Educause Security Discussion mailing list archives

Re: PCI and common access computers


From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Thu, 25 Mar 2010 09:36:52 -0500

That sounds spot on.  The key question is whether the system is being used as part of a university business process in 
either a merchant or service provider context.  If the answer is yes, then it is likely in scope, if no, then likely 
not.  

Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA
Senior Security Consultant
Trustwave
bpenn () trustwave com
678-777-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the opinions of the author alone and do not necessarily 
reflect the opinions of Trustwave.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ewing, Ashley
Sent: Thursday, March 25, 2010 10:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

I have been told by our QSA, Trustwave and auditors at PwC that they are in scope.  An employee entering a credit card 
on a university owned machine going through a university network to the payment process on site or off site is in scope 
along with the path as part of a university payment process.  Not an individual making a personal purchase, but the 
ticketing office, advancement/alumni, continuing studies programs, etc., taking customer credit cards via phone, fax or 
paper.    

We are testing the use of a small PC that shares the keyboard, mouse and monitor with the primary desktop, and runs 
software that will lock down the device to the payment processes only on an isolated network segment (completely 
separate from any wireless network access).  This reduces the risk associated with email, web surfing and network 
sniffing.

Feel free to contact me offline if you have any questions. 

J. Ashley Ewing, CISSP, CISA
Information Security Officer
Office of Information Technology (OIT)
The University of Alabama
A314 Gordon Palmer Hall (Box 870346)
Tuscaloosa, AL 35487-0346
Office: 205-348-6524
Cell:     205-535-0335

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary
Sent: Thursday, March 25, 2010 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI and common access computers

It has been suggested that these types of computers that people could use
to perform credit card transactions may be in-scope for PCI compliance
requirements. Anyone heard anything like that? I don't see how it could
ever work as you couldn't restrict the access to the credit card requesting
sites because they could be anywhere. And you really couldn't reliably 
prevent people from typing them either.