Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: Patricia Vendt <patricia.vendt () WRIGHT EDU>
Date: Thu, 25 Mar 2010 10:25:21 -0400
Patrick Laughran wrote:
The exact wording from requirement 9.1.2 of the current PCI DSS is "Restrict physical access to publicly accessible network jacks". This is taken from self-assessment questionnaire "C". I'm not sure if this also is within scope for "B".

-P

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen [zjanse20 () CALVIN EDU]
Sent: Thursday, March 25, 2010 10:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

Are you saying that because people could buy stuff with credit cards from these common access computers they need to be PCI compliant? This argument makes no sense to me, customer computers are not in scope for PCI and I believe these would have to be considered customer computers unless your employees are using them to store, process, or transmit transactions in the performance of their duties with the university.

I would separate them so they don't have access to your internal card holder networks. Like any other machine in the world, they should have access to the external public facing side.

However, I'm certainly no authority on PCI, you should confirm your setup with your merchant bank, or QSA. They should be able to answer that for you after learning all the details of your setup.

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 3/25/2010 at 9:45 AM, in message <08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>, "Flynn, Gary" <flynngn () JMU EDU> wrote:

It has been suggested that these types of computers that people could use to perform credit card transactions may be in-scope for PCI compliance requirements. Anyone heard anything like that? I don't see how it could ever work as you couldn't restrict the access to the credit card requesting sites because they could be anywhere. And you really couldn't reliably prevent people from typing them either.