Why Connecting to a VPS via Remote Desktop Violates the PCI DSS

If you connect to a “cloud” VPS using Remote Desktop without TLS or SSL and you swipe (or type) credit card numbers from your computer ‘up’ to software running on your VPS, your business is in violation of the PCI DSS [PDF].

The PCI DSS Guide states the following:

PCI DSS 4.1
Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

  • The Internet
  • Wireless technologies
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS)

In a configuration where your credit card swipe is connected to your PC and your credit card software (e.g. X-Charge) is on your PC, the cardholder data goes from the swipe, into X-Charge, and then X-Charge transmits data over SSL.

In a VPS configuration, X-Charge is no longer installed on your computer – no software is installed on your computer.  Instead, you connect to your VPS over an open, public network (i.e. the Internet) via Remote Desktop.  X-Charge is running on the VPS “up there,” away from your computer.  When you swipe the card, it goes through the swipe and out across the public Internet.  Remote Desktop does not utilize SSL.  Your system administrator must install and configure Secure RDS, configure SSL, etc.
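A check a system administrator can run against their own VPS before any card is swiped into the session. This is an added example, not code from the original post or from any product it mentions: it builds the X.224 Connection Request that opens every RDP connection, offers the server only the legacy, TLS-less PROTOCOL_RDP, and decodes the server's Connection Confirm. A listener configured to require TLS (or TLS with Network Level Authentication) refuses with an RDP_NEG_FAILURE; a listener that answers RDP_NEG_RSP with PROTOCOL_RDP, or sends no negotiation block at all, would carry the swipe data across the Internet without TLS. The sample responses at the bottom are constructed rather than captured, the hostname `vps.example.invalid` is a placeholder, and the function names are assumptions of this example.

```python
import socket
import struct

# Protocol flags from the RDP negotiation request/response (MS-RDPBCGR)
PROTOCOL_RDP = 0x00000000     # legacy "RDP Security Layer": no TLS at all
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # TLS plus CredSSP (Network Level Authentication)

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Failure codes that mean "the server will not run a session without TLS"
TLS_ENFORCED_CODES = {1, 5, 6}


def build_connection_request(requested_protocols: int) -> bytes:
    """X.224 Connection Request carrying an RDP_NEG_REQ, framed in TPKT."""
    cookie = b"Cookie: mstshash=pcicheck\r\n"  # routing cookie; the user name is arbitrary
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR code 0xE0, DST-REF, SRC-REF, class option, then cookie and negotiation request
    x224_body = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body       # length indicator excludes itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and any RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data length")
    if data[5] != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    if data[4] == 6:
        # No negotiation block at all: a legacy server that only does RDP Security Layer
        return {"type": "legacy", "selected_protocol": PROTOCOL_RDP}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("malformed negotiation structure")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": value}
    raise ValueError(f"unknown negotiation type 0x{ntype:02x}")


def evaluate_confirm(confirm: bytes) -> tuple:
    """(True, reason) when the server refused a TLS-less session, (False, reason) otherwise."""
    result = parse_connection_confirm(confirm)
    if result["type"] == "failure":
        code = result["failure_code"]
        name = FAILURE_CODES.get(code, f"code {code}")
        if code in TLS_ENFORCED_CODES:
            return True, f"server refused a TLS-less session ({name})"
        return False, f"negotiation failed for an unrelated reason ({name})"
    if result["type"] == "legacy":
        return False, "server only speaks legacy RDP Security Layer; no TLS is negotiated"
    if result["selected_protocol"] == PROTOCOL_RDP:
        return False, "server accepted PROTOCOL_RDP; swipe data would cross the Internet without TLS"
    return True, "server selected a TLS-based protocol"


def check_rdp_listener(host: str, port: int = 3389, timeout: float = 5.0) -> tuple:
    """Offer your own VPS only PROTOCOL_RDP and see whether it lets the session proceed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        header = sock.recv(4)
        if len(header) < 4:
            return False, "no TPKT header received"
        total = struct.unpack(">H", header[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = sock.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
    return evaluate_confirm(header + body)


# Constructed sample responses (not captured from a real server) so the check runs offline
LEGACY_CONFIRM = struct.pack(">BBH", 3, 0, 11) + b"\x06\xd0\x00\x00\x00\x00\x00"
TLS_REQUIRED_CONFIRM = (struct.pack(">BBH", 3, 0, 19) + b"\x0e\xd0\x00\x00\x12\x34\x00"
                        + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 1))
PLAIN_ACCEPTED_CONFIRM = (struct.pack(">BBH", 3, 0, 19) + b"\x0e\xd0\x00\x00\x12\x34\x00"
                          + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))

if __name__ == "__main__":
    for label, sample in [("legacy", LEGACY_CONFIRM), ("tls-required", TLS_REQUIRED_CONFIRM),
                          ("plain-accepted", PLAIN_ACCEPTED_CONFIRM)]:
        print(label, evaluate_confirm(sample))
    # Against your own VPS (placeholder hostname): check_rdp_listener("vps.example.invalid")
```

If the check comes back False on a Windows VPS, the fix is on the server side: set the RDP-Tcp listener's security layer to require TLS (and enable Network Level Authentication) and install a proper certificate, which is the "configure Secure RDS, configure SSL" step the post refers to. Re-run the check afterwards; the expected answer is an RDP_NEG_FAILURE of SSL_REQUIRED_BY_SERVER or HYBRID_REQUIRED_BY_SERVER.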

These are facts, and we share this sort of information because store owners are ultimately the ones held accountable for PCI DSS compliance. It’s common sense and best practice NOT to swipe credit cards across RDP. If best practice isn’t enough, then the PCI DSS should be.

I am a Software Developer, System Administrator, and consignment software specialist. I currently manage hundreds of consignment workstations, point of sale systems, and database servers all across North America, and I am the developer of Peeps' Software, Peeps2Go, and Peeps' Consignor Login for iOS and Android. I've been helping consignment & resale store owners since 2003. I started The Computer Peeps in February of 2010. Peeps' Software launched in 2016 and is now on hundreds of systems all across North America. I have successfully converted dozens of stores from all of the major consignment software systems. After 20 years of working with consignment stores, I understand the unique challenges consignment & resale store owners face, from electrical issues in old buildings or strip malls to advocating for them when their old consignment software keeps crashing.
