Educause Security Discussion mailing list archives

Re: Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?


From: "Giesige, Rich" <Rich.Giesige () OREGONSTATE EDU>
Date: Mon, 22 Feb 2016 16:52:43 +0000

Quick Question (I’m not an expert at all): If a person is entering a credit card (received via phone/mail in a web 
terminal) on the behalf of another person then how does that not fall into SAQ C-VT (even if it is secured and 
encrypted)? 

Also I would agree with everything else that has been said, if you are taking multiple credit cards in one terminal you 
have to make sure it is locked down and secured to the point where verification of physical security is done on a 
regular basis. 

Thanks,

-- 
Richard Giesige 
IT Security Analyst
Office of Information Security
Oregon State University



"OSU staff will NEVER ask for your password.
Never email or share your password with anyone."
On 2/22/16, 8:49 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Sprague, Randy" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of randy.sprague () CINCINNATISTATE EDU> wrote:

Hello Kevin,
We still keep our E2EE devices within our CDN for consistency and risk foot print. My understanding is it removes 
parts of the compliance (encryption, SSL/TTL) but does not remove from other sections. 

Randy Sprague
Enterprise and Infrastructure Manager
Cincinnati State Technical and Community College
Office: 513-569-1892

This transmission is intended only for use by the intended recipient(s). If you are not an intended recipient you must 
not read, disclose, copy, circulate or in any other way use the information contained in this transmission. The 
information contained in this transmission may be confidential and/or privileged. If you have received this 
transmission in error, please notify the sender immediately and delete this transmission including any attachments.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Sheryn
Sent: Monday, February 22, 2016 11:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

Thanks, Kevin.

My understanding was that if your E2EE solution was 'in hardware', such that you, the merchant, had no access to the 
encryption/decryption keys, then that could take your infrastructure out-of-scope.  But if it's a software solution, 
such that you, the merchant, did (potentially) have access to the encryption/decryption keys (e.g. in a web-app 
running on a local PC), then it didn't.

But maybe I've misunderstood that.

Regards

-- 
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Reedy
Sent: 22 February 2016 15:46
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

One point of clarification:

"If employees are able to enter CHD (CC#) on a customer's behalf, then all of the infrastructure touched by the CHD, 
and everything connected directly to it, is in scope for PCI compliance.  Card Holder Data is very toxic, from a PCI 
compliance perspective... :-/"

This really depends on how the transmission and web page are set up.  I don't know how others are doing it, but we 
have encryption happen at both the transport layer (SSL), and at the application layer, inside the HTML5, after each 
keystroke.  The decryption happens on the service provider's CDN (E2EE), therefore taking the actual source machine 
out of scope (out of scope of SAQ-D and into SAQ-A anyway).  We still don't process or transmit CHD on it; that is all 
handled on the service provider's CDN.  I guess we'd need to know a whole lot more about the back end architecture to 
really understand the data flow and offer a customized solution.

Obviously if you are talking about a self service portal with a card swipe option everything I have said goes out the 
window.


-Kevin



From:  David Sheryn <dsheryn () LONDON EDU>
To:    SECURITY () LISTSERV EDUCAUSE EDU
Date:  02/22/2016 10:23 AM
Subject:  Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by:  The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



Hi,

Like Kevin, I'm not a qualified ISA, but my understanding of the situation is as follows:

"If the payment page is securely hosted, and the CDN is properly protected, then a kiosk machine on your network is no 
different from a student using a computer at home to make the same payment."

The difference is that if the payment is solicited by your organisation AND you run the equipment on which you solicit 
the payment (or at least if your organisation 'advertises' or 'notifies' that you are providing equipment for the 
purpose of making a payment) then it is *that* which puts the kiosk into scope for your PCI compliance. The other key 
difference is that the student's own PC is likely to only have their own CHD going through it, whereas your kiosk is 
likely to have multiple people's CHD going through it, making it a more fruitful place to attack.

"This kiosk would have to be pretty tightly controlled to ensure no physical or software key loggers are installed, 
and routinely malware/virus scanned. I'd lock it down with GPO or a specialized software to ensure integrity."

Absolutely.  Or rebuild it every night with a known clean image?

"I assume there are other machines on your network where employees are able to enter CC#, isn't this the same basic 
concept?"

If employees are able to enter CHD (CC#) on a customer's behalf, then all of the infrastructure touched by the CHD, 
and everything connected directly to it, is in scope for PCI compliance.  Card Holder Data is very toxic, from a PCI 
compliance perspective... :-/

Regards

--
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [ mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Reedy
Sent: 22 February 2016 14:50
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

Mandi,

While admittedly not a PCI expert, I think I know it pretty well.  I'm a bit confused as to what it is you are looking 
for.  If the payment page is securely hosted, and the CDN is properly protected, then a kiosk machine on your network 
is no different from a student using a computer at home to make the same payment.

This kiosk would have to be pretty tightly controlled to ensure no physical or software key loggers are installed, and 
routinely malware/virus scanned.
I'd lock it down with GPO or a specialized software to ensure integrity.

I assume there are other machines on your network where employees are able to enter CC#, isn't this the same basic 
concept?

I guess I'm missing the part of PCI you are looking to satisfy aside from those listed above?

-Kevin



From:  Mandi Witkovsky <witkovsm () IPFW EDU>
To:    SECURITY () LISTSERV EDUCAUSE EDU
Date:  02/18/2016 11:52 AM
Subject:  [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by:  The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



We have a strong desire by administration to provide a payment terminal/kiosk for students to make payments.  We have 
always had issues providing a compliant kiosk, and in fact have stripped them out of our environment because we don't 
have the manpower to maintain it.

Is anyone using (or know of) hardware/service to outsource this functionality?

Thanks,
mandi

This message and any attachments contain confidential Excelsior College information intended for the specific 
individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. 
Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.