Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Mon, 8 Aug 2011 14:50:30 -0500

A good point.  Perhaps an example would be helpful.

We've had a number of campus bookstore merchants move from val-type-5 (SAQ-D) to val-type-3 (SAQ-B) by changing 
operational practice from swiping cards through a bookstore POS which would otherwise store PANs after authorization, 
and instead install and use dialout POTS terminals (on Centrex lines, not internal PBX lines), changing the bookstore's 
PCI compliance obligations.

It seems like (and several QSAs have opined that) tokenization-enabled POS systems should qualify for val-type 4, 
SAQ-C, notably less onerous than SAQ-D, as they do not store PANs after authorization.  

Larry Carlson's recommendations about sanitization of PANs in your cardholder data environment (CDE) would be good 
practice post-conversion, but not sufficient unless the behavior or use of the POS system was *also* changed.

   -jml

Blake Penn <BPenn () TRUSTWAVE COM> 2011-08-08 13:06 >>>
It is important to keep in mind that the different SAQs correspond to different levels of VALIDATION (as opposed to 
compliance).  Your advice sounds reasonable, but some in this audience might misinterpret "de-scoping" as applying to 
compliance rather than validation.  De-scoping compliance requirements and de-scoping validation requirements are two 
completely different things.


Blake Penn
CISSP, MCSE, MCSD, MCDBA, QSA
Principal Consultant
Trustwave
bpenn () trustwave com 
+1 (678) 685-1277
http://www.trustwave.com 

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not 
necessarily reflect the opinions of Trustwave.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carson, 
Larry
Sent: Friday, August 05, 2011 10:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

I would recommend descoping to SAQ C, if at all possible. This may mean updating data stores in a DB, sanitising 
(possibly even destroying) backups and logs, sanitising email stores, etc. Just keep a record of all items sanitised, as 
it is a good record of your descoping exercise.

WRT tracking compliance: spreadsheets, lots of them but we're considering a GRC solution to keep our sanity.


Larry

---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson


----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Aug 05 05:18:21 2011
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A 340 row Lovecraftian spreadsheet which causes those who stare into its depths to gibber in unholy madness.  We call 
it The Beast.

The 40+ columns track a lot of things, none of which are on any SAQ; vendors, manufacturers, contract language status, 
versions, validation types, concessionaires, CDE segmentation status, SAQ completion dates...  About row 200 I 
realized this was a database problem, but our development staff is limited.

    -jml


-----Original Message-----
From: Doug Markiewicz - EDUCAUSE
Sent: 2011-08-05 06:48:02
To: Doug Markiewicz - EDUCAUSE;The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations


We are working with Trustwave to provide an online portal to track all information, scans, provide and
track training, do external scans, fill out SAQs, etc.

I'm curious how others are organizing all their PCI compliance data, tracking training, etc. Manually?  Through a 
software package or service provider?

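Larry's suggestion to sanitise backups, logs and email stores, and John's note that PAN sanitisation in the CDE is 
good practice after converting the POS, both come down to the same job: finding card numbers in data you already hold 
and removing them. The script below is an added example, not code from any poster in this thread or from any 
vendor mentioned in it. It scans constructed sample POS log lines for PAN-shaped digit runs, keeps only the runs that 
pass the Luhn check (so order numbers and phone numbers are not masked), and masks survivors to first six / last four. 
The log lines, field names and the 13-19 digit length bound are assumptions made for the example.

```python
import re

# Constructed heuristic: 13-19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits. Covers the common card brands' lengths.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_candidate(candidate: str) -> str:
    """Keep the first six and last four digits, replace the rest with X.

    Separators (spaces/dashes) are preserved so the masked line stays readable.
    """
    n_digits = sum(ch.isdigit() for ch in candidate)
    seen = 0
    out = []
    for ch in candidate:
        if ch.isdigit():
            seen += 1
            keep = seen <= 6 or seen > n_digits - 4
            out.append(ch if keep else "X")
        else:
            out.append(ch)
    return "".join(out)


def find_pans(line: str):
    """Yield (start, end, digits) for each Luhn-valid PAN candidate in a line."""
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m.start(), m.end(), digits


def sanitise_line(line: str):
    """Return (sanitised_line, number_of_pans_masked)."""
    out, last, count = [], 0, 0
    for start, end, _digits in find_pans(line):
        out.append(line[last:start])
        out.append(mask_candidate(line[start:end]))
        last = end
        count += 1
    out.append(line[last:])
    return "".join(out), count


def sanitise_log(lines):
    """Sanitise a list of lines; return (sanitised_lines, total_pans_masked)."""
    cleaned, total = [], 0
    for line in lines:
        new_line, count = sanitise_line(line)
        cleaned.append(new_line)
        total += count
    return cleaned, total


# Constructed sample log lines. The card numbers are the well-known
# 4111111111111111 / 5555555555554444 test values; the order number is a
# 16-digit run that fails Luhn and the phone number is too short to match.
SAMPLE_LOG = [
    "2011-08-05 10:52:01 POS01 sale approved card=4111111111111111 amount=42.50",
    "2011-08-05 10:53:17 POS02 sale approved card=5555 5555 5555 4444 amount=18.00",
    "2011-08-05 10:54:02 POS01 order=1234567890123456 status=shipped",
    "2011-08-05 10:55:40 helpdesk callback 604-822-0773 ticket=3301",
]

if __name__ == "__main__":
    cleaned, total = sanitise_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{total} PAN(s) masked")
```

Run over real data, the count of masked PANs per file is exactly the "record of all items sanitised" Larry describes; 
the Luhn filter is what keeps that record from being padded with order numbers and timestamps.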

