- They run Active Directory on a Windows (XP Pro) network with around 30 computers.
- The wireless network was all WEP, restricted to just a few employees' use.
- All machines were locked down to give users as little access as possible.
- The one computer I reviewed had virus protection that had signatures 3+ months old.
- They use the WEP wireless network to send credit card information on a daily basis from one of the outlying massage centers to the main office.
- They are storing all credit cards for the last 10 years in a password-protected MS Access database that is on the network as well as in their registration system.
Now, I'm not a hands-on expert at network security. But I suggested that they stop storing so many (30,000+) credit cards for so long. It seemed foolish due to what I guessed was lax security and storage. Certainly far from PCI compliance.
So what do I do, call the PCI police? This resort is near and dear to my heart, but after taking me away from my vacation to help them review their systems, seeking my advice, ignoring it, and continuing to store my info, what is an AppSec geek to do?