Educause Security Discussion mailing list archives

Re: PCI SSC - Special Interest Groups


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Thu, 19 Jul 2012 21:17:14 +0000

Well, that'll be nice for a very limited set of my merchants.  *very* limited.

Once you can actually buy the gear and services, that is.

   -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Pirolo
Sent: Thursday, July 19, 2012 3:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI SSC - Special Interest Groups

Lo and behold, a new SAQ for P2PE devices...
https://www.pcisecuritystandards.org/documents/PCI_SAQ_P2PE-HW_v2.pdf 

This may answer a few of my questions.

On Thu, 2012-07-19 at 09:36 -0700, David Pirolo wrote:
Unfortunately I don't have a subscription for full access to this 
article.

Essentially this is saying to work with your acquirer or payment brand 
to make the determination on how it best fits.  The confusion is that 
our acquirer has stated that we need to follow SAQ-cvt.  The issue 
with this is Requirement 4, which states open public network.  What 
about the requirements for the college private networks that this may 
be connecting through?  Based on this doc I believe that it's a moot 
issue for the merchant and responsibility falls to the solution 
provider if the device is P2PE.  The merchant would just be 
responsible for securing the device.
https://www.pcisecuritystandards.org/documents/P2PE_%20v%201-1.pdf

The other issue is requirement 5-AV software.  The P2PE doc doesn't 
appear to address that.

-David



On Thu, 2012-07-19 at 10:59 +0000, Davis, Thomas R wrote:
Hi David,

This from Walt Conway regarding mobile devices:

"Both MasterCard and Visa have issued their guidelines which I've written about at StorefrontBacktalk: 
http://storefrontbacktalk.com/securityfraud/mobile-pos-moves-forward-with-mastercards-blessing/  and 
http://storefrontbacktalk.com/securityfraud/visa-joins-mastercard-in-relegating-pci-to-an-afterthought/."


