Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: Patricia Vendt <patricia.vendt () WRIGHT EDU>
Date: Thu, 25 Mar 2010 10:26:05 -0400
Apologies for the missent message... Eric C. Lukens wrote:
I should add to my post, if your employees are handling a CC as part of their job duties, whatever they touch is in-scope. I was thinking more of the incidental use by employees/patrons.

-Eric

-------- Original Message --------
Subject: Re: [SECURITY] PCI and common access computers
From: Eric C. Lukens <eric.lukens () UNI EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 3/25/10 9:08 AM

I've asked that question too and it seems to boil down to the computer's purpose for being located where it is and what it is intended to be used for. As always, the QSA that audits you is entitled to their own opinion.

If the machine is purposefully located and intended for people to enter their CC on it, it's definitely in-scope.

If the machine is touted by your employees as being capable of online/electronic purchases for public use (public here includes anyone you'd sell services/products to), it's almost certainly in-scope.

If the machine is in a location where people are highly likely to think the computer is there for their online/electronic purchases, it's probably in-scope. Think of a public computer right next to a ticket counter. People see the long line and think, oh, I'll just go take care of it online instead.

If the machine is just there for people to use for whatever, and somebody decides, "Hey, I want to buy stuff online," then it's probably not in-scope, but you should still take some measures to protect security; otherwise you'd probably still be called out on a breach.

I got the impression from our QSA that if there are "public" computers that still require username/password to get into, and they're located all over campus for general use, those would not likely be considered an in-scope system--just like computer labs. That said, getting a QSA to say anything definitively is like trying to nail Jello to the ceiling.

-Eric

-------- Original Message --------
Subject: [SECURITY] PCI and common access computers
From: Flynn, Gary <flynngn () JMU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 3/25/10 8:45 AM

It has been suggested that these types of computers that people could use to perform credit card transactions may be in-scope for PCI compliance requirements. Anyone heard anything like that? I don't see how it could ever work as you couldn't restrict the access to the credit card requesting sites because they could be anywhere. And you really couldn't reliably prevent people from typing them either.

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/