Educause Security Discussion mailing list archives
Re: PCI compliance on a university network
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 22 Dec 2009 09:51:46 -0500
On Dec 22, 2009, at 09:12, Flynn, Gerald wrote:

> 6) Instead of giving people two computers, use virtual machines. Base machine will be treated as described above. A virtual machine on that machine will be used to perform non-card functions. The traffic associated with the virtual machine will have its own IP address.

I'm not too sure this would pass the scoping test. VMs are (fairly) trivial to escape from. If I were an auditor, I would not be happy with credit card transactions and out of scope usage happening on the same box. In general, we (Cornell) consider a VM to be an insufficient partitioning device. We are forcing folks to have separate hardware for their PCI-related activities.

You may also want to look into pushing people to use Verifone-style card readers. For some applications, they only need to enter the credit card number once and never worry about it again. Using a telephone-based card swipe/pin-pad reduces the scope for them significantly.

-Dan