Re: PCI QUESTION

["McClenon, Brady" <Brady.McClenon () ONEONTA EDU>]

“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via 
network segmentation to isolate the website from all other systems)”

I don’t find this verbiage in the PCI-DSS 3.2 or any of the associated SAQs.  Where do you find it?


Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, 
Keith
Sent: Tuesday, August 09, 2016 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI QUESTION



Barton, Robert W." <bartonrt () LEWISU EDU<mailto:bartonrt () LEWISU EDU>> has asked how people are interpreting the 
following statement
“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via 
network segmentation to isolate the website from all other systems)”


What I have researched this to understand is that your e-commerce website must be physically off the College network so 
that other infected (non PCI scope) systems on the network cannot infect your PCI system (more importantly cannot 
infect your POS devices).  Even if you have a 3rd party providing the pages to input CC information, if the CC number 
goes over your network (i.e. the POS devices are connected to your network) it must be on its own physical network.  
This is an attempt by PCI SSC to limit POS malware infection.  As you know POS malware infection has been the major CC 
attack vector for the past few years.  A lot of institutions have move the CC processing to a third party in the cloud 
but still have a cashier function or POS devices connected to their network.  That does not cut it for the statement 
above.  The only way to not have the statement apply to the College is to move all CC processing to 3rd party and only 
have P2PE devices on your network.

I hope this helps answer your question.


Keith Conlee, JD, MS/BS, PCIP, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
conlee () cod edu<mailto:conlee () cod edu>


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
automatic digest system
Sent: Thursday, August 04, 2016 11:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)

There are 5 messages totalling 888 lines in this issue.

Topics of the day:

  1. Use of PIN for Self Service Password Reset
  2. PCI Question (3)
  3. 7 question survey on privileged access to sensitive data from Teachers
     College

----------------------------------------------------------------------

Date:    Thu, 4 Aug 2016 10:57:13 -0400
From:    Frank Barton <bartonf () HUSSON EDU<mailto:bartonf () HUSSON EDU>>
Subject: Re: Use of PIN for Self Service Password Reset

Steve, I would recommend against this - in effect you are proposing to create a 4-character password for folks to 
access their accounts

Frank

On Wed, Aug 3, 2016 at 5:52 PM, Steve Munson <smunson () marymount edu<mailto:smunson () marymount edu>> wrote:

> Thank you for the responses. The PIN I am referring to is for the user
> to confirm identify so that it "can be used ad-nauseam to reset".
>
>
> Steve
>
> On 8/3/16 4:33 PM, Thomas Carter wrote:
>
> In a past life in the corporate world, we used base 32 (
> https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The
> downside is communicating this to end users (I.E. the digit 1 will
> never occur because it’s too similar to the letter “eye” I.
>
>
>
> Thomas Carter
>
> Network & Operations Manager
>
> Austin College
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU
> <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>] *On Behalf Of *Frank Barton
> *Sent:* Wednesday, August 3, 2016 7:29 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* Re: [SECURITY] Use of PIN for Self Service Password Reset
>
>
>
> One Caveat that I would strongly suggest if you are using an
> alphanumeric PIN (and I'm not sure if you mean One-Time-Password, or a
> user set PIN that can be used ad-nauseam to reset) is to avoid the use
> of confusing characters (Il1oO0) unless you can control the interface
> in such a way as to make them very clearly distinct (upper case "I"
> having the top and bottom cross-bars, "0" having a center diagonal,
> etc)
>
>
>
> Frank
>
>
>
> On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu<mailto:smunson () marymount edu>>
> wrote:
>
> We are moving to a use of 4 character PIN for self service password
> reset and am interested to see what standards others have established for PINs.
> For example, we are considering setting the PIN requirement to be at
> least
> 2 characters and 2 numbers. We are planning to use alphanumeric PIN
> instead of numeric to provide opportunity for more PIN complexity
> versus numeric only but interested in feedback/perspective from this group.
>
>
> Regards,
>
> Steve Munson
>
>
> Executive Director, IT Services
>
> Marymount University
>
> Arlington, Virginia
>
>
>
>
>
> --
>
> Frank Barton
>
> ACMT
>
> IT Systems Administrator
>
> Husson University


--
Frank Barton
ACMT
IT Systems Administrator
Husson University

------------------------------

Date:    Thu, 4 Aug 2016 20:44:36 +0000
From:    "Barton, Robert W." <bartonrt () LEWISU EDU<mailto:bartonrt () LEWISU EDU>>
Subject: PCI Question

Afternoon,

We are working though our PCI DSS compliance, and I was wondering how people understood, and then implemented a 
solution for this statement.

“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via 
network segmentation to isolate the website from all other systems)”

The wording has led to a few questions, and I want to see what others are thinking/doing.  If you do not want to reply 
to the list, feel free to send me a private email.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

This message (including any attachments) is intended only for the use of the individual or entity to which it is 
addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from 
disclosure under applicable law or may constitute as attorney work product.
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of 
this communication is strictly prohibited. If you have received this communication in error, notify us immediately by 
telephone at (815)-836-5950 and
(i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.

Thank you.

------------------------------

Date:    Thu, 4 Aug 2016 20:49:55 +0000
From:    Charles Curtis <ccurtis () AUSTINCOLLEGE EDU<mailto:ccurtis () AUSTINCOLLEGE EDU>>
Subject: Re: PCI Question

For us this means that a transaction on our website immediately sends encrypted information to our 3rd party payment 
processor and there is never a College system involved nor unencrypted data anywhere on College computers/servers.


Charles Curtis
Executive Director of Information Technology Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu<http://www.austincollege.edu/<http://www.austincollege.edu%3chttp:/www.austincollege.edu/>>
[http://www.austincollege.edu/images/AusColl_Logo_Email.gif]



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barton, 
Robert W.
Sent: Thursday, August 4, 2016 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] PCI Question

Afternoon,

We are working though our PCI DSS compliance, and I was wondering how people understood, and then implemented a 
solution for this statement.

“Your e-commerce website is not connected to any other systems within your environment (this can be achieved via 
network segmentation to isolate the website from all other systems)”

The wording has led to a few questions, and I want to see what others are thinking/doing.  If you do not want to reply 
to the list, feel free to send me a private email.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

This message (including any attachments) is intended only for the use of the individual or entity to which it is 
addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from 
disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you 
are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
If you have received this communication in error, notify us immediately by telephone at (815)-836-5950 and (i) destroy 
this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.

------------------------------

Date:    Thu, 4 Aug 2016 15:59:57 -0500
From:    Ted Wilder <twilder () MACALESTER EDU<mailto:twilder () MACALESTER EDU>>
Subject: Re: PCI Question

In the past, I've used direct-post (or other options available by credit card processor services) to move e-commerce 
sites out of PCI-DSS scope. The options available are dependent on your credit card processor.


Ted Wilder
Associate Director
Information Technology Services
Macalester College


On Thu, Aug 4, 2016 at 3:44 PM, Barton, Robert W. <bartonrt () lewisu edu<mailto:bartonrt () lewisu edu>>
wrote:

> Afternoon,
>
>
>
> We are working though our PCI DSS compliance, and I was wondering how
> people understood, and then implemented a solution for this statement.
>
>
>
> “Your e-commerce website is not connected to any other systems within
> your environment (this can be achieved via network segmentation to
> isolate the website from all other systems)”
>
>
>
> The wording has led to a few questions, and I want to see what others
> are thinking/doing.  If you do not want to reply to the list, feel
> free to send me a private email.
>
>
>
> Robert W. Barton
>
> Director of Information Security
>
> Lewis University
>
> One University Parkway
>
> Romeoville, IL  60446-2200
>
> 815-836-5663
>
> This message (including any attachments) is intended only for the use
> of the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential,
> and exempt from disclosure under applicable law or may constitute as
> attorney work product. If you are not the intended recipient, you are
> hereby notified that any use, dissemination, distribution, or copying
> of this communication is strictly prohibited. If you have received
> this communication in error, notify us immediately by telephone at
> (815)-836-5950 and (i) destroy this message if a facsimile or (ii)
> delete this message immediately if this is an electronic communication. Thank you.

------------------------------

Date:    Thu, 4 Aug 2016 22:29:13 -0400
From:    Lawrence Furnival <lrf10 () TC COLUMBIA EDU<mailto:lrf10 () TC COLUMBIA EDU>>
Subject: 7 question survey on privileged access to sensitive data from Teachers College

Teachers College CISO asks if anyone would like to take a short informal survey (2 minutes max) to collect ideas on 
what universities or colleges are doing about privileged access, legal holds etc. We will post the results here.

https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv 
<https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv>

Lawrence Furnival
Enterprise/Security Architect
Teachers College, Columbia University

"Доверяй, но проверяй.” — Ronald Reagan

------------------------------

End of SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
*************************************************************