. 38628 - SSL/TLS Server supports TLSv1.0 


    When you go to a secure web site today, it's usually TLSv1.2 or TLSv1.1. TLSv1.0 is old, relatively insecure, and PCI declared it unacceptable to use a few years ago.



    Part 2b-7. 38601 - SSL/TLS use of weak RC4(Arcfour) cipher (CVE-2013-2566, CVE-2015-2808)


    TLS gets to pick from multiple algorithms; over time, weaknesses are found and individual algorithms get retired because of it. RC4 got retired a few years ago.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 2 days ago

























    answered 2 days ago









    gowenfawrgowenfawr

    56.7k11 gold badges124 silver badges168 bronze badges




    56.7k11 gold badges124 silver badges168 bronze badges










    • 3





      If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

      – Bobson
      2 days ago






    • 2





      @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

      – gowenfawr
      2 days ago






    • 38





      RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

      – forest
      yesterday







    • 9





      RC4 should be called "poor man's plaintext"

      – Hagen von Eitzen
      yesterday






    • 3





      @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

      – rbsec
      yesterday













    • 3





      If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

      – Bobson
      2 days ago






    • 2





      @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

      – gowenfawr
      2 days ago






    • 38





      RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

      – forest
      yesterday







    • 9





      RC4 should be called "poor man's plaintext"

      – Hagen von Eitzen
      yesterday






    • 3





      @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

      – rbsec
      yesterday








    3




    3





    If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

    – Bobson
    2 days ago





    If the verifone and processor were P2PE-certified, would that remove the whole store network from scope? I’m not very familiar with B, but my impression is that if the device is encrypting everything then there is no “card data environment”, so presumably most questions wouldn’t apply. But I have no idea if that’s how it actually works for a location like this.

    – Bobson
    2 days ago




    2




    2





    @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

    – gowenfawr
    2 days ago





    @Bobson I don't think so; see Q4 of the P2PE FAQ. But IANAQSA!

    – gowenfawr
    2 days ago




    38




    38





    RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

    – forest
    yesterday






    RC4 may have been officially retired only a few years ago, but it was discovered to be broken literally hours after it was published in public, in the 90s. It's only through incompetence that it was used for so long.

    – forest
    yesterday





    9




    9





    RC4 should be called "poor man's plaintext"

    – Hagen von Eitzen
    yesterday





    RC4 should be called "poor man's plaintext"

    – Hagen von Eitzen
    yesterday




    3




    3





    @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

    – rbsec
    yesterday






    @Bobson you would have to do SAQ-P2PE instead, which has far fewer requirements than B-IP (and doesn't have the ASV scan, or really anything related to your network).

    – rbsec
    yesterday














    26














    Since you are physically handling cards, and sending that card data across a network to your card processor, you do need to secure your network. Besides just being compliant in order to get auditors off your case, if someone sneaks a program into your network, it might be able to eavesdrop on the rest of the network and steal that card data.



    Based on your question and comments, some computer in your network has a web server that is publicly responding to requests.



    It is most likely the cable modem/router itself, and the web server is part of a remote management console -- It allows you or your ISP to change settings without needing to be inside of the network. It also allows anyone else in the world to change settings, as well, though.



    The error message that you're getting is saying SSL/TLS Server supports TLSv1.0, (among a couple other errors) which means that the web server is using security settings that are several years old. This is what your card processor is complaining about -- That web server is just too old and there are several known vulnerabilities.



    However, your most critical problem is that there is a remote management console that is available to the public. People can guess the login information at their leisure and gain access to your internal network. When you turn off remote management in your modem, your card processor should be able to scan your network and won't be able to see anything at all, and you'll be back in PCI compliance (assuming that you were in compliance before).






    share|improve this answer

























    • "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

      – Flexo
      52 mins ago















    26














    Since you are physically handling cards, and sending that card data across a network to your card processor, you do need to secure your network. Besides just being compliant in order to get auditors off your case, if someone sneaks a program into your network, it might be able to eavesdrop on the rest of the network and steal that card data.



    Based on your question and comments, some computer in your network has a web server that is publicly responding to requests.



    It is most likely the cable modem/router itself, and the web server is part of a remote management console -- It allows you or your ISP to change settings without needing to be inside of the network. It also allows anyone else in the world to change settings, as well, though.



    The error message that you're getting is saying SSL/TLS Server supports TLSv1.0, (among a couple other errors) which means that the web server is using security settings that are several years old. This is what your card processor is complaining about -- That web server is just too old and there are several known vulnerabilities.



    However, your most critical problem is that there is a remote management console that is available to the public. People can guess the login information at their leisure and gain access to your internal network. When you turn off remote management in your modem, your card processor should be able to scan your network and won't be able to see anything at all, and you'll be back in PCI compliance (assuming that you were in compliance before).






    share|improve this answer

























    • "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

      – Flexo
      52 mins ago













    26












    26








    26







    Since you are physically handling cards, and sending that card data across a network to your card processor, you do need to secure your network. Besides just being compliant in order to get auditors off your case, if someone sneaks a program into your network, it might be able to eavesdrop on the rest of the network and steal that card data.



    Based on your question and comments, some computer in your network has a web server that is publicly responding to requests.



    It is most likely the cable modem/router itself, and the web server is part of a remote management console -- It allows you or your ISP to change settings without needing to be inside of the network. It also allows anyone else in the world to change settings, as well, though.



    The error message that you're getting is saying SSL/TLS Server supports TLSv1.0, (among a couple other errors) which means that the web server is using security settings that are several years old. This is what your card processor is complaining about -- That web server is just too old and there are several known vulnerabilities.



    However, your most critical problem is that there is a remote management console that is available to the public. People can guess the login information at their leisure and gain access to your internal network. When you turn off remote management in your modem, your card processor should be able to scan your network and won't be able to see anything at all, and you'll be back in PCI compliance (assuming that you were in compliance before).






    share|improve this answer













    Since you are physically handling cards, and sending that card data across a network to your card processor, you do need to secure your network. Besides just being compliant in order to get auditors off your case, if someone sneaks a program into your network, it might be able to eavesdrop on the rest of the network and steal that card data.



    Based on your question and comments, some computer in your network has a web server that is publicly responding to requests.



    It is most likely the cable modem/router itself, and the web server is part of a remote management console -- It allows you or your ISP to change settings without needing to be inside of the network. It also allows anyone else in the world to change settings, as well, though.



    The error message that you're getting is saying SSL/TLS Server supports TLSv1.0, (among a couple other errors) which means that the web server is using security settings that are several years old. This is what your card processor is complaining about -- That web server is just too old and there are several known vulnerabilities.



    However, your most critical problem is that there is a remote management console that is available to the public. People can guess the login information at their leisure and gain access to your internal network. When you turn off remote management in your modem, your card processor should be able to scan your network and won't be able to see anything at all, and you'll be back in PCI compliance (assuming that you were in compliance before).







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 2 days ago









    GhedipunkGhedipunk

    3,7351 gold badge15 silver badges25 bronze badges




    3,7351 gold badge15 silver badges25 bronze badges















    • "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

      – Flexo
      52 mins ago

















    • "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

      – Flexo
      52 mins ago
















    "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

    – Flexo
    52 mins ago





    "it might be able to eavesdrop on the rest of the network and steal that card data" - card processing isn't my thing, but I assumed they would be robust to that threat.

    – Flexo
    52 mins ago











    10














    In the big picture, the problem is that internet-connected devices face a lot of security threats. The other answers give good tips to address the specific issues that were detected this time.



    On the other hand, if you'd prefer to stay out of that whole mess, you could downgrade to a standalone payment terminal that uses an analog phone line and doesn't touch the internet. It may not avoid all possible security problems, especially in the long term, but for now it will move you back from SAQ B-IP to SAQ B:




    SAQ B: "...Standalone, dial-out terminals..."



    SAQ B-IP: "...standalone...terminals with an IP connection..."




    The advantages of moving to a dial-out terminal using an analog phone line are:



    • It takes your modem and other internet-connected devices out of the picture

    • You're less likely to be affected by new PCI security requirements

    • You're less likely to be affected by some future internet-based credit card security breach

    The disadvantages are:



    • It might not be supported by your current payment processor (ask them)

    • It requires a regular analog phone line, not VOIP or anything like that


    EDIT: After reading Harper's answer recommending P2PE, I now think it's a bad idea for any regular brick-and-mortar business to try to address its own SAQ B-IP issues as suggested by other answers. Trying to keep up with SAQ B-IP is simply too risky. A regular brick-and-mortar business should only use solutions under SAQ B (dial-out terminals) or SAQ P2PE-HW:




    SAQ P2PE-HW: "...terminals...managed by a validated, PCI SSC-listed P2PE solution..."







    share|improve this answer






















    • 4





      Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

      – WGroleau
      yesterday












    • @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

      – Mindwin
      yesterday











    • Indeed. My incident was less than three years ago.

      – WGroleau
      yesterday






    • 2





      Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

      – slebetman
      23 hours ago











    • Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

      – gowenfawr
      6 hours ago















    10














    In the big picture, the problem is that internet-connected devices face a lot of security threats. The other answers give good tips to address the specific issues that were detected this time.



    On the other hand, if you'd prefer to stay out of that whole mess, you could downgrade to a standalone payment terminal that uses an analog phone line and doesn't touch the internet. It may not avoid all possible security problems, especially in the long term, but for now it will move you back from SAQ B-IP to SAQ B:




    SAQ B: "...Standalone, dial-out terminals..."



    SAQ B-IP: "...standalone...terminals with an IP connection..."




    The advantages of moving to a dial-out terminal using an analog phone line are:



    • It takes your modem and other internet-connected devices out of the picture

    • You're less likely to be affected by new PCI security requirements

    • You're less likely to be affected by some future internet-based credit card security breach

    The disadvantages are:



    • It might not be supported by your current payment processor (ask them)

    • It requires a regular analog phone line, not VOIP or anything like that


    EDIT: After reading Harper's answer recommending P2PE, I now think it's a bad idea for any regular brick-and-mortar business to try to address its own SAQ B-IP issues as suggested by other answers. Trying to keep up with SAQ B-IP is simply too risky. A regular brick-and-mortar business should only use solutions under SAQ B (dial-out terminals) or SAQ P2PE-HW:




    SAQ P2PE-HW: "...terminals...managed by a validated, PCI SSC-listed P2PE solution..."







    share|improve this answer






















    • 4





      Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

      – WGroleau
      yesterday












    • @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

      – Mindwin
      yesterday











    • Indeed. My incident was less than three years ago.

      – WGroleau
      yesterday






    • 2





      Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

      – slebetman
      23 hours ago











    • Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

      – gowenfawr
      6 hours ago













    10












    10








    10







    In the big picture, the problem is that internet-connected devices face a lot of security threats. The other answers give good tips to address the specific issues that were detected this time.



    On the other hand, if you'd prefer to stay out of that whole mess, you could downgrade to a standalone payment terminal that uses an analog phone line and doesn't touch the internet. It may not avoid all possible security problems, especially in the long term, but for now it will move you back from SAQ B-IP to SAQ B:




    SAQ B: "...Standalone, dial-out terminals..."



    SAQ B-IP: "...standalone...terminals with an IP connection..."




    The advantages of moving to a dial-out terminal using an analog phone line are:



    • It takes your modem and other internet-connected devices out of the picture

    • You're less likely to be affected by new PCI security requirements

    • You're less likely to be affected by some future internet-based credit card security breach

    The disadvantages are:



    • It might not be supported by your current payment processor (ask them)

    • It requires a regular analog phone line, not VOIP or anything like that


    EDIT: After reading Harper's answer recommending P2PE, I now think it's a bad idea for any regular brick-and-mortar business to try to address its own SAQ B-IP issues as suggested by other answers. Trying to keep up with SAQ B-IP is simply too risky. A regular brick-and-mortar business should only use solutions under SAQ B (dial-out terminals) or SAQ P2PE-HW:




    SAQ P2PE-HW: "...terminals...managed by a validated, PCI SSC-listed P2PE solution..."







    share|improve this answer















    In the big picture, the problem is that internet-connected devices face a lot of security threats. The other answers give good tips to address the specific issues that were detected this time.



    On the other hand, if you'd prefer to stay out of that whole mess, you could downgrade to a standalone payment terminal that uses an analog phone line and doesn't touch the internet. It may not avoid all possible security problems, especially in the long term, but for now it will move you back from SAQ B-IP to SAQ B:




    SAQ B: "...Standalone, dial-out terminals..."



    SAQ B-IP: "...standalone...terminals with an IP connection..."




    The advantages of moving to a dial-out terminal using an analog phone line are:



    • It takes your modem and other internet-connected devices out of the picture

    • You're less likely to be affected by new PCI security requirements

    • You're less likely to be affected by some future internet-based credit card security breach

    The disadvantages are:



    • It might not be supported by your current payment processor (ask them)

    • It requires a regular analog phone line, not VOIP or anything like that


    EDIT: After reading Harper's answer recommending P2PE, I now think it's a bad idea for any regular brick-and-mortar business to try to address its own SAQ B-IP issues as suggested by other answers. Trying to keep up with SAQ B-IP is simply too risky. A regular brick-and-mortar business should only use solutions under SAQ B (dial-out terminals) or SAQ P2PE-HW:




    SAQ P2PE-HW: "...terminals...managed by a validated, PCI SSC-listed P2PE solution..."








    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited yesterday

























    answered yesterday









    KruboKrubo

    4894 silver badges8 bronze badges




    4894 silver badges8 bronze badges










    • 4





      Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

      – WGroleau
      yesterday












    • @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

      – Mindwin
      yesterday











    • Indeed. My incident was less than three years ago.

      – WGroleau
      yesterday






    • 2





      Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

      – slebetman
      23 hours ago











    • Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

      – gowenfawr
      6 hours ago












    • 4





      Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

      – WGroleau
      yesterday












    • @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

      – Mindwin
      yesterday











    • Indeed. My incident was less than three years ago.

      – WGroleau
      yesterday






    • 2





      Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

      – slebetman
      23 hours ago











    • Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

      – gowenfawr
      6 hours ago







    4




    4





    Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

    – WGroleau
    yesterday






    Disadvantage three: unless you add a phone line just for that, you’ll have customers standing around waiting (or leaving in a huff) while you’re phone line is busy doing something else. (I once waited many minutes for a card transaction while someone else was trying to decide what to do at an ATM dialing out on the store’s only line!)

    – WGroleau
    yesterday














    @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

    – Mindwin
    yesterday





    @WGroleau the vendor would probably have to get a phone line (a physical wire) installed for him if he want to use an analog phone for dial-up these days. In some places it might not even be available. I doubt he will have trouble with a blocked phone line. Of course YMMV depending on your country and province.

    – Mindwin
    yesterday













    Indeed. My incident was less than three years ago.

    – WGroleau
    yesterday





    Indeed. My incident was less than three years ago.

    – WGroleau
    yesterday




    2




    2





    Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

    – slebetman
    23 hours ago





    Where I'm from a lot of shops use mobile (GSM/3G/4G) payment terminals connected directly to the internet. In such cases I assume the vendor/manufacturer is responsible for PCI compliance. You do need to pay for a data plan for the sim card though.

    – slebetman
    23 hours ago













    Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

    – gowenfawr
    6 hours ago





    Saying "Trying to keep up with SAQ B-IP is simply too risky" is like saying "PCI compliance is too hard for merchants to meet and maintain." I'm not saying either statement is wrong, mind you, but let's be aware we're surrendering when we do it.

    – gowenfawr
    6 hours ago











    8














    TLDR: that card reader stinks, and exposes you to all sorts of liability. Get a modern card terminal with P2PE.



    You need to comply with PCI... unless...



    PCI-DSS is serious business. Most small businesses do not have a breach. But if you do have a breach (which would most likely be crackers surveilling your credit card transactions for an extended period of time), you'll need to pay extremely painful penalties that have a (the figure I've heard is 90%) chance of bankrupting your small business.



    What is in scope for PCI is



    • your card terminal

    • the network it's on

    • every PC, wait, device that can access that network

      • including IoT: security cameras, Sense power monitor, and every silly WiFi-enabled gadget you bought on a lark and forgot all about


    • every network that can access that network, and

    • every PC, er, device on those networks.

    ... unless you avoid the entire issue with P2PE



    If the data going through your app, PC, phone or network is all encrypted with strong encryption, then PCI-DSS doesn't apply to it. This is a very useful escape!



    When Square came out with the first card reader for proprietorship sized businesses, it was a simple magnetic tape head. Obviously, the Square app handled card data "in the clear". That placed the app, phone/tablet, network etc. in scope for PCI-DSS.



    PayPal Here put an encryption processor inside the scanner fob itself. The fob itself talks to PayPal servers, via Point to Point Encryption (P2PE, or as we call it, a "secure VPN"). The PayPal app simply relays the encrypted data, and it cannot know what it says (and neither can anyone else). If everything checks out, PayPal servers tell the PayPal app "approved".



    Because the app, phone and network see only encrypted data, that does not place them in scope of PCI-DSS. All you have to do is make sure your fob has not been physically tampered with.



    Consequences of a breach



    • A PCI audit, upfront, even if you are proved to be innocent

    • The fraudulent transactions themselves, if you are guilty

    • The cost of reissuing credit cards to all the customers

    • Penalties

    I've heard statistics that a breach and the consequences about 90% of affected small businesses into bankruptcy. It nearly did in Target, after all!



    Needless to say, P2PE is not only a smart way to go, it's the only way to go, in my book.



    Why isn't every acquirer supporting P2PE and even making you use it? Because the industry kinda sucks that way, and a rapid switch-over will break a lot of larger businesses that do things with credit card data (think: Home Depot's ability to find your receipts and do returns based solely on your credit card number). They took over 10 years to adopt chip, and they'll probably take another 10 to adopt P2PE. This is one reason I do not like the traditional acquirer model. That, and their prices.






    share|improve this answer

























    • This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

      – ManRow
      3 hours ago















    8














    TLDR: that card reader stinks, and exposes you to all sorts of liability. Get a modern card terminal with P2PE.



    You need to comply with PCI... unless...



    PCI-DSS is serious business. Most small businesses do not have a breach. But if you do have a breach (which would most likely be crackers surveilling your credit card transactions for an extended period of time), you'll need to pay extremely painful penalties that have a (the figure I've heard is 90%) chance of bankrupting your small business.



    What is in scope for PCI is



    • your card terminal

    • the network it's on

    • every PC, wait, device that can access that network

      • including IoT: security cameras, Sense power monitor, and every silly WiFi-enabled gadget you bought on a lark and forgot all about


    • every network that can access that network, and

    • every PC, er, device on those networks.

    ... unless you avoid the entire issue with P2PE



    If the data going through your app, PC, phone or network is all encrypted with strong encryption, then PCI-DSS doesn't apply to it. This is a very useful escape!



    When Square came out with the first card reader for proprietorship sized businesses, it was a simple magnetic tape head. Obviously, the Square app handled card data "in the clear". That placed the app, phone/tablet, network etc. in scope for PCI-DSS.



    PayPal Here put an encryption processor inside the scanner fob itself. The fob itself talks to PayPal servers, via Point to Point Encryption (P2PE, or as we call it, a "secure VPN"). The PayPal app simply relays the encrypted data, and it cannot know what it says (and neither can anyone else). If everything checks out, PayPal servers tell the PayPal app "approved".



    Because the app, phone and network see only encrypted data, that does not place them in scope of PCI-DSS. All you have to do is make sure your fob has not been physically tampered with.



    Consequences of a breach



    • A PCI audit, upfront, even if you are proved to be innocent

    • The fraudulent transactions themselves, if you are guilty

    • The cost of reissuing credit cards to all the customers

    • Penalties

    I've heard statistics that a breach and the consequences about 90% of affected small businesses into bankruptcy. It nearly did in Target, after all!



    Needless to say, P2PE is not only a smart way to go, it's the only way to go, in my book.



    Why isn't every acquirer supporting P2PE and even making you use it? Because the industry kinda sucks that way, and a rapid switch-over will break a lot of larger businesses that do things with credit card data (think: Home Depot's ability to find your receipts and do returns based solely on your credit card number). They took over 10 years to adopt chip, and they'll probably take another 10 to adopt P2PE. This is one reason I do not like the traditional acquirer model. That, and their prices.






    share|improve this answer

























    • This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

      – ManRow
      3 hours ago













    8












    8








    8







    TLDR: that card reader stinks, and exposes you to all sorts of liability. Get a modern card terminal with P2PE.



    You need to comply with PCI... unless...



    PCI-DSS is serious business. Most small businesses do not have a breach. But if you do have a breach (which would most likely be crackers surveilling your credit card transactions for an extended period of time), you'll need to pay extremely painful penalties that have a (the figure I've heard is 90%) chance of bankrupting your small business.



    What is in scope for PCI is



    • your card terminal

    • the network it's on

    • every PC, wait, device that can access that network

      • including IoT: security cameras, Sense power monitor, and every silly WiFi-enabled gadget you bought on a lark and forgot all about


    • every network that can access that network, and

    • every PC, er, device on those networks.

    ... unless you avoid the entire issue with P2PE



    If the data going through your app, PC, phone or network is all encrypted with strong encryption, then PCI-DSS doesn't apply to it. This is a very useful escape!



    When Square came out with the first card reader for proprietorship sized businesses, it was a simple magnetic tape head. Obviously, the Square app handled card data "in the clear". That placed the app, phone/tablet, network etc. in scope for PCI-DSS.



    PayPal Here put an encryption processor inside the scanner fob itself. The fob itself talks to PayPal servers, via Point to Point Encryption (P2PE, or as we call it, a "secure VPN"). The PayPal app simply relays the encrypted data, and it cannot know what it says (and neither can anyone else). If everything checks out, PayPal servers tell the PayPal app "approved".



    Because the app, phone and network see only encrypted data, that does not place them in scope of PCI-DSS. All you have to do is make sure your fob has not been physically tampered with.



    Consequences of a breach



    • A PCI audit, upfront, even if you are proved to be innocent

    • The fraudulent transactions themselves, if you are guilty

    • The cost of reissuing credit cards to all the customers

    • Penalties

    I've heard statistics that a breach and the consequences about 90% of affected small businesses into bankruptcy. It nearly did in Target, after all!



    Needless to say, P2PE is not only a smart way to go, it's the only way to go, in my book.



    Why isn't every acquirer supporting P2PE and even making you use it? Because the industry kinda sucks that way, and a rapid switch-over will break a lot of larger businesses that do things with credit card data (think: Home Depot's ability to find your receipts and do returns based solely on your credit card number). They took over 10 years to adopt chip, and they'll probably take another 10 to adopt P2PE. This is one reason I do not like the traditional acquirer model. That, and their prices.






    share|improve this answer













    TLDR: that card reader stinks, and exposes you to all sorts of liability. Get a modern card terminal with P2PE.



    You need to comply with PCI... unless...



    PCI-DSS is serious business. Most small businesses do not have a breach. But if you do have a breach (which would most likely be crackers surveilling your credit card transactions for an extended period of time), you'll need to pay extremely painful penalties that have a (the figure I've heard is 90%) chance of bankrupting your small business.



    What is in scope for PCI is



    • your card terminal

    • the network it's on

    • every PC, wait, device that can access that network

      • including IoT: security cameras, Sense power monitor, and every silly WiFi-enabled gadget you bought on a lark and forgot all about


    • every network that can access that network, and

    • every PC, er, device on those networks.

    ... unless you avoid the entire issue with P2PE



    If the data going through your app, PC, phone or network is all encrypted with strong encryption, then PCI-DSS doesn't apply to it. This is a very useful escape!



    When Square came out with the first card reader for proprietorship sized businesses, it was a simple magnetic tape head. Obviously, the Square app handled card data "in the clear". That placed the app, phone/tablet, network etc. in scope for PCI-DSS.



    PayPal Here put an encryption processor inside the scanner fob itself. The fob itself talks to PayPal servers, via Point to Point Encryption (P2PE, or as we call it, a "secure VPN"). The PayPal app simply relays the encrypted data, and it cannot know what it says (and neither can anyone else). If everything checks out, PayPal servers tell the PayPal app "approved".



    Because the app, phone and network see only encrypted data, that does not place them in scope of PCI-DSS. All you have to do is make sure your fob has not been physically tampered with.



    Consequences of a breach



    • A PCI audit, upfront, even if you are proved to be innocent

    • The fraudulent transactions themselves, if you are guilty

    • The cost of reissuing credit cards to all the customers

    • Penalties

    I've heard statistics that a breach and the consequences about 90% of affected small businesses into bankruptcy. It nearly did in Target, after all!



    Needless to say, P2PE is not only a smart way to go, it's the only way to go, in my book.



    Why isn't every acquirer supporting P2PE and even making you use it? Because the industry kinda sucks that way, and a rapid switch-over will break a lot of larger businesses that do things with credit card data (think: Home Depot's ability to find your receipts and do returns based solely on your credit card number). They took over 10 years to adopt chip, and they'll probably take another 10 to adopt P2PE. This is one reason I do not like the traditional acquirer model. That, and their prices.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered yesterday









    HarperHarper

    2,3305 silver badges14 bronze badges




    2,3305 silver badges14 bronze badges















    • This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

      – ManRow
      3 hours ago

















    • This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

      – ManRow
      3 hours ago
















    This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

    – ManRow
    3 hours ago





    This seems to be the simplest solution --- many card readers are simply just that (i.e., "readers!"), not necessarily doing any "encryption" on their end either!

    – ManRow
    3 hours ago











    0














    If user3512967's modem is like mine, then hardening the web interface's TLS settings is pointless.
    My Cisco EPC3212 has an interface that is accessible from within the LAN via HTTP only. It has login credentials that can be googled and cannot be changed. Even if it were served via TLS (weak or strong), my network would not be more secure. Public knowledge cannot be undisclosed.



    So my question is: Does user3512967's modem's interface offer restriction-worthy control or confidential information that is not accessible via public knowledge? If it does not, then fixing it's TLS does not solve anything.






    share|improve this answer








    New contributor



    Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.

























      0














      If user3512967's modem is like mine, then hardening the web interface's TLS settings is pointless.
      My Cisco EPC3212 has an interface that is accessible from within the LAN via HTTP only. It has login credentials that can be googled and cannot be changed. Even if it were served via TLS (weak or strong), my network would not be more secure. Public knowledge cannot be undisclosed.



      So my question is: Does user3512967's modem's interface offer restriction-worthy control or confidential information that is not accessible via public knowledge? If it does not, then fixing it's TLS does not solve anything.






      share|improve this answer








      New contributor



      Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.























        0












        0








        0







        If user3512967's modem is like mine, then hardening the web interface's TLS settings is pointless.
        My Cisco EPC3212 has an interface that is accessible from within the LAN via HTTP only. It has login credentials that can be googled and cannot be changed. Even if it were served via TLS (weak or strong), my network would not be more secure. Public knowledge cannot be undisclosed.



        So my question is: Does user3512967's modem's interface offer restriction-worthy control or confidential information that is not accessible via public knowledge? If it does not, then fixing it's TLS does not solve anything.






        share|improve this answer








        New contributor



        Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        If user3512967's modem is like mine, then hardening the web interface's TLS settings is pointless.
        My Cisco EPC3212 has an interface that is accessible from within the LAN via HTTP only. It has login credentials that can be googled and cannot be changed. Even if it were served via TLS (weak or strong), my network would not be more secure. Public knowledge cannot be undisclosed.



        So my question is: Does user3512967's modem's interface offer restriction-worthy control or confidential information that is not accessible via public knowledge? If it does not, then fixing it's TLS does not solve anything.







        share|improve this answer








        New contributor



        Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.








        share|improve this answer



        share|improve this answer






        New contributor



        Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.








        answered yesterday









        DamianDamian

        1




        1




        New contributor



        Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.




        New contributor




        Damian is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.

























            user3512967 is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            user3512967 is a new contributor. Be nice, and check out our Code of Conduct.












            user3512967 is a new contributor. Be nice, and check out our Code of Conduct.











            user3512967 is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214513%2fbeing-told-my-network-isnt-pci-compliant-i-dont-even-have-a-server-do-i-ha%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            19. јануар Садржај Догађаји Рођења Смрти Празници и дани сећања Види још Референце Мени за навигацијуу

            Israel Cuprins Etimologie | Istorie | Geografie | Politică | Demografie | Educație | Economie | Cultură | Note explicative | Note bibliografice | Bibliografie | Legături externe | Meniu de navigaresite web oficialfacebooktweeterGoogle+Instagramcanal YouTubeInstagramtextmodificaremodificarewww.technion.ac.ilnew.huji.ac.ilwww.weizmann.ac.ilwww1.biu.ac.ilenglish.tau.ac.ilwww.haifa.ac.ilin.bgu.ac.ilwww.openu.ac.ilwww.ariel.ac.ilCIA FactbookHarta Israelului"Negotiating Jerusalem," Palestine–Israel JournalThe Schizoid Nature of Modern Hebrew: A Slavic Language in Search of a Semitic Past„Arabic in Israel: an official language and a cultural bridge”„Latest Population Statistics for Israel”„Israel Population”„Tables”„Report for Selected Countries and Subjects”Human Development Report 2016: Human Development for Everyone„Distribution of family income - Gini index”The World FactbookJerusalem Law„Israel”„Israel”„Zionist Leaders: David Ben-Gurion 1886–1973”„The status of Jerusalem”„Analysis: Kadima's big plans”„Israel's Hard-Learned Lessons”„The Legacy of Undefined Borders, Tel Aviv Notes No. 40, 5 iunie 2002”„Israel Journal: A Land Without Borders”„Population”„Israel closes decade with population of 7.5 million”Time Series-DataBank„Selected Statistics on Jerusalem Day 2007 (Hebrew)”Golan belongs to Syria, Druze protestGlobal Survey 2006: Middle East Progress Amid Global Gains in FreedomWHO: Life expectancy in Israel among highest in the worldInternational Monetary Fund, World Economic Outlook Database, April 2011: Nominal GDP list of countries. Data for the year 2010.„Israel's accession to the OECD”Popular Opinion„On the Move”Hosea 12:5„Walking the Bible Timeline”„Palestine: History”„Return to Zion”An invention called 'the Jewish people' – Haaretz – Israel NewsoriginalJewish and Non-Jewish Population of Palestine-Israel (1517–2004)ImmigrationJewishvirtuallibrary.orgChapter One: The Heralders of Zionism„The birth of modern Israel: A scrap of paper that changed history”„League of Nations: The Mandate for Palestine, 24 iulie 1922”The Population of Palestine Prior to 1948originalBackground Paper No. 47 (ST/DPI/SER.A/47)History: Foreign DominationTwo Hundred and Seventh Plenary Meeting„Israel (Labor Zionism)”Population, by Religion and Population GroupThe Suez CrisisAdolf EichmannJustice Ministry Reply to Amnesty International Report„The Interregnum”Israel Ministry of Foreign Affairs – The Palestinian National Covenant- July 1968Research on terrorism: trends, achievements & failuresThe Routledge Atlas of the Arab–Israeli conflict: The Complete History of the Struggle and the Efforts to Resolve It"George Habash, Palestinian Terrorism Tactician, Dies at 82."„1973: Arab states attack Israeli forces”Agranat Commission„Has Israel Annexed East Jerusalem?”original„After 4 Years, Intifada Still Smolders”From the End of the Cold War to 2001originalThe Oslo Accords, 1993Israel-PLO Recognition – Exchange of Letters between PM Rabin and Chairman Arafat – Sept 9- 1993Foundation for Middle East PeaceSources of Population Growth: Total Israeli Population and Settler Population, 1991–2003original„Israel marks Rabin assassination”The Wye River Memorandumoriginal„West Bank barrier route disputed, Israeli missile kills 2”"Permanent Ceasefire to Be Based on Creation Of Buffer Zone Free of Armed Personnel Other than UN, Lebanese Forces"„Hezbollah kills 8 soldiers, kidnaps two in offensive on northern border”„Olmert confirms peace talks with Syria”„Battleground Gaza: Israeli ground forces invade the strip”„IDF begins Gaza troop withdrawal, hours after ending 3-week offensive”„THE LAND: Geography and Climate”„Area of districts, sub-districts, natural regions and lakes”„Israel - Geography”„Makhteshim Country”Israel and the Palestinian Territories„Makhtesh Ramon”„The Living Dead Sea”„Temperatures reach record high in Pakistan”„Climate Extremes In Israel”Israel in figures„Deuteronom”„JNF: 240 million trees planted since 1901”„Vegetation of Israel and Neighboring Countries”Environmental Law in Israel„Executive branch”„Israel's election process explained”„The Electoral System in Israel”„Constitution for Israel”„All 120 incoming Knesset members”„Statul ISRAEL”„The Judiciary: The Court System”„Israel's high court unique in region”„Israel and the International Criminal Court: A Legal Battlefield”„Localities and population, by population group, district, sub-district and natural region”„Israel: Districts, Major Cities, Urban Localities & Metropolitan Areas”„Israel-Egypt Relations: Background & Overview of Peace Treaty”„Solana to Haaretz: New Rules of War Needed for Age of Terror”„Israel's Announcement Regarding Settlements”„United Nations Security Council Resolution 497”„Security Council resolution 478 (1980) on the status of Jerusalem”„Arabs will ask U.N. to seek razing of Israeli wall”„Olmert: Willing to trade land for peace”„Mapping Peace between Syria and Israel”„Egypt: Israel must accept the land-for-peace formula”„Israel: Age structure from 2005 to 2015”„Global, regional, and national disability-adjusted life years (DALYs) for 306 diseases and injuries and healthy life expectancy (HALE) for 188 countries, 1990–2013: quantifying the epidemiological transition”10.1016/S0140-6736(15)61340-X„World Health Statistics 2014”„Life expectancy for Israeli men world's 4th highest”„Family Structure and Well-Being Across Israel's Diverse Population”„Fertility among Jewish and Muslim Women in Israel, by Level of Religiosity, 1979-2009”„Israel leaders in birth rate, but poverty major challenge”„Ethnic Groups”„Israel's population: Over 8.5 million”„Israel - Ethnic groups”„Jews, by country of origin and age”„Minority Communities in Israel: Background & Overview”„Israel”„Language in Israel”„Selected Data from the 2011 Social Survey on Mastery of the Hebrew Language and Usage of Languages”„Religions”„5 facts about Israeli Druze, a unique religious and ethnic group”„Israël”Israel Country Study Guide„Haredi city in Negev – blessing or curse?”„New town Harish harbors hopes of being more than another Pleasantville”„List of localities, in alphabetical order”„Muncitorii români, doriți în Israel”„Prietenia româno-israeliană la nevoie se cunoaște”„The Higher Education System in Israel”„Middle East”„Academic Ranking of World Universities 2016”„Israel”„Israel”„Jewish Nobel Prize Winners”„All Nobel Prizes in Literature”„All Nobel Peace Prizes”„All Prizes in Economic Sciences”„All Nobel Prizes in Chemistry”„List of Fields Medallists”„Sakharov Prize”„Țara care și-a sfidat "destinul" și se bate umăr la umăr cu Silicon Valley”„Apple's R&D center in Israel grew to about 800 employees”„Tim Cook: Apple's Herzliya R&D center second-largest in world”„Lecții de economie de la Israel”„Land use”Israel Investment and Business GuideA Country Study: IsraelCentral Bureau of StatisticsFlorin Diaconu, „Kadima: Flexibilitate și pragmatism, dar nici un compromis în chestiuni vitale", în Revista Institutului Diplomatic Român, anul I, numărul I, semestrul I, 2006, pp. 71-72Florin Diaconu, „Likud: Dreapta israeliană constant opusă retrocedării teritoriilor cureite prin luptă în 1967", în Revista Institutului Diplomatic Român, anul I, numărul I, semestrul I, 2006, pp. 73-74MassadaIsraelul a crescut in 50 de ani cât alte state intr-un mileniuIsrael Government PortalIsraelIsraelIsraelmmmmmXX451232cb118646298(data)4027808-634110000 0004 0372 0767n7900328503691455-bb46-37e3-91d2-cb064a35ffcc1003570400564274ge1294033523775214929302638955X146498911146498911

            Кастелфранко ди Сопра Становништво Референце Спољашње везе Мени за навигацију43°37′18″ СГШ; 11°33′32″ ИГД / 43.62156° СГШ; 11.55885° ИГД / 43.62156; 11.5588543°37′18″ СГШ; 11°33′32″ ИГД / 43.62156° СГШ; 11.55885° ИГД / 43.62156; 11.558853179688„The GeoNames geographical database”„Istituto Nazionale di Statistica”проширитиууWorldCat156923403n850174324558639-1cb14643287r(подаци)