If you connect to a “cloud” VPS using Remote Desktop without TLS or SSL and you swipe (or type) credit card numbers from your computer ‘up’ to software running on your VPS, your business is in violation of the PCI DSS [PDF].
The PCI DSS Guide states the following:
PCI DSS 4.1
Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:
- The Internet
- Wireless technologies
- Global System for Mobile communications (GSM)
- General Packet Radio Service (GPRS)
In a configuration where your credit card swipe is connected to your PC and your credit card software (e.g. X-Charge) is on your PC, the cardholder data goes from the swipe, into X-Charge, and then X-Charge transmits data over SSL.
In a VPS configuration, X-Charge is no longer installed on your computer – no software is installed on your computer. Instead, you connect to your VPS over an open, public network (i.e. the Internet) via Remote Desktop. X-Charge is running on the VPS “up there,” away from your computer. When you swipe the card, the cardholder data goes through the swipe and out across the public Internet. Remote Desktop does not use SSL/TLS on its own; your system administrator must install and configure Secure RDS, configure SSL, etc.
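As an added example (not from the original post), the following PowerShell audits the RDP-Tcp listener on the VPS for the settings that make Remote Desktop use TLS, and offers a remediation. It assumes the standard Terminal Server registry values and the Win32_TSGeneralSetting WMI class, run in an elevated Windows PowerShell session on the server itself.

```powershell
# Added example: audit whether the RDP listener enforces TLS + NLA, as PCI DSS 4.1
# expects for cardholder data crossing the Internet. Not part of the original post.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpTlsPosture {
    $ws = Get-ItemProperty -Path $key
    # SecurityLayer:      0 = legacy RDP security, 1 = negotiate, 2 = TLS required
    # UserAuthentication: 1 = Network Level Authentication (CredSSP) required
    # MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS-compliant
    [pscustomobject]@{
        SecurityLayer      = $ws.SecurityLayer
        NlaRequired        = [bool]$ws.UserAuthentication
        MinEncryptionLevel = $ws.MinEncryptionLevel
        # Only "TLS required" plus NLA rules out a fallback to unprotected RDP security
        TlsEnforced        = ($ws.SecurityLayer -eq 2) -and ($ws.UserAuthentication -eq 1)
    }
}

function Set-RdpTlsRequired {
    # Use the same WMI class the RDS tooling uses, so the change applies to the live listener
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SetSecurityLayer(2)              | Out-Null   # TLS only, no negotiation down to RDP security
    $ts.SetUserAuthenticationRequired(1) | Out-Null   # require NLA before a session is created
    $ts.SetEncryptionLevel(3)            | Out-Null   # High encryption level
}

$posture = Get-RdpTlsPosture
$posture | Format-List
if (-not $posture.TlsEnforced) {
    Write-Warning 'RDP listener accepts non-TLS connections; card data swiped over this session is exposed.'
    # Uncomment to remediate on the spot:
    # Set-RdpTlsRequired
}
```

Enforcing TLS on the listener is only half of the control: the default listener certificate is self-signed, so a client that clicks through certificate warnings is still exposed to an interposing host, and the listener should be given a certificate the clients actually trust.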
These are facts, and the reason we share this sort of information is that store owners are ultimately the ones held accountable for PCI DSS compliance. It’s common sense and best practice NOT to swipe credit cards across RDP. If best practice isn’t enough, then the PCI DSS should be.