Educause Security Discussion mailing list archives

Re: PCI compliance question


From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Thu, 8 Jul 2010 16:47:38 -0500


From my understanding (not a QSA, just working on our PCI project), I
would agree with Kevin's assessment.  That said, in my opinion, if by
some chance some CC numbers were breached via your "One Card" system
*and* you take CC numbers via any other means anywhere in your
institution, the QSAs and PCI Council will gladly find a way to make you
responsible for the actions of others and fine you.  In that case, the
goal of the audit will be to find you non-compliant, and they
will--since the non-compliant things they find don't have to be in
any way related to the breach itself.

As Visa's security officer has said, "...no compromised entity has yet
been found to be in compliance with PCI DSS at the time of a breach."
In my opinion, this either means everybody who has had a breach is not
following PCI DSS (and it's the best security standard ever!), or the
system is intentionally designed to deflect security problems onto the
merchants and banks to protect the card brands.  Which do you think is
more likely?  Regardless, the QSAs talking about "safe-harbor" for being
compliant in the event of a breach are being a bit misleading.

I'm not saying you shouldn't follow PCI--you agree to do so if you take
credit cards.  But you'll have to do your own risk-assessment, maybe
with a QSA, maybe without one, on where you're actually going to draw
the lines in the sand--knowing that if something goes wrong, it will
always be blamed on your institution.

-Eric

-------- Original Message --------
Subject: Re: [SECURITY] PCI compliance question
From: Kevin Hayes <krhayes () OAKLAND EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 7/8/2010 3:04 PM

The best quote I have heard regarding PCI compliance is that "You are compliant until there is a breach; then you are no longer compliant".

While the well-known mantra of PCI is anything that stores, transmits, or processes PCI data, at some point you have to define exactly what that consists of.  What exactly *is* a PAN?  If I throw 16 random digits together and transmit it across a network, does that mean it has to instantly become PCI compliant?

I think Joel hit the nail on the head when he said that it ties right back to the Merchant ID.  If the *destination* of whatever data is being swiped/entered is a system that is somehow tied back to your merchant ID, then you have PCI scope to worry about.  Otherwise the entire planet would be covered in PCI scope; if I put my CC into a standalone hotel door lock I should not expect my data to remain secure.  If I swipe it at a POS terminal for a purchase, I should.

It would still be a good security practice to make sure that *any* system that gets magstripe reads is set to purge unknown data, but I have brought this subject up with our auditors and they were under the same impression that we only need to worry about PCI scope where it involves a Merchant ID that is issued to our University.

--Kevin

Kevin Hayes
Network Security Analyst

225 Dodge Hall
Oakland University
(248) 370-2546


On Jul 8, 2010, at 3:26 PM, Sarazen, Daniel wrote:

His machines ARE accepting the CC data. According to the poster, it's his servers that will reject the data. That means the system may be transmitting and storing the CC data.

If we're talking strictly about compliance, then you're probably fine. If you're also talking about security, however, you may be in fact trapping and storing CC data.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
Rosenblatt
Sent: Thursday, July 08, 2010 3:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

His machines are not accepting CCs .. they are accepting his own cards ... since they do not accept credit cards for those services, then despite the fact that people are putting the wrong card in the machine, they are not in PCI scope.

Using your logic, any device with a card swipe would be in PCI scope, which is clearly not the case.

To be charged with a violation, there has to be an account - no account, no violation.

IMHO

Joel

--On Thursday, July 08, 2010 3:01 PM -0400 "Lazarus, Carolann" <lazarus () buffalo edu> wrote:

My issue with this is that he said the machines transmit the CC to the server.  I'm not an expert, but I believe any transmission of CC falls under PCI, even if the transaction is rejected.  The transmission has to be secure.  IMO

Carolann G Lazarus, CISA
716-829-6947
lazarus () buffalo edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
Rosenblatt
Sent: Thursday, July 08, 2010 2:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

I am not a PCI expert, but I have been up to my eyeballs in PCI stuff for a while :-)

If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put that device in scope for PCI.

If someone were to swipe their Visa card in your controlled access door swipes, and this were the case, then every door on your campus would suddenly become in scope for PCI.

The ultimate responsibility for PCI belongs to the organization that owns the MID for the account that will receive the income from that transaction - since there is no MID (Merchant ID) attached to your vending machines, there can be no PCI compliance.

In my opinion, I believe, and any other disclaimer :-)

My 2 cents

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob" <smithrj () LONGWOOD EDU> wrote:

We are struggling with a PCI compliance issue and have been asked to query this list.  We have vending machines (drink, snack, laundry, etc.) on our network that are being set up for use with our university "one card" system.  The readers on these machines will transmit and process our cards just fine.  However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction.

The big question:  are the vending machines considered in-scope for PCI?  If so, that means a lot of other things will be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University





-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/


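Kevin's suggestion that any system taking magstripe reads should purge unknown data, and Daniel's concern that the one-card server may be trapping and storing card numbers, come down to one decision at the point of ingest. The following is an added illustration and not code from any participant in this thread or from any one-card product: it parses a track-2 swipe, accepts only cards carrying the institution's own issuer prefix (the prefix `600123` and the 16-digit length are constructed assumptions), uses a Luhn check to recognise PAN-like data from other issuers, and records nothing but a classification for rejected swipes. The sample swipes are constructed; 4111111111111111 is the standard Visa test PAN.

```python
import re

# Constructed assumption: the institution's one-card PANs are 16 digits and
# begin with this issuer prefix. A real deployment would use its own value.
ONE_CARD_IIN = "600123"

# Minimal track-2 shape: start sentinel ';', 13-19 digit PAN, '=' separator,
# discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<rest>\d*)\??$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment-card PANs (heuristic: ~10% of random strings pass)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_swipe(track2: str) -> str:
    """Return 'one_card', 'payment_card' or 'unknown' for a raw track-2 read."""
    m = TRACK2_RE.match(track2)
    if not m:
        return "unknown"        # garbled or non-standard read
    pan = m.group("pan")
    if len(pan) == 16 and pan.startswith(ONE_CARD_IIN):
        return "one_card"
    if luhn_valid(pan):
        return "payment_card"   # PAN-like data from some other issuer
    return "unknown"


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS-style masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def process_swipe(track2: str, store: list, audit: list) -> str:
    """Persist only the institution's own cards; drop everything else unrecorded."""
    kind = classify_swipe(track2)
    if kind == "one_card":
        pan = TRACK2_RE.match(track2).group("pan")
        store.append(pan)
        audit.append(f"accepted one_card {mask_pan(pan)}")
    else:
        # The raw track data is deliberately not written anywhere: neither the
        # account store nor the audit log ever holds a foreign PAN.
        audit.append(f"rejected {kind}")
    return kind


if __name__ == "__main__":
    # Constructed sample swipes: an institution card, the Visa test PAN, and a
    # 16-digit string that is not a valid PAN.
    samples = [
        ";6001231234567890=25121010000000000000?",
        ";4111111111111111=25121010000000000000?",
        ";1234567890123456=25121010000000000000?",
    ]
    store, audit = [], []
    for s in samples:
        print(process_swipe(s, store, audit))
    print(store, audit)
```

The Luhn check answers Kevin's "16 random digits" question only partially: it is a cheap filter that rejects most random strings, not proof that a read is a payment card, so the safe default is to drop anything that is not the institution's own card and never to log the raw track data.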

