Educause Security Discussion mailing list archives
Re: PCI compliance on a university network
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Tue, 22 Dec 2009 09:05:06 -0600
FWIW: Our advice to clients has been to use two machines. Virtual machines at the desktop do not provide sufficient separation of the card and non-card functions.

On policies, we generally expect to see the following (at a minimum):

a. Acceptable Use Policy
b. Access Controls Policy
c. Asset Classification Policy
d. Business Continuity Planning
e. Computer and System Management
f. Configuration and Hardening Standards
g. Data Retention and Handling
h. Disaster Recovery
i. Firewall and Network Administration Policy
j. HR Hiring Practices
k. Legal contracts with third parties that handle credit card data
l. Device Patching Policy
m. Personnel Security
n. Physical Security
o. Security Training
p. System Development and Maintenance
q. Wireless Policy
r. Incident Response

Be sure that the policy statements, where appropriate, specifically call out protection of cardholder data. In many instances, PCI standards require that cardholder data measurements be called out in the documents, as opposed to a standardized statement.

Paul

========================================
Paul L. Kendall, PhD, CGEIT, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Chemical-terrorism Vulnerability Information (CVI) Authorized User
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Adinolfi
Sent: Tuesday, December 22, 2009 8:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

On Dec 22, 2009, at 09:12, Flynn, Gerald wrote:
> 6) Instead of giving people two computers, use virtual machines. Base machine will be treated as described above. A virtual machine on that machine will be used to perform non-card functions. The traffic associated with the virtual machine will have its own IP address.
I'm not too sure this would pass the scoping test. VMs are (fairly) trivial to escape from. If I were an auditor, I would not be happy with credit card transactions and out of scope usage happening on the same box. In general, we (Cornell) consider a VM to be an insufficient partitioning device. We are forcing folks to have separate hardware for their PCI-related activities. You may also want to look into pushing people to use Verifone-style card readers. For some applications, they only need to enter the credit card number once and never worry about it again. Using a telephone-based card swipe/pin-pad reduces the scope for them significantly. -Dan