Educause Security Discussion mailing list archives

Re: PCI and common access computers


From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 11:36:20 -0400

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ewing, Ashley
Sent: Thursday, March 25, 2010 10:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

I have been told by our QSA, Trustwave and auditors at PwC that they
are in scope.  An employee entering a credit card on a university owned
machine going through a university network to the payment process on
site or off site is in scope along with the path as part of a
university payment process.  Not an individual making a personal
purchase, but the ticketing office, advancement/alumni, continuing
studies programs, etc., taking customer credit cards via phone, fax or
paper.

We are testing the use of a small PC that shares the keyboard, mouse
and monitor with the primary desktop, and runs software that will
lock down the device to the payment processes only on an isolated
network segment (completely separate from any wireless network access).
This reduces the risk associated with email, web surfing and network
sniffing.

Feel free to contact me offline if you have any questions.

We are also addressing these computers (ticket office, advancement, etc.).
We're providing second computers, generally from surplus, and putting
a dedicated Cisco ASA 5505 firewall in front of them.

But I was told that other computers, specifically general purpose kiosks, 
may also be in scope. Then I began wondering about lab computers. Or
computers that some offices make available as a convenience courtesy to 
students visiting their offices for some other service. It quickly gets
out of hand. But by strict definition, they would all be university owned 
computers through which students, faculty, staff, and/or the general 
public (in the libraries or during special events) may transmit credit 
cards.
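
A minimal allow-list configuration for the "dedicated firewall in front of the payment PC" approach described above, added here as an illustration and not JMU's or any list member's actual configuration. The interface names, VLANs and addresses are constructed placeholders from the documentation ranges, and PAYMENT_GATEWAY stands in for whatever payment processor host the office really uses; the only design point is that the payment segment can reach that host over HTTPS and a DNS resolver, and nothing else.

```cisco
! Constructed example: ASA 5505-style layout with the payment PC on Vlan1
! and the campus network on Vlan2. All addresses are placeholders.
hostname PAYMENT-ASA
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Placeholder for the payment processor's host (replace with the real one).
object network PAYMENT_GATEWAY
 host 203.0.113.10
!
! Inbound ACL on the inside interface: the payment segment may reach
! the processor over HTTPS and a campus DNS resolver; everything else
! (email, general web, the rest of the campus network) is denied and logged.
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 object PAYMENT_GATEWAY eq https
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.53 eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

The final deny with the log keyword is the part worth keeping: any attempt by the payment PC to reach a host outside the allow list shows up in the ASA syslog, which gives the office an audit trail for the "locked down to payment processes only" claim rather than relying on the desktop software alone.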

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary
Sent: Thursday, March 25, 2010 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI and common access computers

It has been suggested that these types of computers that people could use
to perform credit card transactions may be in-scope for PCI compliance
requirements. Anyone heard anything like that? I don't see how it could
ever work as you couldn't restrict the access to the credit card requesting
sites because they could be anywhere. And you really couldn't reliably
prevent people from typing them either.
