TLS Protocol Session Renegotiation Security Vulnerability

cschumm

Junior Member
Dec 7, 2013
2
0
0
Hello everyone - I am new to this forum.

I have an office network of around 7 computers, none a server, that is trying to install a credit card scanner.

The company who is installing the credit card scanner told us we failed their scan due to TLS Protocol Session Renegotiation Security Vulnerability.

We are using a Cisco RV042 router, and beyond that it is a relatively simple peer-to-peer network, and secure, we thought.

We do have a bridge (one way) going to another network so that our office staff can print to a large network printer on the other network. So it is one way out and no way in.

I have tried researching this and so far don't have a clue. I am not an expert by any stretch.

Any help please.

Thanks
Chuck
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
Like Radicl said, this sounds like a vulnerability in the router firmware. I'd check for firmware updates/IOS updates available that address this issue. Best bet would be to call Cisco support and ask them directly about this vulnerability and your device.
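The scan finding in the first post refers to the TLS renegotiation weakness that RFC 5746 closes by adding a `renegotiation_info` extension (type 0xff01) and the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite value (0x00ff). A firmware update that fixes the finding is one whose TLS stack advertises that extension. The following Python script is an added example, not code from this thread or from Cisco: it builds a minimal ClientHello that signals secure renegotiation, parses a ServerHello to see whether the server answered with the extension, and classifies the status line that `openssl s_client` prints for the same check. The ServerHello bytes it parses are constructed inline for illustration; the host name and port in the comments are placeholders.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation (added example)."""
import struct
from typing import Dict, Optional

RENEGOTIATION_INFO = 0xFF01          # extension type from RFC 5746
RENEGOTIATION_SCSV = b"\x00\xff"     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV


def build_client_hello() -> bytes:
    """TLS 1.2 ClientHello that offers the SCSV and an empty renegotiation_info extension."""
    suites = b"\xc0\x2f" + RENEGOTIATION_SCSV   # ECDHE-RSA-AES128-GCM-SHA256 + SCSV
    ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"   # renegotiated_connection = <>
    body = (
        b"\x03\x03" + bytes(32)                  # version, client_random (zeros: constructed, not random)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(with_reneg_ext: bool) -> bytes:
    """Constructed sample ServerHello record, with or without the renegotiation_info extension."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if with_reneg_ext:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Walk a handshake record holding a ServerHello and return {extension_type: data}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip server_version and server_random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + 1                                  # skip cipher_suite and compression_method
    exts: Dict[int, bytes] = {}
    if pos >= len(body):                          # no extensions block at all
        return exts
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def server_supports_secure_renegotiation(record: bytes) -> bool:
    """True only if the ServerHello carries renegotiation_info with an empty
    renegotiated_connection, which is what RFC 5746 requires on an initial handshake."""
    return parse_server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"


def classify_openssl_s_client(output: str) -> Optional[str]:
    """Interpret the status line printed by `openssl s_client -connect HOST:PORT`."""
    for line in output.splitlines():
        if line.strip() == "Secure Renegotiation IS supported":
            return "rfc5746"
        if line.strip() == "Secure Renegotiation IS NOT supported":
            return "no-rfc5746"
    return None


if __name__ == "__main__":
    # Constructed exchange: the two ServerHello variants a scanner might see.
    for label, hello in (("patched", build_server_hello(True)), ("unpatched", build_server_hello(False))):
        print(label, "->", server_supports_secure_renegotiation(hello))
    # To check a real device, run from a machine outside the office (placeholder host:port):
    #   echo | openssl s_client -connect ROUTER_PUBLIC_IP:443 2>/dev/null | grep "Secure Renegotiation"
    # and feed the text to classify_openssl_s_client().
```

A result of "no-rfc5746" does not by itself prove the device is exploitable; some firmware simply disables renegotiation without advertising the extension. A compliance scanner, however, generally expects the extension to be present, so "rfc5746" is the state to aim for after the firmware update, and re-running the `openssl s_client` check after the update confirms the fix before asking the card processor to rescan.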
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I know this thread isn't specifically about PCI compliance, but I've found that the best way to implement Credit Card swipe machines at smaller offices is to get one that dials out through the phone line. Keep the thing off your data network. PCI compliance is not easy for a small office (and usually quite expensive), and using a telephone-based swipe machine is usually the best way to reduce scope and reduce the complexity of the PCI Self-Assessment Questionnaire that you need to fill out.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
seepy83 said:
I know this thread isn't specifically about PCI compliance, but I've found that the best way to implement Credit Card swipe machines at smaller offices is to get one that dials out through the phone line. Keep the thing off your data network. PCI compliance is not easy for a small office (and usually quite expensive), and using a telephone-based swipe machine is usually the best way to reduce scope and reduce the complexity of the PCI Self-Assessment Questionnaire that you need to fill out.

Makes me wonder how those little credit card scanners for smartphones are anywhere close to PCI compliant. Doesn't seem like much to sit outside somewhere using it and pluck card info right out of the air.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
seepy83 said:
I know this thread isn't specifically about PCI compliance, but I've found that the best way to implement Credit Card swipe machines at smaller offices is to get one that dials out through the phone line. Keep the thing off your data network. PCI compliance is not easy for a small office (and usually quite expensive), and using a telephone-based swipe machine is usually the best way to reduce scope and reduce the complexity of the PCI Self-Assessment Questionnaire that you need to fill out.

I'm not sure if it's still the case, but about 7-8 years ago our processor gave a decent discount for doing IP-based CC auth; dialup was a more expensive option by far when you are looking at something like 0.25%-0.50% per transaction more.
 

cschumm

Junior Member
Dec 7, 2013
2
0
0
Thanks everyone for your input.

Turns out our office has two networks, one public and one private.

Our office manager gave the Credit Card Co that ran the test the IP address for the Public network. Now that they know the correct IP address for the Private network they are going to rerun the test.

But so far my investigation is pointing to the Cisco router.

I am now waiting on the results of the test on the correct (Private) network and will work from there.

Just want to say thanks to those who responded. It is appreciated.

Chuck