[PeterisP]

It's kind of interesting, is it common for you to have Win10 systems in scope for PCI compliance?

It seems unusual to me if any desktop systems are anywhere close to card data, IMHO usually you'd have in scope only a bunch of servers (so, Linux or Windows Server for normal businesses who don't have a reason to wrestle mainframes) in an isolated network, but most of company computers including all the user desktops shouldn't have a way to touch in-scope data or systems in any way whatsoever, so if they're properly isolated (as they should be anyway) they would be out of scope for most of PCI DSS requirements.

[labcomputer]

Wouldn't call centers for online retailers need compliant desktops? How do they deal with customers who prefer to call an agent and read their card number over the phone?

[hobarrera]

I wouldn't assume these sort of desktops would even run windows at all.

A large BestBuy-like place here in Argentina has their sales terminals boot over PXE into some form of *nix straight to the sales systems with no real internet.

A bank nearby boots the account executive's systems right into KDE, on some pretty locked machines.

Windows 10 in any of those scenarios would be a laugh, I can't even being to think why someone would pick it for anything that requires security audits.

[posguy]

Its depressingly popular in the US for small & mid-size retailers and businesses. NCR, Loc, IT Retail, et all are built for Windows, and in the pharmacy arena you've got major companies like CVS using stuff from companies like Integra (not the telecom company, the pharmacy one) that thinks moving to SQL Server 2008 and C# with a full rewrite is the route to go for their major PCI compliant products.

It confounds me that locking yourself into a shrinking platform is what these players choose to do. Walmart doesn't use Windows in PCI related situations, nor do the big boys, all are on SLES running a POS atop that.

If your gonna do a rewrite, why lock yourself into one OS and into one database? Database connectors are a thing, and they aren't hard to use...

[hvidgaard]

In all fairness, writing in C# and targeting SQL Server is not locking you into Windows unless you use WPF or other Windows specific parts of the framework.

[posguy]

O_o

Sure, you can technically run C# on a Linux box (eg: Debian), but the last few times I had to (to interface with some point of sale hardware) I literally ended up just rewriting the driver in python. No desire to maintain something so foreign to the rest of the codebase when python can handle serial devices just fine.

Wrt not using a database connector, just why? Your literally locking yourself to the SQL Server licensing model, which blows up when you allow BYOD on every android phone, and they're all connecting back to your SQL server. Postgres and MariaDB meanwhile have no issues. Let alone if you hit the 10GB DB size cap, or need more than 1 cpu core or 1GB of ram to cache your database.

[hvidgaard]

Are you aware that .netcore natively runs on a variety of systems now?

If you make your systems such that you are dependent on SQL Server and cannot switch it to something else, then it's just a shame, but don't blame SQL Server for that. Besides, unless you have massive performance requirements, it should be behind an API anyway. It doesn't take much to code, and it increases modularity a lot.

[taspeotis]

Minor point but it's four cores now [1].

[1] https://www.microsoft.com/en-au/sql-server/sql-server-2016-e...

[slowmotiony]

Not sure why you're getting downvoted. We use .net core together with SQL Server on Linux boxes in production, no issues whatsoever and we can finally use a programming language which is actually pleasurable to code in.

[skrowl]

You know exactly why he's getting downvoted. Saying positive things about Microsoft is very unpopular here on HN.

[PeterisP]

Retailer customer service people generally do not need compliant desktops, because the systems they can access should not be storing protected data - maybe it would contain masked PAN i.e. the last four digits, but definitely nothing more.

For phone authorizations (if they are used - it may be a regional thing as most smaller online retailers here won't do it at all, banks really frown on merchants who do so because of risks and make it really expensive), generally the agent would use a similar interface as an online customer (encrypted channel, yadda yadda), and the card information would not be stored anywhere on that machine. Whether all kinds of PCI DSS security requirements would apply to these workstations is debatable, your mileage may vary, I've seen them considered out of scope - but in that case it wasn't really a call center for taking transactions but a support call center that might also handle a phone authorization in rare cases.

In any case, for a call center the biggest PCI compliance problem IMHO is handling the sensitive data in call recordings.

[snomad]

I lot of these places still use old fashioned terminals. The hardware is cheap, lasts years, and no PC headaches.