Educause Security Discussion mailing list archives

Re: PCI and common access computers


From: Patricia Vendt <patricia.vendt () WRIGHT EDU>
Date: Thu, 25 Mar 2010 10:25:21 -0400

allan.boggs () wright edu
angie.tipton () wright edu
arthur.neff () wright edu
becky.rodriguez () wright edu
carol.vuckovich () wright edu
cassie.dorsten () wright edu
caye.elmore () wright edu
chialung.cheng () wright edu
dave.darr () wright edu
debbie.kimpton () wright edu
dena.kramer () wright edu
emily.hamman () wright edu
farest.wedig () wright edu
glen.jones () wright edu
jacqueline.robinson () wright edu
jamie.norris () wright edu
jeff.ulliman () wright edu
jerry.black () wright edu
jill.oroszi () wright edu
joanne.jones () wright edu
john.bale () wright edu
john.mbagwu () wright edu
john.siehl () wright edu
john.white () wright edu
karen.laycock () wright edu
karin.duchesne () wright edu
kathy.morris () wright edu
keith.ralston () wright edu
kevin.watson () wright edu
linda.sykes () wright edu
lisa.bleeke () wright edu
lisa.may () wright edu
lura.clapper () wright edu
magdalena.chojna () wright edu
matthew.filipic () wright edu
nancy.pestian () wright edu
nycia.papillion () wright edu
pam.davis () wright edu
rick.zech () wright edu
robert.batson () wright edu
roberta.boyd () wright edu
roberta.donaldson () wright edu
ryan.black () wright edu
ryan.fendley () wright edu
sandra.hunley () wright edu
sara.hill () wright edu
sheri.coyle () wright edu
sommer.todd () wright edu
steven.brown () wright edu
steven.c.johnson () wright edu
steven.sherbet () wright edu
suganya.sundaram () wright edu
suzy.zech () wright edu
thomas.bazzoli () wright edu
tina.heigel () wright edu
tracey.mckellar () wright edu
vicki.hilderbrand () wright edu
vicky.davidson () wright edu
wetona.walchner () wright edu
william.polk () wright edu


Patrick Laughran wrote:
The exact wording from requirement 9.1.2 of the current PCI DSS is "Restrict physical access to publicly accessible network jacks".  This is 
taken from self-assessment questionnaire "C".  I'm not sure if this also is within scope for "B".


-P

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen 
[zjanse20 () CALVIN EDU]
Sent: Thursday, March 25, 2010 10:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

Are you saying that because people could buy stuff with credit cards from these common access computers they need to be 
PCI compliant? This argument makes no sense to me; customer computers are not in scope for PCI, and I believe these 
would have to be considered customer computers unless your employees are using them to store, process, or transmit 
transactions in the performance of their duties with the university.

I would separate them so they don't have access to your internal card holder networks. Like any other machine in the 
world, they should have access to the external public facing side.

However, I'm certainly no authority on PCI; you should confirm your setup with your merchant bank or QSA. They should 
be able to answer that for you after learning all the details of your setup.

Zach





--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 3/25/2010 at 9:45 AM, in message
<08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>, "Flynn,
Gary" <flynngn () JMU EDU> wrote:
It has been suggested that these types of computers that people could use
to perform credit card transactions may be in scope for PCI compliance
requirements. Anyone heard anything like that? I don't see how it could
ever work, as you couldn't restrict the access to the credit card requesting
sites because they could be anywhere. And you really couldn't reliably
prevent people from typing them either.
