Educause Security Discussion mailing list archives

Re: PCI DSS compliance challenges


From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Wed, 10 Jun 2009 15:18:07 -0400

We have designed our network to only pass specific service requests from each PCI server to the specific support
infrastructure server through the firewalls.  This, so far, has been sufficient to keep the central support
servers out of scope.  A great amount of effort was taken to ensure the correct TCP/UDP ports are identified, but
it has proven to provide more benefits than just PCI compliance.  With the approach of not allowing any traffic to/from
the PCI servers without proper documentation, we have essentially forced (most of) the vendors to provide us with
justification for each port opened, in lieu of the vendor-favored "permit any any".  We have also been able to create
accurate portology and physical layout design documents that are available for the auditors.  This is a much larger
undertaking for the network specialists, but well worth it.


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn 
[flynngn () jmu edu]
Sent: Wednesday, June 10, 2009 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS compliance challenges

Scott Weyandt wrote:
One of my colleagues is a PCI Auditor (QSA and PA-QSA certified).  He
continually states that you cannot overstress the importance of segregating
systems that transfer or store cardholder data from the rest of your
network.  If you do so, you greatly limit the scope of a PCI audit to that
network segment and its systems.  If you do not, your entire network is
potentially in scope for a PCI audit.


Segmentation is certainly baked into the regulations. Even SAQ
B and C levels prohibit the card handling devices from being
connected to any other systems in the merchant environment.

What I don't understand is how infrastructure needs are supposed
to be handled. Is an organization that processes a relatively
small number of cards supposed to put up redundant support
infrastructure such as DNS, DHCP, AD, SMS, and AV servers?
If they don't, do all the central infrastructure services
come into scope? And if the central infrastructure services
come into scope, does the rest of the network because of the
intertwining with the infrastructure?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
