Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 25 Mar 2010 07:42:32 -0700
I think Eric has described this very well. I'm curious what steps and costs institutions have incurred to comply with this particular scenario. For multi-campus institutions, this particular requirement is quite onerous and challenging.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
Sent: Thursday, March 25, 2010 7:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've asked that question too and it seems to boil down to the computer's purpose for being located where it is and what it is intended to be used for. As always, the QSA that audits you is entitled to their own opinion.

If the machine is purposefully located and intended for people to enter their CC on it, it's definitely in-scope.

If the machine is touted by your employees as being capable of online/electronic purchases for public use (public here includes anyone you'd sell services/products to), it's almost certainly in-scope.

If the machine is in a location where people are highly likely to think the computer is there for their online/electronic purchases, it's probably in-scope. Think of a public computer right next to a ticket counter. People see the long line and think, oh, I'll just go take care of it online instead.

If the machine is just there for people to use for whatever, and somebody decides, "Hey, I want to buy stuff online," then it's probably not in-scope, but you should still take some measures to protect security, otherwise you'd probably still be called out on a breach.

I got the impression from our QSA that if there are "public" computers that still require username/password to get into, and they're located all over campus for general use, those would not likely be considered an in-scope system--just like computer labs. That said, getting a QSA to say anything definitively is like trying to nail Jello to the ceiling.
-Eric

-------- Original Message --------
Subject: [SECURITY] PCI and common access computers
From: Flynn, Gary <flynngn () JMU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 3/25/10 8:45 AM

It has been suggested that these types of computers that people could use to perform credit card transactions may be in-scope for PCI compliance requirements. Anyone heard anything like that? I don't see how it could ever work as you couldn't restrict the access to the credit card requesting sites because they could be anywhere. And you really couldn't reliably prevent people from typing them either.

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkurbnoACgkQN+w4PqsMNp0sWgCfZhCp5GWMNXzUZvVR1nPDgdds
8+AAnjGaJrYO8m289IWhR05fGNvQmqZ5
=2Ohs
-----END PGP SIGNATURE-----