Educause Security Discussion mailing list archives

Re: mobile POS system


From: Scott Weyandt <scott.weyandt () MORANTECHNOLOGY COM>
Date: Tue, 5 Aug 2008 12:54:02 -0700

Mark,

Our experience is that a very limited number of our clients (educational
institutions and businesses alike) utilize wireless with their payment
applications.  Regarding a Point of Sale (PoS) application, this may fall
under the scope of PABP soon to be PA-DSS.  These 2 standards apply to
software vendors and others who develop payment applications that store,
process or transmit cardholder data as part of authorization or settlement,
where these payment applications are sold or distributed to third parties.
However, PABP and PA-DSS do not apply to payment software developed in-house
(not sold to a third party); in this case it would be covered as part of the
merchant's service provider's normal PCI DSS compliance.  

Regarding wireless applications and payment applications using wireless
technology, the wireless technology must be securely implemented.  For
wireless networks transmitting cardholder data, encrypt the transmission by
using Wi-Fi Protected Access (WPA or WPA2) technology, IPSEC, VPN or
SSL/TLS.  Never rely exclusively on Wired Equivalent Privacy (WEP) to
protect confidentiality and access to a wireless LAN.  If WEP is used,
reference PCI DSS Requirement 4.1.1 for details of using WEP.

Experientially, most of the limited customers who use wireless technology
for payment applications use a Unix platform and have excellent key
management processes in place.

Hope this helps.

Scott


*****************************************************************
Scott Weyandt, PhD
Director, Security and Infrastructure Planning
Moran Technology Consulting
3306 Donna Drive
Carlsbad, CA  92008
877-214-2980 (Voice & Fax)
Website:  www.MoranTechnology.com
*****************************************************************


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Tuesday, August 05, 2008 7:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] mobile POS system

Does anyone out there support mobile POS systems with PCI compliance? If 
so, what systems are you running, how do you handle the wireless 
networking, and what restrictions do you have on it?

I have all of the official PCI guidelines, it just seems that wireless 
and PCI do not really mix.

Thank You,

Mark Monroe
