Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations

From: "Henninger, Craig" <chenninger () CAMPUSGUARD COM>
Date: Wed, 3 Aug 2011 08:06:22 -0400

In most cases, it is very difficult for merchants in a higher ed environment to qualify for SAQC. This SAQ was written 
for IP based POS devices and standalone workstations that run some form of POS software. If you have systems on a LAN 
that communicate for domain login, AV signatures, etc. Then you need to use SAQ D. 

Craig


On Aug 2, 2011, at 10:21 PM, "John Ladwig" <John.Ladwig () CSU MNSCU EDU> wrote:

In my experience w/ level 4 merchants and a mix of sizes of acquiring banks, the banks  won't help directly, but *if* 
they have a preferred QSA firm, the QSAs may be able to help.

But it'll cost you, the merchant.

    -jml


-----Original Message-----
From: Nick Lewis
Sent: 2011-08-02 20:46:26
To: Nick Lewis;The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations


You may also want to talk to your acquiring bank to see if they can offer
you any advice if you don't have a QSA. Your acquiring bank may help you
work through scoping and if SAQ C or D in the environment.

Nick

-----Original Message-----
From: Joel Rosenblatt
Sent: Tuesday, August 02, 2011 2:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

There is also something that they call a "one hop rule" .. so, for example,
if you get your updates from Microsoft directly (automatic update) then your
OK, or
if the systems you are getting your service from are NOT maintained by you
(DNS for example), then your OK (the idea being that the chances of two
different
organizations screwing up at the same time is less probable)

But, if your running your own AD and the machines are connecting to your AD
server, then you need to fill out a SAQ D

When in doubt, please consult with your ISV ... and remember, you can shop
around for one that agrees with you :-)

Joel

--On Tuesday, August 02, 2011 2:27 PM -0500 John Ladwig
<John.Ladwig () CSU MNSCU EDU> wrote:

A strict reading of #2 could imply that A/V update systems, backup servers
and WiSUS/SCM would need to be located entirely within the Cardholder Data
Environment in order to retain SAQ-C status.

Has anyone gotten a recent QSA opinion one way or the other on that issue?

   -jml

"Bazeley, Joseph E." <bazeleje () MUOHIO EDU> 2011-08-02 13:38 >>>

Why is it that I never enjoy the days where I learn something new about
PCI? ;)

From the PCI docs at
https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf,
here are the 6 things you need to confirm to be SAQ C:

"1. Your company has a payment application system and an Internet
connection on the same device and/or same local area network (LAN);
2. The payment application system/Internet device is not connected to any
other systems within your environment (this can be achieved via network
segmentation to isolate payment application system/Internet device from
all other systems); 3. Your company store is not connected to other store
locations,
and any LAN is for a single store only;
4. Your company retains only paper reports or paper copies of receipts;
5. Your company does not store cardholder data in electronic format; and
6. Your company's payment application software vendor uses secure
techniques to provide remote support to your payment application system."

The proxy server Joel mentioned would violate #2, which would push you
into SAQ D.

Joe

-----Original Message-----
From: Joel Rosenblatt [mailto:joel () columbia edu]
Sent: Tuesday, August 02, 2011 2:08 PM
To: The EDUCAUSE Security Constituent Group Listserv
Cc: Bazeley, Joseph E.
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

SAQ D does not only mean you are storing credit cards .. it also applies
when you have a "complicated network" - even if none of the machines are
storing
credit cards

A complicated network means that machines are connected together in some
way - for example, if you are using a proxy server for the traffic leaving
your edge

I'm not an ISV, but I've played one on TV :-)

Joel

--On Tuesday, August 02, 2011 2:01 PM -0400 "Bazeley, Joseph E."
<bazeleje () MUOHIO EDU> wrote:

Can you get them to use PCI DSS SAQ C instead?  SAQ D means that they're
storing credit card numbers, which will make their PCI compliance effort
require
more resources and increases the likelihood of a breach leading to
exposed credit card numbers and the associated notification.  If they
don't have an
extremely good reason to store those credit card numbers (and it needs to
provide an associated benefit that outweighs the cost from doing so),
they should
quit storing them.

Regards,
Joe

Joe Bazeley
Information Security Officer
Miami University
Hoyt Hall 314
513-529-9252

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () listserv educause edu] On Behalf Of Self, Dennis
Sent: Tuesday, August 02, 2011 1:56 PM
To: SECURITY () listserv educause edu
Subject: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

Security Friends,

Have you developed a budget for PCI DSS SAQ D compliance for your
bookstore operation in the recent past?  For my institution, the
bookstore may be the only
operation that cannot be reasonably remediated to qualify for SAQ A or B.
If you are willing to share your budget, please respond offline.  Also
please let
me know if I may identify you and your institution to our administration.
Lastly, if you reverted back in technology to dial terminals as a
solution, please
let me know.

Kind regards,

Dennis Self
Director, IT Security & Compliance
Technology Services
Samford University
(205) 726-2692




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

Current thread:

Budget for PCI DSS SAQ D for Bookstore Operations Self, Dennis (Aug 02)
- Re: Budget for PCI DSS SAQ D for Bookstore Operations Bazeley, Joseph E. (Aug 02)
  - Re: Budget for PCI DSS SAQ D for Bookstore Operations Joel Rosenblatt (Aug 02)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Bazeley, Joseph E. (Aug 02)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 02)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Eric C. Lukens (Aug 02)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Joel Rosenblatt (Aug 02)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Nick Lewis (Aug 02)
- <Possible follow-ups>
- Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 02)
  - Re: Budget for PCI DSS SAQ D for Bookstore Operations Henninger, Craig (Aug 03)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Self, Dennis (Aug 03)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Joel Rosenblatt (Aug 03)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 03)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations Doug Markiewicz - EDUCAUSE (Aug 05)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 03)
- Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 05)
  - Re: Budget for PCI DSS SAQ D for Bookstore Operations Brad Judy (Aug 05)
- Re: Budget for PCI DSS SAQ D for Bookstore Operations Carson, Larry (Aug 05)
  - Re: Budget for PCI DSS SAQ D for Bookstore Operations Blake Penn (Aug 09)
    - Re: Budget for PCI DSS SAQ D for Bookstore Operations John Ladwig (Aug 09)

(Thread continues...)