Educause Security Discussion mailing list archives

Re: PCI compliance on a university network


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Tue, 22 Dec 2009 09:05:06 -0600

FWIW: Our advice to clients has been to use two machines. Virtual machines at the desktop do not provide sufficient 
separation of the card and non-card functions.

On policies, we generally expect to see the following (at a minimum):
a.      Acceptable Use Policy
b.      Access Controls Policy
c.      Asset Classification policy
d.      Business Continuity Planning
e.      Computer and System Management
f.      Configuration and Hardening Standards
g.      Data Retention and Handling
h.      Disaster Recovery
i.      Firewall and Network Administration Policy
j.      HR Hiring Practices
k.      Legal contracts with third parties that handle credit card data
l.      Device Patching Policy
m.      Personnel Security
n.      Physical Security
o.      Security Training
p.      System Development and Maintenance
q.      Wireless Policy
r.      Incident Response

Be sure that the policy statements, where appropriate, specifically call out protection of cardholder data. In many 
instances, PCI standards require that cardholder data measurements be called out in the documents, as opposed to a 
standardized statement.

Paul
========================================
Paul L. Kendall, PhD, CGEIT, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Chemical-terrorism Vulnerability Information (CVI) Authorized User
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel 
Adinolfi
Sent: Tuesday, December 22, 2009 8:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

On Dec 22, 2009, at 09:12, Flynn, Gerald wrote:

6) Instead of giving people two computers, use virtual machines.
  Base machine will be treated as described above. A virtual machine
  on that machine will be used to perform non-card functions. The
  traffic associated with the virtual machine will have its own
  IP address.

I'm not too sure this would pass the scoping test.  VMs are (fairly)
trivial to escape from.  If I were an auditor, I would not be happy
with credit card transactions and out of scope usage happening on the
same box.  In general, we (Cornell) consider a VM to be an
insufficient partitioning device.  We are forcing folks to have
separate hardware for their PCI-related activities.

You may also want to look into pushing people to use Verifone-style
card readers.  For some applications, they only need to enter the
credit card number once and never worry about it again.  Using a
telephone-based card swipe/pin-pad reduces the scope for them
significantly.

-Dan
