Educause Security Discussion mailing list archives
Re: PCI DSS interpretation questions
From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Wed, 11 Jun 2008 11:07:31 -0700
With regard to 8.3, the two-factor authentication standard definition is "something you know and something you have." Something you know is a password or passphrase or some other secret. Something you have is a keycard (token), fingerprint or iris (biometric), RSA card--something physical (maybe with a certificate) and difficult to duplicate. Two-factor would definitely _not_ be two passwords or two fingerprints. The idea is to reduce the possibility of impersonation and increase the confidence in the identity.

1.3.9 is one of those things that may be workable or not depending on the political climate of your organization.

As for whether personally owned computers are in the scope for compliance: yes, so long as they are used to access the portion of your network where transaction processing involving credit cards is done. This is where you need to look at the policy you have in place and what controls it addresses for use of personally owned equipment to conduct financial transactions--or even be in the same network segment where financial transactions are conducted. This can get dicey for some small colleges where the network is flat and administrative, cashiering and student activities are not separated.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () cis ctc edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of CTSO (Michael A. Rodriguez)
Sent: Wednesday, June 11, 2008 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS interpretation questions

I would appreciate interpretations on the following PCI items.

8.3. Is two-factor authentication implemented for remote access to the network by employees, administrators, and third parties? Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

On 8.3, I read it as a requirement for multi-factor authentication and not two instances of the same factor. Some folks around here are taking the word two-factor to refer to the latter.

1.3.9. Include installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the internet (for example, laptops used by employees), which are used to access the organization's network?

This one is an interpretation of scope. The part about employee-owned concerns me, as it would appear to imply installing stuff on personally owned computers. The bigger question is: can requirements like this be interpreted to refer only to computers, networks or devices known to hold cardholder data? The same argument can be made for other requirements involving end point security, like 6.1 on patching and 5.1 on anti-virus. I know the security answer is they are all in scope, but what is the compliance answer?

Thanks,
--
Michael A. Rodriguez, CISSP
Chief Technology Security Officer
Western Illinois University
ma-rodriguez2 () wiu edu