Re: PCI QUESTION

[Hendra Hendrawan <hendra () YORKU CA>]

I think the emphasis here on the network segmentation, not the e-commerce 
system or any other systems. Depending on the QSA you talk to, network 
segmentation can be achieved with access control list (ACL). One of the 
many challenges that stems from network segmentation exercise is dealing 
with systems that provide infrastructure-type of services: DNS, DHCP, NTP, 
etc. Eventually, implementation cost becomes a significant part of the 
solution.  


Many merchants strive to complete SAQ A by leveraging a Hosted Pay Page 
(HPP) solution--if possible. It reduces the scope and eliminates many 
network segmentation requirements.  




Hendra Hendrawan ? Senior Security Analyst 
Information Security
University Information Technology (UIT)

YORK UNIVERSITY 
108 Steacie Building ? 4700 Keele Street 
Toronto ON ? Canada M3J 1P3
T 416.736.2100 ext 22317 F 416.736.5830
hendra () yorku ca ? www.yorku.ca 

URL: infosec.news.yorku.ca
Facebook: /YorkU.Infosec
Twitter: @YorkU_Infosec

The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU> wrote on 2016/08/09 02:37:13 PM:

> From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Date: 2016/08/09 02:38 PM
> Subject: Re: [SECURITY] PCI QUESTION
> Sent by: The EDUCAUSE Security Constituent Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
>
> ?Your e-commerce website is not connected to any other systems 
> within your environment (this can be achieved via network 
> segmentation to isolate the website from all other systems)?
>
> I don?t find this verbiage in the PCI-DSS 3.2 or any of the 
> associated SAQs.  Where do you find it?
>
>
> Brady McClenon
> Information Technology Security Administrator
> Information Technology Services - IT Security
> B237 Milne Library
> SUNY College at Oneonta
> 607-436-3203
>
>
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, Keith
> Sent: Tuesday, August 09, 2016 11:18 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI QUESTION
>
>
>
> Barton, Robert W." <bartonrt () LEWISU EDU> has asked how people are 
> interpreting the following statement
> ?Your e-commerce website is not connected to any other systems 
> within your environment (this can be achieved via network 
> segmentation to isolate the website from all other systems)?
>
>
> What I have researched this to understand is that your e-commerce 
> website must be physically off the College network so that other 
> infected (non PCI scope) systems on the network cannot infect your 
> PCI system (more importantly cannot infect your POS devices).  Even 
> if you have a 3rd party providing the pages to input CC information,
> if the CC number goes over your network (i.e. the POS devices are 
> connected to your network) it must be on its own physical network. 
> This is an attempt by PCI SSC to limit POS malware infection.  As 
> you know POS malware infection has been the major CC attack vector 
> for the past few years.  A lot of institutions have move the CC 
> processing to a third party in the cloud but still have a cashier 
> function or POS devices connected to their network.  That does not 
> cut it for the statement above.  The only way to not have the 
> statement apply to the College is to move all CC processing to 3rd 
> party and only have P2PE devices on your network.
>
> I hope this helps answer your question.
>
>
> Keith Conlee, JD, MS/BS, PCIP, CISSP, CISA, CBCP
> Chief Security Officer, IT
> College of DuPage
> 425 Fawell Blvd.
> Glen Ellyn, IL 60137-6599
>
> Ph. - 630.942.3055
> conlee () cod edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY 
> automatic digest system
> Sent: Thursday, August 04, 2016 11:00 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
>
> There are 5 messages totalling 888 lines in this issue.
>
> Topics of the day:
>
>   1. Use of PIN for Self Service Password Reset
>   2. PCI Question (3)
>   3. 7 question survey on privileged access to sensitive data from 
Teachers
>      College
>
> ----------------------------------------------------------------------
>
> Date:    Thu, 4 Aug 2016 10:57:13 -0400
> From:    Frank Barton <bartonf () HUSSON EDU>
> Subject: Re: Use of PIN for Self Service Password Reset
>
> Steve, I would recommend against this - in effect you are proposing 
> to create a 4-character password for folks to access their accounts
>
> Frank
>
> On Wed, Aug 3, 2016 at 5:52 PM, Steve Munson <smunson () marymount edu> 
wrote:
> > Thank you for the responses. The PIN I am referring to is for the user 

> > to confirm identify so that it "can be used ad-nauseam to reset".
> >
> >
> > Steve
> >
> > On 8/3/16 4:33 PM, Thomas Carter wrote:
> >
> > In a past life in the corporate world, we used base 32 (
> > https://en.wikipedia.org/wiki/Base32) for easy OCR reading. The 
> > downside is communicating this to end users (I.E. the digit 1 will 
> > never occur because it?s too similar to the letter ?eye? I.
> >
> >
> >
> > Thomas Carter
> >
> > Network & Operations Manager
> >
> > Austin College
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv [ 
> > mailto:SECURITY () LISTSERV EDUCAUSE EDU 
> > <SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Frank Barton
> > *Sent:* Wednesday, August 3, 2016 7:29 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Use of PIN for Self Service Password Reset
> >
> >
> >
> > One Caveat that I would strongly suggest if you are using an 
> > alphanumeric PIN (and I'm not sure if you mean One-Time-Password, or a 

> > user set PIN that can be used ad-nauseam to reset) is to avoid the use 

> > of confusing characters (Il1oO0) unless you can control the interface 
> > in such a way as to make them very clearly distinct (upper case "I" 
> > having the top and bottom cross-bars, "0" having a center diagonal, 
> > etc)
> >
> >
> >
> > Frank
> >
> >
> >
> > On Wed, Aug 3, 2016 at 7:52 AM, Steve Munson <smunson () marymount edu>
> > wrote:
> >
> > We are moving to a use of 4 character PIN for self service password 
> > reset and am interested to see what standards others have 
> established for PINs.
> > For example, we are considering setting the PIN requirement to be at 
> > least
> > 2 characters and 2 numbers. We are planning to use alphanumeric PIN 
> > instead of numeric to provide opportunity for more PIN complexity 
> > versus numeric only but interested in feedback/perspective from this 
group.
> > Regards,
> >
> > Steve Munson
> >
> >
> > Executive Director, IT Services
> >
> > Marymount University
> >
> > Arlington, Virginia
> >
> >
> >
> >
> >
> > --
> >
> > Frank Barton
> >
> > ACMT
> >
> > IT Systems Administrator
> >
> > Husson University
>
>
> --
> Frank Barton
> ACMT
> IT Systems Administrator
> Husson University
>
> ------------------------------
>
> Date:    Thu, 4 Aug 2016 20:44:36 +0000
> From:    "Barton, Robert W." <bartonrt () LEWISU EDU>
> Subject: PCI Question
>
> Afternoon,
>
> We are working though our PCI DSS compliance, and I was wondering 
> how people understood, and then implemented a solution for this 
statement.
> ?Your e-commerce website is not connected to any other systems 
> within your environment (this can be achieved via network 
> segmentation to isolate the website from all other systems)?
>
> The wording has led to a few questions, and I want to see what 
> others are thinking/doing.  If you do not want to reply to the list,
> feel free to send me a private email.
>
> Robert W. Barton
> Director of Information Security
> Lewis University
> One University Parkway
> Romeoville, IL  60446-2200
> 815-836-5663
>
> This message (including any attachments) is intended only for the 
> use of the individual or entity to which it is addressed and may 
> contain information that is non-public, proprietary, privileged, 
> confidential, and exempt from disclosure under applicable law or may
> constitute as attorney work product.
> If you are not the intended recipient, you are hereby notified that 
> any use, dissemination, distribution, or copying of this 
> communication is strictly prohibited. If you have received this 
> communication in error, notify us immediately by telephone at 
> (815)-836-5950 and
> (i) destroy this message if a facsimile or (ii) delete this message 
> immediately if this is an electronic communication.
>
> Thank you.
>
> ------------------------------
>
> Date:    Thu, 4 Aug 2016 20:49:55 +0000
> From:    Charles Curtis <ccurtis () AUSTINCOLLEGE EDU>
> Subject: Re: PCI Question
>
> For us this means that a transaction on our website immediately 
> sends encrypted information to our 3rd party payment processor and 
> there is never a College system involved nor unencrypted data 
> anywhere on College computers/servers.
>
>
> Charles Curtis
> Executive Director of Information Technology Austin College
> 900 North Grand Avenue
> Sherman, TX 75090-4400
> Phone: 903.813.2088
> www.austincollege.edu<http://www.austincollege.edu/>
> [http://www.austincollege.edu/images/AusColl_Logo_Email.gif]
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barton, Robert W.
> Sent: Thursday, August 4, 2016 3:45 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] PCI Question
>
> Afternoon,
>
> We are working though our PCI DSS compliance, and I was wondering 
> how people understood, and then implemented a solution for this 
statement.
> ?Your e-commerce website is not connected to any other systems 
> within your environment (this can be achieved via network 
> segmentation to isolate the website from all other systems)?
>
> The wording has led to a few questions, and I want to see what 
> others are thinking/doing.  If you do not want to reply to the list,
> feel free to send me a private email.
>
> Robert W. Barton
> Director of Information Security
> Lewis University
> One University Parkway
> Romeoville, IL  60446-2200
> 815-836-5663
>
> This message (including any attachments) is intended only for the 
> use of the individual or entity to which it is addressed and may 
> contain information that is non-public, proprietary, privileged, 
> confidential, and exempt from disclosure under applicable law or may
> constitute as attorney work product. If you are not the intended 
> recipient, you are hereby notified that any use, dissemination, 
> distribution, or copying of this communication is strictly 
> prohibited. If you have received this communication in error, notify
> us immediately by telephone at (815)-836-5950 and (i) destroy this 
> message if a facsimile or (ii) delete this message immediately if 
> this is an electronic communication. Thank you.
>
> ------------------------------
>
> Date:    Thu, 4 Aug 2016 15:59:57 -0500
> From:    Ted Wilder <twilder () MACALESTER EDU>
> Subject: Re: PCI Question
>
> In the past, I've used direct-post (or other options available by 
> credit card processor services) to move e-commerce sites out of PCI-
> DSS scope. The options available are dependent on your credit card 
processor.
> Ted Wilder
> Associate Director
> Information Technology Services
> Macalester College
>
>
> On Thu, Aug 4, 2016 at 3:44 PM, Barton, Robert W. <bartonrt () lewisu edu>
> wrote:
>
> > Afternoon,
> >
> >
> >
> > We are working though our PCI DSS compliance, and I was wondering how 
> > people understood, and then implemented a solution for this statement.
> >
> >
> >
> > ?Your e-commerce website is not connected to any other systems within 
> > your environment (this can be achieved via network segmentation to 
> > isolate the website from all other systems)?
> >
> >
> >
> > The wording has led to a few questions, and I want to see what others 
> > are thinking/doing.  If you do not want to reply to the list, feel 
> > free to send me a private email.
> >
> >
> >
> > Robert W. Barton
> >
> > Director of Information Security
> >
> > Lewis University
> >
> > One University Parkway
> >
> > Romeoville, IL  60446-2200
> >
> > 815-836-5663
> >
> > This message (including any attachments) is intended only for the use 
> > of the individual or entity to which it is addressed and may contain 
> > information that is non-public, proprietary, privileged, confidential, 

> > and exempt from disclosure under applicable law or may constitute as 
> > attorney work product. If you are not the intended recipient, you are 
> > hereby notified that any use, dissemination, distribution, or copying 
> > of this communication is strictly prohibited. If you have received 
> > this communication in error, notify us immediately by telephone at
> > (815)-836-5950 and (i) destroy this message if a facsimile or (ii) 
> > delete this message immediately if this is an electronic 
> communication. Thank you.
> >
>
> ------------------------------
>
> Date:    Thu, 4 Aug 2016 22:29:13 -0400
> From:    Lawrence Furnival <lrf10 () TC COLUMBIA EDU>
> Subject: 7 question survey on privileged access to sensitive data 
> from Teachers College
>
> Teachers College CISO asks if anyone would like to take a short 
> informal survey (2 minutes max) to collect ideas on what 
> universities or colleges are doing about privileged access, legal 
> holds etc. We will post the results here. 
>
> https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv <
> https://tccolumbia.qualtrics.com/jfe/form/SV_b1xxGEKHDDqSgZv>
>
> Lawrence Furnival
> Enterprise/Security Architect
> Teachers College, Columbia University
>
> "Доверяй, но проверяй.? ? Ronald Reagan
>
> ------------------------------
>
> End of SECURITY Digest - 3 Aug 2016 to 4 Aug 2016 (#2016-116)
> *************************************************************