Educause Security Discussion mailing list archives

Re: PCI compliance on a university network


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 22 Dec 2009 09:51:46 -0500

On Dec 22, 2009, at 09:12, Flynn, Gerald wrote:

> 6) Instead of giving people two computers, use virtual machines.
>   Base machine will be treated as described above. A virtual machine
>   on that machine will be used to perform non-card functions. The
>   traffic associated with the virtual machine will have its own
>   IP address.

I'm not too sure this would pass the scoping test.  VMs are (fairly)
trivial to escape from.  If I were an auditor, I would not be happy
with credit card transactions and out of scope usage happening on the
same box.  In general, we (Cornell) consider a VM to be an
insufficient partitioning device.  We are forcing folks to have
separate hardware for their PCI-related activities.

You may also want to look into pushing people to use Verifone-style
card readers.  For some applications, they only need to enter the
credit card number once and never worry about it again.  Using a
telephone-based card swipe/pin-pad reduces the scope for them
significantly.

-Dan
