Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Tue, 2 Aug 2011 14:27:41 -0500

A strict reading of #2 could imply that A/V update systems, backup servers and WiSUS/SCM would need to be located entirely within the Cardholder Data Environment in order to retain SAQ-C status.

Has anyone gotten a recent QSA opinion one way or the other on that issue?

   -jml

"Bazeley, Joseph E." <bazeleje () MUOHIO EDU> 2011-08-02 13:38 wrote:
Why is it that I never enjoy the days where I learn something new about PCI? ;)

From the PCI docs at https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf, here are the 6 things you need to confirm to be SAQ C:

"1. Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
2. The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
3. Your company store is not connected to other store locations, and any LAN is for a single store only;
4. Your company retains only paper reports or paper copies of receipts;
5. Your company does not store cardholder data in electronic format; and
6. Your company's payment application software vendor uses secure techniques to provide remote support to your payment application system."

The proxy server Joel mentioned would violate #2, which would push you into SAQ D.

Joe

-----Original Message-----
From: Joel Rosenblatt [mailto:joel () columbia edu] 
Sent: Tuesday, August 02, 2011 2:08 PM
To: The EDUCAUSE Security Constituent Group Listserv
Cc: Bazeley, Joseph E.
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

SAQ D does not only mean you are storing credit cards... it also applies when you have a "complicated network" - even if none of the machines are storing credit cards.

A complicated network means that machines are connected together in some way - for example, if you are using a proxy server for the traffic leaving your edge.

I'm not an ISV, but I've played one on TV :-)

Joel

--On Tuesday, August 02, 2011 2:01 PM -0400 "Bazeley, Joseph E." <bazeleje () MUOHIO EDU> wrote:

Can you get them to use PCI DSS SAQ C instead?  SAQ D means that they're storing credit card numbers, which will make their PCI compliance effort require more resources and increases the likelihood of a breach leading to exposed credit card numbers and the associated notification.  If they don't have an extremely good reason to store those credit card numbers (and it needs to provide an associated benefit that outweighs the cost from doing so), they should quit storing them.

Regards,
Joe

Joe Bazeley
Information Security Officer
Miami University
Hoyt Hall 314
513-529-9252

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Self, Dennis
Sent: Tuesday, August 02, 2011 1:56 PM
To: SECURITY () listserv educause edu 
Subject: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

Security Friends,

Have you developed a budget for PCI DSS SAQ D compliance for your bookstore operation in the recent past?  For my institution, the bookstore may be the only operation that cannot be reasonably remediated to qualify for SAQ A or B.  If you are willing to share your budget, please respond offline.  Also please let me know if I may identify you and your institution to our administration.  Lastly, if you reverted back in technology to dial terminals as a solution, please let me know.

Kind regards,

Dennis Self
Director, IT Security & Compliance
Technology Services
Samford University
(205) 726-2692



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel 
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 
