Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 11:29:49 -0400
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen Sent: Thursday, March 25, 2010 10:01 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers Are you saying that because people could buy stuff with credit cards from these common access computers they need to be PCI compliant? This argument makes no sense to me, customer computers are not in scope for PCI
These would not be customer owned computers. These would be university owned computers made available to customers (students, staff, faculty, public, whomever depending on purpose and access requirements). and I believe these would have to be considered customer computers
unless your employees are using them to store, process, or transmit transactions in the performance of their duties with the university. I would separate them so they don't have access to your internal card holder networks. Like any other machine in the world, they should have access to the external public facing side. However, I'm certainly no authority on PCI, you should confirm your setup with your merchant bank, or QSA. They should be able to answer that for you after learning all the details of your setup. Zach -- Zach Jansen Information Security Officer Calvin College Phone: 616.526.6776 Fax: 616.526.8550On 3/25/2010 at 9:45 AM, in message<08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>, "Flynn, Gary" <flynngn () JMU EDU> wrote:It has been suggested that these types of computers that people coulduseto perform credit card transactions may be in-scope for PCIcompliancerequirements. Anyone heard anything like that? I don't see how itcouldever work as you couldn't restrict the access to the credit cardrequestingsites because they could be anywhere. And you really couldn'treliablyprevent people from typing them either.
Current thread:
- Re: PCI and common access computers, (continued)
- Re: PCI and common access computers Chris Green (Mar 25)
- Re: PCI and common access computers Zach Jansen (Mar 25)
- Re: PCI and common access computers Patrick Laughran (Mar 25)
- Re: PCI and common access computers Ewing, Ashley (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
- Re: PCI and common access computers Basgen, Brian (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Mayne, Jim (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
- Re: PCI and common access computers John Ladwig (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Ewing, Ashley (Mar 25)
- Re: PCI and common access computers Patrick Ouellette (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)