Re: PCI and common access computers

[Patricia Vendt <patricia.vendt () WRIGHT EDU>]

Apologies for the missent message...

Eric C. Lukens wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I should add to my post, if your employees are handling a CC as part of
> their job duties, whatever they touch is in-scope.  I was thinking more
> of the incidental use by employees/patrons.
>
> - -Eric
>
> - -------- Original Message  --------
> Subject: Re: [SECURITY] PCI and common access computers
> From: Eric C. Lukens <eric.lukens () UNI EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Date: 3/25/10 9:08 AM
>
> > I've asked that question too and it seems to boil down to the computer's
> > purpose for being located where it is and what it is intended to be used
> > for. As always, the QSA that audits you is entitled to their own opinion.
> >
> > If the machine is purposefully located and intended for people to enter
> > their CC on it, its definitely in-scope.
> >
> > If the machine is touted by your employees as being capable of
> > online/electronic purchases for public use (public here includes anyone
> > you'd sell services/products to), its almost certainly in-scope.
> >
> > If the machine is in a location where people are highly-likely to think
> > the computer is there for their online/electronic purchases, its
> > probably in-scope.  Think of a public computer right next to a ticket
> > counter.  People see the long line and think, oh, I'll just go take care
> > of it online instead.
> >
> > If the machine is just there for people to use for whatever, and
> > somebody decides, "Hey, I want to buy stuff online." Then its probably
> > not in-scope, but you should still take some measures to protect
> > security, otherwise you'd probably still be called out on a breach.
> >
> > I got the impression from our QSA that if there are "public" computers
> > that still require username/password to get into, and they're located
> > all over campus for general use, those would not likely be considered an
> > in-scope system--just like computer labs.
> >
> > That said, getting a QSA to say anything definitively is like trying to
> > nail Jello to the ceiling.
> >
> > -Eric
> >
> > -------- Original Message  --------
> > Subject: [SECURITY] PCI and common access computers
> > From: Flynn, Gary <flynngn () JMU EDU>
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Date: 3/25/10 8:45 AM
> >
> > > It has been suggested that these types of computers that people could use
> > > to perform credit card transactions may be in-scope for PCI compliance
> > > requirements. Anyone heard anything like that? I don't see how it could
> > > ever work as you couldn't restrict the access to the credit card requesting
> > > sites because they could be anywhere. And you really couldn't reliably
> > > prevent people from typing them either.
>
> - --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.10 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkurb34ACgkQN+w4PqsMNp3kzwCfSzIXhD8/831ibEWgpIiwQNn1
> 93YAnipO9zc7Yh6LG3Yg06EuBGEHqHVB
> =D2pF
> -----END PGP SIGNATURE-----