Why Connecting to a VPS via Remote Desktop Violates the PCI DSS

If you connect to a “cloud” VPS using Remote Desktop without TLS or SSL and you swipe (or type) credit card numbers from your computer ‘up’ to software running on your VPS, your business is in violation of the PCI DSS [PDF].

The PCI DSS Guide states the following:

Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

  • The Internet
  • Wireless technologies
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS)

In a configuration where your credit card swipe is connected to your PC and your credit card software (e.g. X-Charge) is on your PC, the cardholder data goes from the swipe, into X-Charge, and then X-Charge transmits data over SSL.

In a VPS configuration, X-Charge is no longer installed on your computer; no software is installed on your computer. Instead, you connect to your VPS over an open, public network (i.e. the Internet) via Remote Desktop. X-Charge is running on the VPS “up there,” away from your computer. When you swipe the card, it goes through the swipe and out across the public Internet. Remote Desktop does not utilize SSL. Your system administrator must install and configure Secure RDS, configure SSL, etc.
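The following PowerShell function is an added example, not code from the original post or from Peeps' Software. Run on the Windows VPS itself (as Administrator), it reads the RDP listener's configured security layer, minimum encryption level and Network Level Authentication setting through the Win32_TSGeneralSetting WMI class, reports anything weaker than TLS, and with the -Fix switch raises the settings so that the session the card data travels over is TLS-protected. The listener name RDP-Tcp (the Windows Server default) and the function name are assumptions.

```powershell
function Test-RdpListenerSecurity {
    [CmdletBinding()]
    param(
        [string]$TerminalName = 'RDP-Tcp',   # assumed default listener name
        [switch]$Fix                          # raise settings to TLS / High / NLA
    )

    # Win32_TSGeneralSetting exposes the per-listener transport settings.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='$TerminalName'"
    if (-not $ts) { throw "RDP listener '$TerminalName' was not found." }

    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
    $layerNames = @{ 0 = 'RDP Security Layer (no TLS)'; 1 = 'Negotiate'; 2 = 'TLS' }
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    $encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }

    $findings = @()
    if ($ts.SecurityLayer -ne 2) {
        $findings += "SecurityLayer is '$($layerNames[[int]$ts.SecurityLayer])'; TLS is not required for the session."
    }
    if ($ts.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel is '$($encNames[[int]$ts.MinEncryptionLevel])'; set it to High or FIPS."
    }
    if (-not $ts.UserAuthenticationRequired) {
        $findings += 'Network Level Authentication is not required.'
    }

    # Heuristic: the auto-generated self-signed certificate lives in the
    # 'Remote Desktop' store. A certificate there cannot be verified by clients,
    # so a CA-issued certificate should be bound to the listener instead.
    $thumb = $ts.SSLCertificateSHA1Hash
    $selfSigned = $thumb -and (Test-Path "Cert:\LocalMachine\Remote Desktop\$thumb")
    if ($selfSigned) {
        $findings += "Listener uses the self-signed certificate $thumb; clients cannot verify the server identity."
    }

    if ($Fix) {
        # Same WMI class exposes setters for the three transport settings.
        Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
            -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null
        Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
            -Arguments @{ MinEncryptionLevel = [uint32]3 } | Out-Null
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
    }

    [pscustomobject]@{
        Listener            = $TerminalName
        SecurityLayer       = $layerNames[[int]$ts.SecurityLayer]
        MinEncryptionLevel  = $encNames[[int]$ts.MinEncryptionLevel]
        NLARequired         = [bool]$ts.UserAuthenticationRequired
        CertThumbprint      = $thumb
        SelfSignedCert      = [bool]$selfSigned
        Findings            = $findings
        Compliant           = ($findings.Count -eq 0)
    }
}

# Usage: audit only, then apply the fix and re-audit.
Test-RdpListenerSecurity
Test-RdpListenerSecurity -Fix | Select-Object SecurityLayer, NLARequired, Compliant
```

Settings changed with -Fix apply to new connections; existing sessions keep the transport they negotiated, so reconnect after the change. Binding a CA-issued certificate is a separate step (the SSLCertificateSHA1Hash property is set to the thumbprint of a certificate in the machine store) and is not done by this function.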

These are facts, and the reason we share this sort of information is that store owners are ultimately the ones held accountable for PCI DSS compliance. It is common sense and best practice NOT to swipe credit cards across RDP. If best practice isn't enough, then the PCI DSS should be.

I am a consignment software specialist, System Administrator for hundreds of consignment workstations across North America, and developer of Peeps' Software! I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. After 18+ years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their consignment software keeps crashing. I now manage hundreds of computer systems, servers & websites for store-owners all across North America and I am the developer/programmer of Peeps' Software -- the only software written FOR consignment & resale stores specifically.
