Re: PCI QUESTION

[Kevin Reedy <KReedy () EXCELSIOR EDU>]

The reference here is to the 'cardholder data environment' or CDE.  If you 
are able to remove a system from the CDE it is no longer in scope for 
PCI-DSS. 

Here is a decent primer on what you can do to limit the scope of the CDE.

http://www.ecommercetimes.com/story/80149.html

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720





From:   "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU, 
Date:   08/09/2016 02:38 PM
Subject:        Re: [SECURITY] PCI QUESTION
Sent by:        The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>



?Your e-commerce website is not connected to any other systems within your 
environment (this can be achieved via network segmentation to isolate the 
website from all other systems)?
 
I don?t find this verbiage in the PCI-DSS 3.2 or any of the associated 
SAQs.  Where do you find it?
 
 
Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203
 
 
 
 
 
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, Keith
Sent: Tuesday, August 09, 2016 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI QUESTION
 
 
 
Barton, Robert W." <bartonrt () LEWISU EDU> has asked how people are 
interpreting the following statement
?Your e-commerce website is not connected to any other systems within your 
environment (this can be achieved via network segmentation to isolate the 
website from all other systems)?
 
 
What I have researched this to understand is that your e-commerce website 
must be physically off the College network so that other infected (non PCI 
scope) systems on the network cannot infect your PCI system (more 
importantly cannot infect your POS devices).  Even if you have a 3rd party 
providing the pages to input CC information, if the CC number goes over 
your network (i.e. the POS devices are connected to your network) it must 
be on its own physical network.  This is an attempt by PCI SSC to limit 
POS malware infection.  As you know POS malware infection has been the 
major CC attack vector for the past few years.  A lot of institutions have 
move the CC processing to a third party in the cloud but still have a 
cashier function or POS devices connected to their network.  That does not 
cut it for the statement above.  The only way to not have the statement 
apply to the College is to move all CC processing to 3rd party and only 
have P2PE devices on your network.
 
I hope this helps answer your question.
 
 
Keith Conlee, JD, MS/BS, PCIP, CISSP, CISA, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599
 
Ph. - 630.942.3055
conlee () cod edu
 
 
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY automatic 
digest system
Sent: Thursday, August 04, 2016 11:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
 
There are 5 messages totalling 888 lines in this issue.
 
Topics of the day:
 
  1. Use of PIN for Self Service Password Reset
  2. PCI Question (3)
  3. 7 question survey on privileged access to sensitive data from 
Teachers
     College
 
----------------------------------------------------------------------
 
Date:    Thu, 4 Aug 2016 10:57:13 -0400
From:    Frank Barton <bartonf () HUSSON EDU>
Subject: Re: Use of PIN for Self Service Password Reset
 
Steve, I would recommend against this - in effect you are proposing to 
create a 4-character password for folks to access their accounts
 
Frank
 
On Wed, Aug 3, 2016 at 5:52 PM, Steve Munson <smunson () marymount edu> 
wrote:
 
> Thank you for the responses. The PIN I am referring to is for the user 
> to confirm identify so that it "can be used ad-nauseam to reset".
>
>
> Steve
>
> On 8/3/16 4:33 PM, Thomas Carter wrote:
>
> In a past life in the corporate world, we used base 32 (
> https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The 
> downside is communicating this to end users (I.E. the digit 1 will 
> never occur because it?s too similar to the letter ?eye? I.
>
>
>
> Thomas Carter
>
> Network & Operations Manager
>
> Austin College
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [ 
> mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> <SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Frank Barton
> *Sent:* Wednesday, August 3, 2016 7:29 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Use of PIN for Self Service Password Reset
>
>
>
> One Caveat that I would strongly suggest if you are using an 
> alphanumeric PIN (and I'm not sure if you mean One-Time-Password, or a 
> user set PIN that can be used ad-nauseam to reset) is to avoid the use 
> of confusing characters (Il1oO0) unless you can control the interface 
> in such a way as to make them very clearly distinct (upper case "I" 
> having the top and bottom cross-bars, "0" having a center diagonal, 
> etc)
>
>
>
> Frank
>
>
>
> On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu>
> wrote:
>
> We are moving to a use of 4 character PIN for self service password 
> reset and am interested to see what standards others have established 
for PINs.
> For example, we are considering setting the PIN requirement to be at 
> least
> 2 characters and 2 numbers. We are planning to use alphanumeric PIN 
> instead of numeric to provide opportunity for more PIN complexity 
> versus numeric only but interested in feedback/perspective from this 
group.
> Regards,
>
> Steve Munson
>
>
> Executive Director, IT Services
>
> Marymount University
>
> Arlington, Virginia
>
>
>
>
>
> --
>
> Frank Barton
>
> ACMT
>
> IT Systems Administrator
>
> Husson University
 
 
--
Frank Barton
ACMT
IT Systems Administrator
Husson University
 
------------------------------
 
Date:    Thu, 4 Aug 2016 20:44:36 +0000
From:    "Barton, Robert W." <bartonrt () LEWISU EDU>
Subject: PCI Question
 
Afternoon,
 
We are working though our PCI DSS compliance, and I was wondering how 
people understood, and then implemented a solution for this statement.
 
?Your e-commerce website is not connected to any other systems within your 
environment (this can be achieved via network segmentation to isolate the 
website from all other systems)?
 
The wording has led to a few questions, and I want to see what others are 
thinking/doing.  If you do not want to reply to the list, feel free to 
send me a private email.
 
Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663
 
This message (including any attachments) is intended only for the use of 
the individual or entity to which it is addressed and may contain 
information that is non-public, proprietary, privileged, confidential, and 
exempt from disclosure under applicable law or may constitute as attorney 
work product.
If you are not the intended recipient, you are hereby notified that any 
use, dissemination, distribution, or copying of this communication is 
strictly prohibited. If you have received this communication in error, 
notify us immediately by telephone at (815)-836-5950 and
(i) destroy this message if a facsimile or (ii) delete this message 
immediately if this is an electronic communication.
 
Thank you.
 
------------------------------
 
Date:    Thu, 4 Aug 2016 20:49:55 +0000
From:    Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
Subject: Re: PCI Question
 
For us this means that a transaction on our website immediately sends 
encrypted information to our 3rd party payment processor and there is 
never a College system involved nor unencrypted data anywhere on College 
computers/servers.
 
 
Charles Curtis
Executive Director of Information Technology Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu<http://www.austincollege.edu/>
[http://www.austincollege.edu/images/AusColl_Logo_Email.gif]
 
 
 
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barton, Robert W.
Sent: Thursday, August 4, 2016 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Question
 
Afternoon,
 
We are working though our PCI DSS compliance, and I was wondering how 
people understood, and then implemented a solution for this statement.
 
?Your e-commerce website is not connected to any other systems within your 
environment (this can be achieved via network segmentation to isolate the 
website from all other systems)?
 
The wording has led to a few questions, and I want to see what others are 
thinking/doing.  If you do not want to reply to the list, feel free to 
send me a private email.
 
Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663
 
This message (including any attachments) is intended only for the use of 
the individual or entity to which it is addressed and may contain 
information that is non-public, proprietary, privileged, confidential, and 
exempt from disclosure under applicable law or may constitute as attorney 
work product. If you are not the intended recipient, you are hereby 
notified that any use, dissemination, distribution, or copying of this 
communication is strictly prohibited. If you have received this 
communication in error, notify us immediately by telephone at 
(815)-836-5950 and (i) destroy this message if a facsimile or (ii) delete 
this message immediately if this is an electronic communication. Thank 
you.
 
------------------------------
 
Date:    Thu, 4 Aug 2016 15:59:57 -0500
From:    Ted Wilder <twilder () MACALESTER EDU>
Subject: Re: PCI Question
 
In the past, I've used direct-post (or other options available by credit 
card processor services) to move e-commerce sites out of PCI-DSS scope. 
The options available are dependent on your credit card processor.
 
 
Ted Wilder
Associate Director
Information Technology Services
Macalester College
 
 
On Thu, Aug 4, 2016 at 3:44 PM, Barton, Robert W. <bartonrt () lewisu edu>
wrote:
 
> Afternoon,
>
>
>
> We are working though our PCI DSS compliance, and I was wondering how 
> people understood, and then implemented a solution for this statement.
>
>
>
> ?Your e-commerce website is not connected to any other systems within 
> your environment (this can be achieved via network segmentation to 
> isolate the website from all other systems)?
>
>
>
> The wording has led to a few questions, and I want to see what others 
> are thinking/doing.  If you do not want to reply to the list, feel 
> free to send me a private email.
>
>
>
> Robert W. Barton
>
> Director of Information Security
>
> Lewis University
>
> One University Parkway
>
> Romeoville, IL  60446-2200
>
> 815-836-5663
>
> This message (including any attachments) is intended only for the use 
> of the individual or entity to which it is addressed and may contain 
> information that is non-public, proprietary, privileged, confidential, 
> and exempt from disclosure under applicable law or may constitute as 
> attorney work product. If you are not the intended recipient, you are 
> hereby notified that any use, dissemination, distribution, or copying 
> of this communication is strictly prohibited. If you have received 
> this communication in error, notify us immediately by telephone at
> (815)-836-5950 and (i) destroy this message if a facsimile or (ii) 
> delete this message immediately if this is an electronic communication. 
Thank you.
>
 
------------------------------
 
Date:    Thu, 4 Aug 2016 22:29:13 -0400
From:    Lawrence Furnival <lrf10 () TC COLUMBIA EDU>
Subject: 7 question survey on privileged access to sensitive data from 
Teachers College
 
Teachers College CISO asks if anyone would like to take a short informal 
survey (2 minutes max) to collect ideas on what universities or colleges 
are doing about privileged access, legal holds etc. We will post the 
results here. 
 
https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv <
https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv>
 
Lawrence Furnival
Enterprise/Security Architect
Teachers College, Columbia University
 
"Доверяй, но проверяй.? ? Ronald Reagan
 
------------------------------
 
End of SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
*************************************************************
 


This message and any attachments contain confidential Excelsior College information intended for the specific 
individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. 
Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.