Educause Security Discussion mailing list archives

Re: Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?


From: Brian Epstein <bepstein () IAS EDU>
Date: Mon, 22 Feb 2016 11:57:06 -0500

Hi Brian,

We haven't done any kiosks, but we do have an ATM that is set up
similarly.  It has worked well and allowed us to keep the
responsibility of the data off of our shoulders.

Thanks,
ep

On 02/22/2016 11:55 AM, Brian Griffith wrote:
We've toyed around with using iPads with cellular modems for this 
purpose (kiosks).  Encrypted, keeps it off our network, sandboxed,
etc. Has anybody gone this route or have positive or negative
feedback on that idea?

Thanks,

Brian W. Griffith
Information Security Officer
Whitman College
griffibw () whitman edu


On Mon, Feb 22, 2016 at 7:23 AM, David Sheryn <dsheryn () london edu> wrote:

Hi,

Like Kevin, I'm not a qualified ISA, but my understanding of the 
situation is as follows:

"If the payment page is securely hosted, and the CDN is properly
protected, then a kiosk machine on your network is no different
from a student using a computer at home to make the same payment."

The difference is that if the payment is solicited by your 
organisation AND you run the equipment on which you solicit the 
payment (or at least if your organisation 'advertises' or
'notifies' that you are providing equipment for the purpose of
making a payment) then it is *that* which puts the kiosk into scope
for your PCI compliance. The other key difference is that the
student's own PC is likely to only have their own CHD going through
it, whereas your kiosk is likely to have multiple people's CHD
going through it, making it a more fruitful place to attack.

"This kiosk would have to be pretty tightly controlled to ensure
no physical or software key loggers are installed, and routinely 
malware/virus scanned. I'd lock it down with GPO or a specialized 
software to ensure integrity."

Absolutely.  Or rebuild it every night with a known clean image?

"I assume there are other machines on your network where employees 
are able to enter CC#, isn't this the same basic concept?"

If employees are able to enter CHD (CC#) on a customer's behalf, 
then all of the infrastructure touched by the CHD, and everything 
connected directly to it, is in scope for PCI compliance.  Card 
Holder Data is very toxic, from a PCI compliance perspective...
:-/

Regards

--
David Sheryn | Information Security Specialist | Information Technology
London Business School | Regent's Park | London NW1 4SA | United Kingdom
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: 22 February 2016 14:50
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

Mandi,

While admittedly not a PCI expert, I think I know it pretty well.
I'm a bit confused as to what it is you are looking for.  If the
payment page is securely hosted, and the CDN is properly
protected, then a kiosk machine on your network is no different
from a student using a computer at home to make the same payment.

This kiosk would have to be pretty tightly controlled to ensure no 
physical or software key loggers are installed, and routinely 
malware/virus scanned. I'd lock it down with GPO or a specialized
software to ensure integrity.

I assume there are other machines on your network where employees 
are able to enter CC#, isn't this the same basic concept?

I guess I'm missing the part of PCI you are looking to satisfy
aside from those listed above?

-Kevin



From: Mandi Witkovsky <witkovsm () IPFW EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/18/2016 11:52 AM
Subject: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



We have a strong desire by administration to provide a payment
terminal/kiosk for students to make payments.  We have always had
issues providing a compliant kiosk, and in fact have stripped them
out of our environment because we don't have the manpower to
maintain it.

Is anyone using (or know of) hardware/service to outsource this 
functionality?

Thanks, mandi






- -- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78