Educause Security Discussion mailing list archives
Re: PCI Wireless Question for other colleges/universities
From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 25 Jan 2016 19:33:29 +0000
The scope of PCI-DSS is to your cardholder environment. This commonly means there is a separate network dedicated to payment processing systems (otherwise all sorts of messy stuff falls in scope). For any rogue access points detected on your PCI network, the expectation is that you would immediately remove them (turn off port, physically remove them, etc.). PCI doesn't care what you do about rogue access points on out of scope networks.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Monday, January 25, 2016 12:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

Hi Marty,

Sorry for the lack of clarification! It isn't as much the "establish a process to scan for rogue wireless access points", because we have a process to detect such via our wireless system (Aruba). Our issue is more with 11.1.2b: "Is action taken when unauthorized wireless access points are found". I'm not sure what actions are viable in an environment like a college (at least with our staffing requirements), especially with ad-hoc networks and cell phones acting as access points. Is "We've made sure it isn't near a dedicated payment area if the access point wasn't transient" suitable as an action for this? I'm open to ideas.

Thanks all,

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu
845-257-3828

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, Martin
Sent: Monday, January 25, 2016 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

Paul,

Assuming we're talking about "Establish a process to scan for rogue wireless access points on at least a quarterly basis," we were advised by our QSA that a visual inspection on CDE segments only was sufficient to satisfy this requirement.

Marty Manjak
ISO
University at Albany

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized wireless access points. We have a few areas with payments going over wireless, but even if we changed things to not use wireless for payments, it appears that this requirement is applicable. We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that was completely unable to break through to the payment terminals (or even through the network segmentation). We also have scanning in place that can detect rogue access points. I believe that the systems are secure but security isn't compliance.

In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of them being transient. What have other colleges done when faced with these situations? We're not a huge school that can afford the staff that it would take to go hunt the transient access points down. I'd appreciate anything you can share on- or off-list about this scenario.

Thanks,

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu
845-257-3828
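The thread turns on two distinctions: whether a detected rogue is in PCI scope at all (Brad's point that only the segmented cardholder environment matters) and whether it is a transient phone hotspot or an installed device (Paul's staffing concern). The script below is an added example written for this archive page, not code from any of the posters or from the Aruba product they mention. It turns those two distinctions into a repeatable triage that produces the "action taken" record 11.1.2b asks for. The detection record layout, the zone names in `CDE_ZONES`, the `TRANSIENT_WINDOW` threshold and the sample detections are all assumptions constructed for the example; map them onto whatever your wireless controller actually exports.

```python
"""Triage rogue-AP detections against a segmented cardholder data environment (CDE).

Added example for this list thread; not the list's or any vendor's code.
Record format, zone names, threshold and sample data are assumed/constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed: zones (and the wired segments that serve them) that are in PCI scope.
# Anything not listed here is out of scope, which is the thread's key point.
CDE_ZONES = {"bursar-office", "bookstore-pos"}

# Assumed threshold: a BSSID heard for less than this is treated as transient
# (a phone hotspot walking past) rather than an installed access point.
TRANSIENT_WINDOW = timedelta(hours=2)


@dataclass
class RogueDetection:
    """One rogue-AP record as a controller might export it (constructed layout)."""
    bssid: str
    ssid: str
    first_seen: datetime
    last_seen: datetime
    detected_in_zone: str            # zone of the sensor/AP that heard the rogue
    wired_segment: Optional[str]     # set if the controller traced it to a wired port


def classify(d: RogueDetection) -> dict:
    """Decide the 11.1.2b 'action taken' for a single detection.

    Priority order: a rogue bridged onto an in-scope wire is always removed;
    a persistent rogue heard inside a payment area is located and removed;
    a transient one near a payment area is recorded and re-checked;
    everything out of scope is only logged.
    """
    on_cde_wire = d.wired_segment in CDE_ZONES
    near_cde = d.detected_in_zone in CDE_ZONES
    persistent = (d.last_seen - d.first_seen) >= TRANSIENT_WINDOW

    if on_cde_wire:
        action, reason = "disable_port_and_remove", "rogue bridged onto an in-scope segment"
    elif near_cde and persistent:
        action, reason = "locate_and_remove", "persistent rogue heard inside a payment area"
    elif near_cde:
        action, reason = "record_and_watch", "transient rogue near a payment area; re-check next cycle"
    else:
        action, reason = "log_only", "detected outside the CDE; out of PCI scope"

    return {
        "bssid": d.bssid,
        "ssid": d.ssid,
        "action": action,
        "reason": reason,
        "persistent": persistent,
        "in_scope": on_cde_wire or near_cde,
    }


def triage(detections: List[RogueDetection]) -> List[dict]:
    """Classify every detection; the result list is the evidence record for the cycle."""
    return [classify(d) for d in detections]


def escalations(results: List[dict]) -> List[str]:
    """BSSIDs that need a human to do something this cycle (everything but log_only)."""
    return [r["bssid"] for r in results if r["action"] != "log_only"]


# Constructed sample detections (not real devices or real observations).
T0 = datetime(2016, 1, 25, 9, 0)
SAMPLE = [
    RogueDetection("aa:bb:cc:00:00:01", "Pauls iPhone", T0, T0 + timedelta(minutes=20), "bookstore-pos", None),
    RogueDetection("aa:bb:cc:00:00:02", "linksys", T0, T0 + timedelta(days=3), "bursar-office", None),
    RogueDetection("aa:bb:cc:00:00:03", "TP-LINK_5G", T0, T0 + timedelta(hours=1), "bursar-office", "bursar-office"),
    RogueDetection("aa:bb:cc:00:00:04", "dorm-wifi", T0, T0 + timedelta(days=30), "residence-hall-a", None),
]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['bssid']}  {r['action']:24s} {r['reason']}")
    print("needs action:", escalations(SAMPLE and triage(SAMPLE)))
```

The point of keeping the out-of-scope branch explicit is that the quarterly evidence then shows the assessor both that the campus-wide rogue list was considered and why most of it required nothing beyond a log entry, which is the staffing answer Paul was after. The third sample record, a rogue that the controller traced to a wire in the bursar's office, is the one Brad's reply describes: it is escalated regardless of how briefly it was seen.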
Current thread:
- PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Rumford, Charles C (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Eric Lukens (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Dexter Caldwell (Jan 26)