Educause Security Discussion mailing list archives
Re: PCI QUESTION
From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Tue, 9 Aug 2016 18:37:13 +0000
“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems)”

I don’t find this verbiage in the PCI-DSS 3.2 or any of the associated SAQs. Where do you find it?

Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, Keith
Sent: Tuesday, August 09, 2016 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI QUESTION

"Barton, Robert W." <bartonrt () LEWISU EDU> has asked how people are interpreting the following statement:

“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems)”

What I have researched this to understand is that your e-commerce website must be physically off the College network so that other infected (non-PCI-scope) systems on the network cannot infect your PCI system (more importantly, cannot infect your POS devices). Even if you have a 3rd party providing the pages to input CC information, if the CC number goes over your network (i.e. the POS devices are connected to your network) it must be on its own physical network. This is an attempt by PCI SSC to limit POS malware infection. As you know, POS malware infection has been the major CC attack vector for the past few years. A lot of institutions have moved the CC processing to a third party in the cloud but still have a cashier function or POS devices connected to their network. That does not cut it for the statement above. The only way to not have the statement apply to the College is to move all CC processing to a 3rd party and only have P2PE devices on your network.
I hope this helps answer your question.

Keith Conlee, JD, MS/BS, PCIP, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599
Ph. - 630.942.3055
conlee () cod edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY automatic digest system
Sent: Thursday, August 04, 2016 11:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)

There are 5 messages totalling 888 lines in this issue.

Topics of the day:

  1. Use of PIN for Self Service Password Reset
  2. PCI Question (3)
  3. 7 question survey on privileged access to sensitive data from Teachers College

----------------------------------------------------------------------

Date: Thu, 4 Aug 2016 10:57:13 -0400
From: Frank Barton <bartonf () HUSSON EDU>
Subject: Re: Use of PIN for Self Service Password Reset

Steve,

I would recommend against this - in effect you are proposing to create a 4-character password for folks to access their accounts.

Frank

On Wed, Aug 3, 2016 at 5:52 PM, Steve Munson <smunson () marymount edu> wrote:
Thank you for the responses. The PIN I am referring to is for the user to confirm identity so that it "can be used ad-nauseam to reset".

Steve

On 8/3/16 4:33 PM, Thomas Carter wrote:

In a past life in the corporate world, we used base 32 (https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The downside is communicating this to end users (i.e. the digit 1 will never occur because it’s too similar to the letter “eye” I).

Thomas Carter
Network & Operations Manager
Austin College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Wednesday, August 3, 2016 7:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of PIN for Self Service Password Reset

One caveat that I would strongly suggest if you are using an alphanumeric PIN (and I'm not sure if you mean One-Time-Password, or a user-set PIN that can be used ad-nauseam to reset) is to avoid the use of confusing characters (Il1oO0) unless you can control the interface in such a way as to make them very clearly distinct (upper case "I" having the top and bottom cross-bars, "0" having a center diagonal, etc.).

Frank

On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu> wrote:

We are moving to the use of a 4 character PIN for self service password reset and I am interested to see what standards others have established for PINs. For example, we are considering setting the PIN requirement to be at least 2 characters and 2 numbers. We are planning to use an alphanumeric PIN instead of numeric to provide opportunity for more PIN complexity versus numeric only, but I am interested in feedback/perspective from this group.
Regards,

Steve Munson
Executive Director, IT Services
Marymount University
Arlington, Virginia

--
Frank Barton
ACMT
IT Systems Administrator
Husson University
------------------------------

Date: Thu, 4 Aug 2016 20:44:36 +0000
From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Subject: PCI Question

Afternoon,

We are working through our PCI DSS compliance, and I was wondering how people understood, and then implemented a solution for, this statement.

“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate the website from all other systems)”

The wording has led to a few questions, and I want to see what others are thinking/doing. If you do not want to reply to the list, feel free to send me a private email.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

------------------------------

Date: Thu, 4 Aug 2016 20:49:55 +0000
From: Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Subject: Re: PCI Question

For us this means that a transaction on our website immediately sends encrypted information to our 3rd party payment processor and there is never a College system involved nor unencrypted data anywhere on College computers/servers.
Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu
------------------------------

Date: Thu, 4 Aug 2016 15:59:57 -0500
From: Ted Wilder <twilder () MACALESTER EDU>
Subject: Re: PCI Question

In the past, I've used direct-post (or other options available by credit card processor services) to move e-commerce sites out of PCI-DSS scope. The options available are dependent on your credit card processor.

Ted Wilder
Associate Director
Information Technology Services
Macalester College

On Thu, Aug 4, 2016 at 3:44 PM, Barton, Robert W. <bartonrt () lewisu edu> wrote:
------------------------------

Date: Thu, 4 Aug 2016 22:29:13 -0400
From: Lawrence Furnival <lrf10 () TC COLUMBIA EDU>
Subject: 7 question survey on privileged access to sensitive data from Teachers College

Teachers College CISO asks if anyone would like to take a short informal survey (2 minutes max) to collect ideas on what universities or colleges are doing about privileged access, legal holds etc. We will post the results here.

https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv

Lawrence Furnival
Enterprise/Security Architect
Teachers College, Columbia University

"Trust, but verify." — Ronald Reagan

------------------------------

End of SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
*************************************************************
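The 4-character reset-PIN policy discussed in the quoted digest (at least 2 letters and 2 digits, Frank Barton's caveat about the confusable characters Il1oO0, and his point that such a PIN is effectively a 4-character password) can be both quantified and enforced. This is an added example, not code from any of the posters; the policy constants, the function names, and the decision to compare PINs case-insensitively (so excluding lowercase l also excludes L) are assumptions.

```python
# Constructed example (not any poster's code): model and enforce the 4-character
# reset-PIN policy from the thread: >= 2 letters, >= 2 digits, no confusable chars (Il1oO0).
# PINs are compared case-insensitively here, so excluding lowercase 'l' also excludes 'L'.
import math
import secrets
import string

PIN_LENGTH, MIN_LETTERS, MIN_DIGITS = 4, 2, 2
# Unambiguous alphabets after case-folding: 26 - {I, L, O} = 23 letters, 10 - {0, 1} = 8 digits
LETTERS = "".join(c for c in string.ascii_uppercase if c not in "ILO")
DIGITS = "".join(c for c in string.digits if c not in "01")

def keyspace(n_letters, n_digits, length=PIN_LENGTH,
             min_letters=MIN_LETTERS, min_digits=MIN_DIGITS):
    """Count PINs with >= min_letters letters and >= min_digits digits:
    sum over k letter positions of C(length, k) * n_letters^k * n_digits^(length-k)."""
    return sum(math.comb(length, k) * n_letters ** k * n_digits ** (length - k)
               for k in range(min_letters, length - min_digits + 1))

def bits(n):
    """Guessing entropy of a uniformly chosen PIN from a keyspace of size n."""
    return math.log2(n)

def is_valid_pin(pin):
    """Enforce length, composition and the no-confusable-characters rule (case-insensitive)."""
    pin = pin.upper()
    if len(pin) != PIN_LENGTH:
        return False
    letters = sum(c in LETTERS for c in pin)
    digits = sum(c in DIGITS for c in pin)
    # A confusable or non-alphanumeric character leaves letters + digits short of the length
    return (letters + digits == PIN_LENGTH
            and letters >= MIN_LETTERS and digits >= MIN_DIGITS)

def generate_pin():
    """Rejection-sample a CSPRNG PIN from the unambiguous alphabet until it meets the policy."""
    alphabet = LETTERS + DIGITS
    while True:
        pin = "".join(secrets.choice(alphabet) for _ in range(PIN_LENGTH))
        if is_valid_pin(pin):
            return pin

if __name__ == "__main__":
    # The proposed policy versus numeric-only and versus the unambiguous alphabet
    for label, n in (("4 digits only", keyspace(0, 10, min_letters=0, min_digits=4)),
                     ("2 letters + 2 digits, full alphabet", keyspace(26, 10)),
                     ("2 letters + 2 digits, no Il1oO0", keyspace(23, 8))):
        print(f"{label}: {n} PINs, {bits(n):.1f} bits of guessing entropy")
    print("sample PIN:", generate_pin())
```

Even the largest of these keyspaces is under 2^21, so whatever the composition rule, a reset PIN of this length only holds up if the reset endpoint rate-limits and locks out after a handful of failed attempts.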
Current thread:
- PCI Question Barton, Robert W. (Aug 04)
- Re: PCI Question Charles Curtis (Aug 04)
- Re: PCI Question Ted Wilder (Aug 04)
- <Possible follow-ups>
- Re: PCI QUESTION Conlee, Keith (Aug 09)
- Re: PCI QUESTION McClenon, Brady (Aug 09)
- Re: PCI QUESTION Kevin Reedy (Aug 09)
- Re: PCI QUESTION Velislav K Pavlov (Aug 09)
- Re: PCI QUESTION Hendra Hendrawan (Aug 09)
- Re: PCI QUESTION McClenon, Brady (Aug 09)