Educause Security Discussion mailing list archives

Re: PCI DSS interpretation questions


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Wed, 11 Jun 2008 11:07:31 -0700

With regard to 8.3, two-factor authentication standard definition is "something you know and something you have." 
Something you know is a password or passphrase or some other secret. Something you have is a keycard (token), 
fingerprint or iris (biometric), RSA card--something physical (maybe with a certificate) and difficult to duplicate. 
Two-factor would definitely _not_ be two passwords or two fingerprints. The idea is to reduce the possibility of 
impersonation and increase the confidence in the identity.

1.3.9 is one of those things that may be workable or not depending on the political climate of your organization. As 
for are personally owned computers in the scope for compliance? Yes, so long as they are used to access the portion of 
your network where transaction processing involving credit cards is done. This is where you need to look at the policy 
you have in place and what controls it addresses for use of personally owned equipment to conduct financial 
transactions--or even be in the same network segment where financial transactions are conducted.

This can get dicey for some small colleges where the network is flat and administrative, cashiering and student 
activities are not separated.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu
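As an added illustration of the 8.3 point above (not code from either poster or from the PCI council): a login check that accepts only a knowledge factor (password) plus a possession factor (a time-based one-time code from a token or phone app, RFC 6238), so that two passwords never count as two factors. User names, passwords and the token seed are constructed for the demo; the seed is the RFC 6238 test seed, and the salt derivation and verifier are simplified assumptions for a self-contained example.

```python
"""Two-factor verification: knowledge (password) + possession (TOTP token).

Added example for the 8.3 discussion; all user data below is constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

# Each credential type belongs to exactly one factor category.  Two credentials
# from the same category (e.g. two passwords) do not make a second factor.
FACTOR_CLASS = {"password": "knowledge", "totp": "possession"}

_USERS = {}  # username -> {"salt", "pw_hash", "seed"}; constructed demo store


def register(username, password, totp_seed_b32):
    """Store a salted PBKDF2 password hash and the decoded base32 TOTP seed."""
    # Demo-only salt; a real system would draw a random per-user salt.
    salt = hashlib.sha256(b"salt:" + username.encode()).digest()[:16]
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _USERS[username] = {
        "salt": salt,
        "pw_hash": pw_hash,
        "seed": base64.b32decode(totp_seed_b32, casefold=True),
    }


def totp(seed, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing t."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_password(username, password):
    user = _USERS.get(username)
    if user is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(cand, user["pw_hash"])


def verify_totp(username, code, t=None, window=1):
    """Accept the code for the current step or +/- `window` steps (clock drift)."""
    user = _USERS.get(username)
    if user is None:
        return False
    now = time.time() if t is None else t
    return any(
        hmac.compare_digest(totp(user["seed"], now + d * 30), code)
        for d in range(-window, window + 1)
    )


def authenticate(username, presented, t=None):
    """presented: list of (credential_type, value) pairs.

    Returns True only when verified credentials span at least two distinct
    factor categories.  A repeated category adds nothing, so two passwords
    (or two codes) fail even if both are correct.
    """
    verified_classes = set()
    for kind, value in presented:
        if kind == "password" and verify_password(username, value):
            verified_classes.add(FACTOR_CLASS[kind])
        elif kind == "totp" and verify_totp(username, value, t=t):
            verified_classes.add(FACTOR_CLASS[kind])
    return len(verified_classes) >= 2


if __name__ == "__main__":
    # Constructed user; seed is the RFC 6238 test seed "12345678901234567890".
    register("alice", "correct horse battery", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(_USERS["alice"]["seed"], t=59)
    print("password + token:", authenticate("alice", [("password", "correct horse battery"), ("totp", code)], t=59))
    print("two passwords:   ", authenticate("alice", [("password", "correct horse battery"), ("password", "correct horse battery")], t=59))
```

The drift window of one step is the usual compromise between usability and replay exposure; a production verifier would also reject a code that has already been used within its window.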

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of CTSO 
(Michael A. Rodriguez)
Sent: Wednesday, June 11, 2008 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS interpretation questions

I would appreciate interpretations on the following PCI items.

8.3. Is two-factor authentication implemented for remote access to the network by employees, administrators, and third 
parties? Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller 
access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

On 8.3, I read it as a requirement for multi-factor authentication and not two instances of the same factor. Some folks 
around here are taking the word two-factor to refer to the latter.

1.3.9. Include installation of personal firewall software on any mobile and employee-owned computers with direct 
connectivity to the internet (for example, laptops used by employees), which are used to access the organization’s 
network?

This one is an interpretation of scope. The part about employee-owned concerns me as it would appear to imply 
installing stuff on personally owned computers. The bigger question is can requirements like this be interpreted to 
refer only to computers, networks or devices known to hold cardholder data? The same argument can be made for other 
requirements involving end point security like 6.1 on patching and 5.1 on anti-virus. I know the security answer is 
they are all in scope but what is the compliance answer?

Thanks,

--
Michael A. Rodriguez, CISSP
Chief Technology Security Officer
Western Illinois University
ma-rodriguez2 () wiu edu
