Educause Security Discussion mailing list archives
Re: mobile POS system
From: Scott Weyandt <scott.weyandt () MORANTECHNOLOGY COM>
Date: Tue, 5 Aug 2008 12:54:02 -0700
Mark,

Our experience is that a very limited number of our clients (educational institutions and businesses alike) utilize wireless with their payment applications.

Regarding a Point of Sale (PoS) application, this may fall under the scope of PABP, soon to be PA-DSS. These 2 standards apply to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorization or settlement, where these payment applications are sold or distributed to third parties. However, PABP and PA-DSS do not apply to payment software developed in-house (not sold to a third party); in this case it would be covered as part of the merchant's service provider's normal PCI DSS compliance.

Regarding wireless applications and payment applications using wireless technology, the wireless technology must be securely implemented. For wireless networks transmitting cardholder data, encrypt the transmission by using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC, VPN or SSL/TLS. Never rely exclusively on Wired Equivalent Privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, reference PCI DSS Requirement 4.1.1 for details of using WEP.

Experientially, most of the limited customers who use wireless technology for payment applications use a Unix platform and have excellent key management processes in place.

Hope this helps.
Scott

*****************************************************************
Scott Weyandt, PhD
Director, Security and Infrastructure Planning
Moran Technology Consulting
3306 Donna Drive
Carlsbad, CA 92008
877-214-2980 (Voice & Fax)
Website: www.MoranTechnology.com
*****************************************************************

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Tuesday, August 05, 2008 7:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] mobile POS system

Does anyone out there support mobile POS systems with PCI compliance? If so, what systems are you running, how do you handle the wireless networking, and what restrictions do you have on it? I have all of the official PCI guidelines; it just seems that wireless and PCI do not really mix.

Thank You,
Mark Monroe