Educause Security Discussion mailing list archives
Re: PCI compliance question
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Thu, 8 Jul 2010 16:47:38 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From my understanding (not a QSA, just working on our PCI project), I would agree with Kevin's assessment.

That said, in my opinion, if by some chance some CC numbers were breached via your "One Card" system *and* you take CC numbers via any other means anywhere in your institution, the QSAs and PCI Council will gladly find a way to make you responsible for the actions of others and fine you. In that case, the goal of the audit will be to find you non-compliant, and they will--since the non-compliant things they find don't have to be in any way related to the breach itself. As Visa's security officer has said, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." In my opinion, this either means everybody who has had a breach is not following PCI DSS (and it's the best security standard ever!), or the system is intentionally designed to deflect security problems onto the merchants and banks to protect the card brands. Which do you think is more likely?

Regardless, the QSAs talking about "safe harbor" for being compliant in the event of a breach are being a bit misleading. I'm not saying you shouldn't follow PCI--you agree to do so if you take credit cards. But you'll have to do your own risk assessment, maybe with a QSA, maybe without one, on where you're actually going to draw the lines in the sand--knowing that if something goes wrong, it will always be blamed on your institution.

- -Eric

- -------- Original Message --------
Subject: Re: [SECURITY] PCI compliance question
From: Kevin Hayes <krhayes () OAKLAND EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 7/8/2010 3:04 PM
The best quote I have heard regarding PCI compliance is that "You are compliant until there is a breach; then you are no longer compliant."

While the well-known mantra of PCI is anything that stores, transmits, or processes PCI data, at some point you have to define exactly what that consists of. What exactly *is* a PAN? If I throw 16 random digits together and transmit it across a network, does that mean it has to instantly become PCI compliant?

I think Joel hit the nail on the head when he said that it ties right back to the Merchant ID. If the *destination* of whatever data is being swiped/entered is a system that is somehow tied back to your merchant ID, then you have PCI scope to worry about. Otherwise the entire planet would be covered in PCI scope; if I put my CC into a standalone hotel door lock I should not expect my data to remain secure. If I swipe it at a POS terminal for a purchase, I should.

It would still be a good security practice to make sure that *any* system that gets magstripe reads is set to purge unknown data, but I have brought this subject up with our auditors and they were under the same impression that we only need to worry about PCI scope where it involves a Merchant ID that is issued to our University.

--Kevin

Kevin Hayes
Network Security Analyst
225 Dodge Hall
Oakland University
(248) 370-2546

On Jul 8, 2010, at 3:26 PM, Sarazen, Daniel wrote:

His machines ARE accepting the CC data. According to the poster, it's his servers that will reject the data. That means the system may be transmitting and storing the CC data. If we're talking strictly about compliance, then you're probably fine. If you're also talking about security, however, you may be in fact trapping and storing CC data.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Thursday, July 08, 2010 3:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

His machines are not accepting CCs .. they are accepting his own cards ... since they do not accept credit cards for those services, then despite the fact that people are putting the wrong card in the machine, they are not in PCI scope. Using your logic, any device with a card swipe would be in PCI scope, which is clearly not the case.

To be charged with a violation, there has to be an account - no account, no violation.

IMHO
Joel

--On Thursday, July 08, 2010 3:01 PM -0400 "Lazarus, Carolann" <lazarus () buffalo edu> wrote:

My issue with this is that he said the machines transmit the CC to the server. I'm not an expert, but I believe any transmission of CC falls under PCI, even if the transaction is rejected. The transmission has to be secure.

IMO
Carolann G Lazarus, CISA
716-829-6947
lazarus () buffalo edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Thursday, July 08, 2010 2:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

I am not a PCI expert, but I have been up to my eyeballs in PCI stuff for a while :-)

If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put that device in scope for PCI. If someone were to swipe their Visa card in your controlled access door swipes, and this were the case, then every door on your campus would suddenly become in scope for PCI.
The ultimate responsibility for PCI belongs to the organization that owns the MID for the account that will receive the income from that transaction - since there is no MID (Merchant ID) attached to your vending machines, there can be no PCI compliance.

In my opinion, I believe, and any other disclaimer :-)

My 2 cents

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob" <smithrj () LONGWOOD EDU> wrote:

We are struggling with a PCI compliance issue and have been asked to query this list. We have vending machines (drink, snack, laundry, etc.) on our network that are being set up for use with our university "one card" system. The readers on these machines will transmit and process our cards just fine. However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction.

The big question: are the vending machines considered in-scope for PCI? If so, that means a lot of other things will be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University
- --
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkw2R3oACgkQN+w4PqsMNp1YfACcDj3Ajh65r8ObACE9JmsNWCCK
E/cAn1oj2urPoDhVwyj96Y2/6IvCUL3R
=IdsL
-----END PGP SIGNATURE-----
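Two technical points in the thread above can be made concrete: Kevin's suggestion that any system taking magstripe reads should purge unknown data, and his question of what makes 16 digits a PAN rather than noise (a plausible PAN is 13 to 19 digits with a valid Luhn check digit). The following is an added example written for this archive page, not code from any of the posters or their institutions. The "one card" Track 2 layout, the 6001 prefix and the 9-digit ID length are made-up assumptions, and the sample swipes are constructed (4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real account).

```python
"""Swipe front end that whitelists the institution's own card and purges everything else.

Added example, not from the thread. Hypothetical assumptions:
- The institution's "one card" encodes Track 2 as ';' + 9-digit ID starting
  with '6001' + '=' + 4-digit expiry + '?'.
- Any other swipe is "unknown": the raw track is dropped here and never
  logged, stored or forwarded, so a stray credit card leaves nothing behind.
"""
import re
from dataclasses import dataclass
from typing import Optional

ONE_CARD_PREFIX = "6001"   # hypothetical institution prefix
ONE_CARD_LENGTH = 9        # hypothetical ID length

# ISO/IEC 7813 Track 2 shape: start sentinel, up to 19 digits, separator,
# expiry/service code/discretionary data, end sentinel.
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<rest>[^?]*)\?$")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: from the right, double every second digit,
    subtract 9 from doubled values above 9, and require a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Payment card PANs are 13-19 digits with a valid Luhn check digit;
    16 random digits usually fail this and are not a PAN."""
    return 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)


@dataclass
class SwipeResult:
    kind: str                 # "onecard", "unknown" or "malformed"
    account: Optional[str]    # populated only for institution cards
    payment_card_like: bool   # heuristic for metrics; never paired with the digits
    log_line: str             # safe to write to disk: carries no digits from the swipe


def handle_swipe(raw_track2: str) -> SwipeResult:
    m = TRACK2_RE.match(raw_track2)
    if not m:
        return SwipeResult("malformed", None, False, "swipe rejected: malformed track 2")
    pan = m.group("pan")
    # Whitelist first: only the institution's own format is ever returned.
    if pan.startswith(ONE_CARD_PREFIX) and len(pan) == ONE_CARD_LENGTH:
        return SwipeResult("onecard", pan, False, "swipe accepted: institution card")
    # Everything else is purged: the raw track is not returned, stored or forwarded.
    pan_like = looks_like_pan(pan)
    note = " (payment-card-like)" if pan_like else ""
    return SwipeResult("unknown", None, pan_like, "swipe rejected: unknown card" + note)


if __name__ == "__main__":
    # Constructed sample swipes: an institution card, a test credit card, random digits.
    for track in (";600112345=2512?", ";4111111111111111=2512101123456789?",
                  ";1234567890123456=2512?", "garbage"):
        print(handle_swipe(track).log_line)
```

The ordering matters: the institution format is matched first by prefix and length, and anything that is not an exact match is discarded before it reaches a log or the network, which addresses Daniel's concern about a rejecting server that has already been handed the data. The Luhn flag is kept only as a count of how often real payment cards are being swiped into the wrong reader; it is deliberately not stored together with any part of the number.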