Re: Budget for PCI DSS SAQ D for Bookstore Operations

[Joel Rosenblatt <joel () COLUMBIA EDU>]

There is also something that they call a "one hop rule" .. so, for example, if you get your updates from Microsoft directly (automatic update) then your OK, or 
if the systems you are getting your service from are NOT maintained by you (DNS for example), then your OK (the idea being that the chances of two different 
organizations screwing up at the same time is less probable)

But, if your running your own AD and the machines are connecting to your AD server, then you need to fill out a SAQ D

When in doubt, please consult with your ISV ... and remember, you can shop around for one that agrees with you :-)

Joel

--On Tuesday, August 02, 2011 2:27 PM -0500 John Ladwig <John.Ladwig () CSU MNSCU EDU> wrote:

> A strict reading of #2 could imply that A/V update systems, backup servers and WiSUS/SCM would need to be located 
> entirely within the Cardholder Data
> Environment in order to retain SAQ-C status.
>
> Has anyone gotten a recent QSA opinion one way or the other on that issue?
>
>    -jml
>
> > > > "Bazeley, Joseph E." <bazeleje () MUOHIO EDU> 2011-08-02 13:38 >>>
> Why is it that I never enjoy the days where I learn something new about PCI? ;)
>
> From the PCI docs at https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf, here are the 6 
> things you need to confirm to be SAQ C:
>
> "1. Your company has a payment application system and an Internet connection on the same device and/or same local area 
> network (LAN);
> 2. The payment application system/Internet device is not connected to any other systems within your environment (this 
> can be achieved via network
> segmentation to isolate payment application system/Internet device from all other systems); 3. Your company store is 
> not connected to other store locations,
> and any LAN is for a single store only;
> 4. Your company retains only paper reports or paper copies of receipts;
> 5. Your company does not store cardholder data in electronic format; and
> 6. Your company's payment application software vendor uses secure techniques to provide remote support to your payment 
> application system."
>
> The proxy server Joel mentioned would violate #2, which would push you into SAQ D.
>
> Joe
>
> -----Original Message-----
> From: Joel Rosenblatt [mailto:joel () columbia edu]
> Sent: Tuesday, August 02, 2011 2:08 PM
> To: The EDUCAUSE Security Constituent Group Listserv
> Cc: Bazeley, Joseph E.
> Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
>
> SAQ D does not only mean you are storing credit cards .. it also applies when you have a "complicated network" - even 
> if none of the machines are storing
> credit cards
>
> A complicated network means that machines are connected together in some way - for example, if you are using a proxy 
> server for the traffic leaving your edge
>
> I'm not an ISV, but I've played one on TV :-)
>
> Joel
>
> --On Tuesday, August 02, 2011 2:01 PM -0400 "Bazeley, Joseph E." <bazeleje () MUOHIO EDU> wrote:
>
> > Can you get them to use PCI DSS SAQ C instead?  SAQ D means that they're storing credit card numbers, which will make 
> > their PCI compliance effort require
> > more resources and increases the likelihood of a breach leading to exposed credit card numbers and the associated 
> > notification.  If they don't have an
> > extremely good reason to store those credit card numbers (and it needs to provide an associated benefit that outweighs 
> > the cost from doing so), they should
> > quit storing them.
> >
> > Regards,
> > Joe
> >
> > Joe Bazeley
> > Information Security Officer
> > Miami University
> > Hoyt Hall 314
> > 513-529-9252
> >
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Self, 
> > Dennis
> > Sent: Tuesday, August 02, 2011 1:56 PM
> > To: SECURITY () listserv educause edu
> > Subject: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations
> >
> > Security Friends,
> >
> > Have you developed a budget for PCI DSS SAQ D compliance for your bookstore operation in the recent past?  For my 
> > institution, the bookstore may be the only
> > operation that cannot be reasonably remediated to qualify for SAQ A or B.  If you are willing to share your budget, 
> > please respond offline.  Also please let
> > me know if I may identify you and your institution to our administration.  Lastly, if you reverted back in technology 
> > to dial terminals as a solution, please
> > let me know.
> >
> > Kind regards,
> >
> > Dennis Self
> > Director, IT Security & Compliance
> > Technology Services
> > Samford University
> > (205) 726-2692
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3