Educause Security Discussion mailing list archives
Re: PCI compliance question
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Fri, 9 Jul 2010 09:22:39 -0500
"Document, publish, and stick to the documentation..."

I would also add "Make certain you can prove you are following your documentation." QSAs generally look at five distinct items for the individual requirements of the DSS:

1. Is it documented? (Review policies and procedures)
2. Do people know it is documented? (Interview users)
3. Do the rules/configurations/settings match the documentation? (Review the configurations/rules/settings)
4. Is it being actively practiced? (Review the logs, review the formalized processes, step through an actual case, etc.)
5. Does it meet the intent of the requirement? (Compare to best practices, industry standards, PCI mandates, etc.)

If you can meet all five of these criteria, then you are generally considered to be compliant with that requirement. The PCI Council has begun to more carefully define what is meant by each of the requirements, and to provide a specific audit approach that is to be used for validating each one. Most require several levels of validation, as shown above. Others require a subset of the ones shown above, depending upon the nature of the requirement.

Paul

========================================
Paul L. Kendall, CGEIT, CHS-III, DHS-CVI, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Senior Consultant
Accudata Systems, Inc.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel Robert Adinolfi
Sent: Friday, July 09, 2010 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

On Jul 08, 2010, at 14:57, Joel Rosenblatt wrote:
If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put that device in scope for PCI.
Our read on this issue mirrors Joel's. Though, I agree with another poster (sorry, I lost that message) who said they put signs on the vending machines that say "This machine will not accept credit cards."

Based on our fun experience with a QSA during a gap analysis we asked for, documentation is really, really important. If something is documented, it exists. If it is not documented, it does not exist to an auditor. Therefore, document where you take credit cards and where you do not. If a unit has a card reader, their PCI documentation should include that fact and describe that they do not write down the card number/accept them on post-it notes on their front door/allow someone to write it down in magic marker on an office plant/etc. (It's probably easier to say, "We ONLY accept cards in the following ways".) Make these policies clear to the public, and you have gone a long way to limit your exposure. Document, publish, and stick to the documentation.

So, back to the question, if you put signs on your vending machines that say "Don't be silly and use a credit card here. We'll laugh at you.", document that in your Big Book o' PCI Documentation, and make sure your application cleans out any errant CC data that might touch it, you don't need to consider that system in-scope.

My $0.04. (inflation)

-Dan
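The "clean out any errant CC data" step Dan recommends for a non-payment card reader, as an added example that is not part of this thread: a Python handler for a campus ID reader that rejects any swipe carrying a Luhn-valid card number and keeps long digit runs out of its logs. The campus Track 2 layout and the sample swipes are constructed assumptions, not any institution's real format.

```python
import re

# Assumed format for the campus ID card this device expects (hypothetical):
# Track 2 style ";<9-digit id>=<expiry>...". Not a real institution's layout.
CAMPUS_TRACK2 = re.compile(r"^;(\d{9})=")
# Candidate primary account number: 13 to 19 consecutive digits.
PAN_CANDIDATE = re.compile(r"\d{13,19}")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that payment PANs satisfy."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """True if any 13-19 digit run (with or without space/dash separators) passes Luhn."""
    for candidate in (text, re.sub(r"[ -]", "", text)):
        if any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(candidate)):
            return True
    return False

def mask_long_digit_runs(text: str) -> str:
    """Replace every run of 13+ digits so a log line can never carry a full PAN."""
    return PAN_CANDIDATE.sub("[PAN-REDACTED]", text)

def handle_swipe(raw: str) -> dict:
    """Accept a campus ID swipe, discard card-like data; 'log' is safe to persist."""
    if contains_pan(raw):
        return {"accepted": False, "student_id": None,
                "log": "rejected swipe: payment-card data detected, input discarded"}
    m = CAMPUS_TRACK2.match(raw)
    if not m:
        return {"accepted": False, "student_id": None,
                "log": "rejected swipe: unrecognised format " + mask_long_digit_runs(raw)}
    return {"accepted": True, "student_id": m.group(1),
            "log": "accepted campus id ending " + m.group(1)[-4:]}

if __name__ == "__main__":
    # Constructed sample swipes; 4111111111111111 is a well-known Luhn-valid test number.
    print(handle_swipe(";123456789=2512?"))
    print(handle_swipe(";4111111111111111=25121010000000000000?"))
```

A long non-card number that happens to pass Luhn will also be rejected; for a device that should never see a PAN, rejecting a false positive is the safer failure mode than storing a real one.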