Educause Security Discussion mailing list archives
Re: PCI DSS compliance challenges
From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Wed, 10 Jun 2009 15:18:07 -0400
We have designed our network to only pass specific service requests from each PCI server to the specific support infrastructure server through the firewalls. This, so far, has been sufficient enough to keep the central support servers out of scope. There was a great amount of effort taken to ensure the correct tcp/udp ports are identified, but it has proven to provide more benefits than just PCI Compliance. With the approach of not allowing any traffic to/from the pci servers without proper documentation, we have essentially forced the vendors (most) to provide us with justification for each port opened, in lieu of the vendor favored "permit any any". We have also been able to create accurate portology and physical layout design documents that are available for the auditors. This is a much larger undertaking for the network specialists, but well worth it. ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn [flynngn () jmu edu] Sent: Wednesday, June 10, 2009 2:35 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI DSS compliance challenges Scott Weyandt wrote:
One of my colleagues is a PCI Auditor (QSA and PA-QSA certified). He continually states that you cannot over stress the importance of segregating systems that transfer or store card holder data from the rest of your network. If you do so, you greatly limit the scope of a PCI audit to that network segment and its systems. If you do not, your entire network is potentially in scope for a PCI audit.
Segmentation is certainly baked into the regulations. Even SAQ B and C levels prohibit the card handling devices from being connected to any other systems in the merchant environment. What I don't understand is how infrastructure needs are supposed to be handled. Is an organization that processes a relatively small number of cards supposed to put up redundant support infrastructure such as DNS, DHCP, AD, SMS, and AV servers? If they don't, do all the central infrastructure services come into scope? And if the central infrastructure services come into scope, does the rest of the network because of the intertwining with the infrastructure? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Current thread:
- PCI DSS compliance challenges Basgen, Brian (Jun 10)
- <Possible follow-ups>
- Re: PCI DSS compliance challenges Gary Flynn (Jun 10)
- Re: PCI DSS compliance challenges Scott Weyandt (Jun 10)
- Re: PCI DSS compliance challenges Gary Flynn (Jun 10)
- Re: PCI DSS compliance challenges Brad Judy (Jun 10)
- Re: PCI DSS compliance challenges Greene, Chip (Jun 10)
- Re: PCI DSS compliance challenges Ellen Smout (Jun 10)
- Re: PCI DSS compliance challenges Basgen, Brian (Jun 10)
- Re: PCI DSS compliance challenges Gary Flynn (Jun 10)
- Re: PCI DSS compliance challenges Gary Flynn (Jun 10)
- Re: PCI DSS compliance challenges John Ladwig (Jun 10)
- Re: PCI DSS compliance challenges Ellen Smout (Jun 10)
- Re: PCI DSS compliance challenges Michael Johnson (Jun 10)
- Re: PCI DSS compliance challenges Ellen Smout (Jun 10)
- Re: PCI DSS compliance challenges Gary Flynn (Jun 10)
- Re: PCI DSS compliance challenges Greene, Chip (Jun 10)