Re: PCI and common access computers

["Basgen, Brian" <bbasgen () PIMA EDU>]

 I think Eric has described this very well.

 I'm curious what steps and costs institutions have incurred to comply with this particular scenario. For multi-campus 
institutions, this particular requirement is quite onerous and challenging. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
> Sent: Thursday, March 25, 2010 7:09 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI and common access computers
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've asked that question too and it seems to boil down to the
> computer's
> purpose for being located where it is and what it is intended to be
> used
> for. As always, the QSA that audits you is entitled to their own
> opinion.
>
> If the machine is purposefully located and intended for people to enter
> their CC on it, its definitely in-scope.
>
> If the machine is touted by your employees as being capable of
> online/electronic purchases for public use (public here includes anyone
> you'd sell services/products to), its almost certainly in-scope.
>
> If the machine is in a location where people are highly-likely to think
> the computer is there for their online/electronic purchases, its
> probably in-scope.  Think of a public computer right next to a ticket
> counter.  People see the long line and think, oh, I'll just go take
> care
> of it online instead.
>
> If the machine is just there for people to use for whatever, and
> somebody decides, "Hey, I want to buy stuff online." Then its probably
> not in-scope, but you should still take some measures to protect
> security, otherwise you'd probably still be called out on a breach.
>
> I got the impression from our QSA that if there are "public" computers
> that still require username/password to get into, and they're located
> all over campus for general use, those would not likely be considered
> an
> in-scope system--just like computer labs.
>
> That said, getting a QSA to say anything definitively is like trying to
> nail Jello to the ceiling.
>
> - -Eric
>
> - -------- Original Message  --------
> Subject: [SECURITY] PCI and common access computers
> From: Flynn, Gary <flynngn () JMU EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Date: 3/25/10 8:45 AM
>
> > It has been suggested that these types of computers that people could
> use
> > to perform credit card transactions may be in-scope for PCI
> compliance
> > requirements. Anyone heard anything like that? I don't see how it
> could
> > ever work as you couldn't restrict the access to the credit card
> requesting
> > sites because they could be anywhere. And you really couldn't
> reliably
> > prevent people from typing them either.
>
> - --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.10 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkurbnoACgkQN+w4PqsMNp0sWgCfZhCp5GWMNXzUZvVR1nPDgdds
> 8+AAnjGaJrYO8m289IWhR05fGNvQmqZ5
> =2Ohs
> -----END PGP SIGNATURE-----