Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Thu, 25 Mar 2010 09:08:58 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've asked that question too, and it seems to boil down to the computer's purpose for being located where it is and what it is intended to be used for. As always, the QSA that audits you is entitled to their own opinion.

If the machine is purposefully located and intended for people to enter their CC on it, it's definitely in-scope.

If the machine is touted by your employees as being capable of online/electronic purchases for public use (public here includes anyone you'd sell services/products to), it's almost certainly in-scope.

If the machine is in a location where people are highly likely to think the computer is there for their online/electronic purchases, it's probably in-scope. Think of a public computer right next to a ticket counter. People see the long line and think, "Oh, I'll just go take care of it online instead."

If the machine is just there for people to use for whatever, and somebody decides, "Hey, I want to buy stuff online," then it's probably not in-scope, but you should still take some measures to protect security; otherwise you'd probably still be called out on a breach.

I got the impression from our QSA that if there are "public" computers that still require username/password to get into, and they're located all over campus for general use, those would not likely be considered an in-scope system--just like computer labs.

That said, getting a QSA to say anything definitively is like trying to nail Jello to the ceiling.

-Eric

-------- Original Message --------
Subject: [SECURITY] PCI and common access computers
From: Flynn, Gary <flynngn () JMU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 3/25/10 8:45 AM

It has been suggested that these types of computers that people could use to perform credit card transactions may be in-scope for PCI compliance requirements. Anyone heard anything like that? I don't see how it could ever work, as you couldn't restrict access to the credit card requesting sites because they could be anywhere. And you really couldn't reliably prevent people from typing them either.

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkurbnoACgkQN+w4PqsMNp0sWgCfZhCp5GWMNXzUZvVR1nPDgdds
8+AAnjGaJrYO8m289IWhR05fGNvQmqZ5
=2Ohs
-----END PGP SIGNATURE-----
Current thread:
- PCI and common access computers Flynn, Gary (Mar 25)
- <Possible follow-ups>
- Re: PCI and common access computers Chris Green (Mar 25)
- Re: PCI and common access computers Zach Jansen (Mar 25)
- Re: PCI and common access computers Patrick Laughran (Mar 25)
- Re: PCI and common access computers Ewing, Ashley (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
- Re: PCI and common access computers Basgen, Brian (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Mayne, Jim (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
(Thread continues...)