Educause Security Discussion mailing list archives

Re: PCI and common access computers


From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 11:29:49 -0400

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Thursday, March 25, 2010 10:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and common access computers

Are you saying that because people could buy stuff with credit cards
from these common access computers they need to be PCI compliant? This
argument makes no sense to me, customer computers are not in scope for PCI

These would not be customer owned computers. These would be university 
owned computers made available to customers (students, staff, faculty, 
public, whomever depending on purpose and access requirements).

 and I believe these would have to be considered customer computers
unless your employees are using them to store, process, or transmit
transactions in the performance of their duties with the university.

I would separate them so they don't have access to your internal card
holder networks. Like any other machine in the world, they should have
access to the external public facing side.

However, I'm certainly no authority on PCI, you should confirm your
setup with your merchant bank, or QSA. They should be able to answer
that for you after learning all the details of your setup.

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 3/25/2010 at 9:45 AM, in message
<08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>,
"Flynn, Gary" <flynngn () JMU EDU> wrote:
It has been suggested that these types of computers that people could use
to perform credit card transactions may be in-scope for PCI compliance
requirements. Anyone heard anything like that? I don't see how it could
ever work as you couldn't restrict the access to the credit card requesting
sites because they could be anywhere. And you really couldn't reliably
prevent people from typing them either.
