Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: Patrick Laughran <plaughran () FRAMINGHAM EDU>
Date: Thu, 25 Mar 2010 10:07:16 -0400
The exact wording from requirement 9.1.2 of the current PCI DSS is "Restrict physical access to publicly accessible network jacks". This is taken from self-assessment questionairre "C". I'm not sure if this also is within scope for "B". -P ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen [zjanse20 () CALVIN EDU] Sent: Thursday, March 25, 2010 10:00 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers Are you saying that because people could buy stuff with credit cards from these common access computers they need to be PCI compliant? This argument makes no sense to me, customer computers are not in scope for PCI and I believe these would have to be considered customer computers unless your employees are using them to store, process, or transmit transactions in the performance of their duties with the university. I would separate them so they don't have access to your internal card holder networks. Like any other machine in the world, they should have access to the external public facing side. However, I'm certainly no authority on PCI, you should confirm your setup with your merchant bank, or QSA. They should be able to answer that for you after learning all the details of your setup. Zach -- Zach Jansen Information Security Officer Calvin College Phone: 616.526.6776 Fax: 616.526.8550
On 3/25/2010 at 9:45 AM, in message
<08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>, "Flynn, Gary" <flynngn () JMU EDU> wrote:
It has been suggested that these types of computers that people could use to perform credit card transactions may be in-scope for PCI compliance requirements. Anyone heard anything like that? I don't see how it could ever work as you couldn't restrict the access to the credit card requesting sites because they could be anywhere. And you really couldn't reliably prevent people from typing them either.
Current thread:
- PCI and common access computers Flynn, Gary (Mar 25)
- <Possible follow-ups>
- Re: PCI and common access computers Chris Green (Mar 25)
- Re: PCI and common access computers Zach Jansen (Mar 25)
- Re: PCI and common access computers Patrick Laughran (Mar 25)
- Re: PCI and common access computers Ewing, Ashley (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Patricia Vendt (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
- Re: PCI and common access computers Basgen, Brian (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Mayne, Jim (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
(Thread continues...)