Educause Security Discussion mailing list archives
Re: Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
From: "Giesige, Rich" <Rich.Giesige () OREGONSTATE EDU>
Date: Mon, 22 Feb 2016 16:58:26 +0000
Just an FYI: I'm guessing it depends on the ISA/QSA that you work with, but we were recently informed that the cellular network now falls into parts of SAQ C because it falls into public networks. I really don't understand that, but one of the QSAs that we had do an audit told us that we had to treat cellular communication as SAQ C.

--
Richard Giesige
IT Security Analyst
Office of Information Security
Oregon State University
"OSU staff will NEVER ask for your password. Never email or share your password with anyone."

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brian Griffith <griffibw () WHITMAN EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, February 22, 2016 at 8:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

We've toyed around with using iPads with cellular modems for this purpose (kiosks). Encrypted, keeps it off our network, sandboxed, etc. Has anybody gone this route, or have positive or negative feedback on that idea?

Thanks,
Brian W. Griffith
Information Security Officer
Whitman College
griffibw () whitman edu

On Mon, Feb 22, 2016 at 7:23 AM, David Sheryn <dsheryn () london edu> wrote:

Hi,

Like Kevin, I'm not a qualified ISA, but my understanding of the situation is as follows:

"If the payment page is securely hosted, and the CDN is properly protected, then a kiosk machine on your network is no different from a student using a computer at home to make the same payment."

The difference is that if the payment is solicited by your organisation AND you run the equipment on which you solicit the payment (or at least if your organisation 'advertises' or 'notifies' that you are providing equipment for the purpose of making a payment), then it is *that* which puts the kiosk into scope for your PCI compliance. The other key difference is that the student's own PC is likely to only have their own CHD going through it, whereas your kiosk is likely to have multiple people's CHD going through it, making it a more fruitful place to attack.

"This kiosk would have to be pretty tightly controlled to ensure no physical or software key loggers are installed, and routinely malware/virus scanned. I'd lock it down with GPO or specialized software to ensure integrity."

Absolutely. Or rebuild it every night with a known clean image?

"I assume there are other machines on your network where employees are able to enter CC#; isn't this the same basic concept?"

If employees are able to enter CHD (CC#) on a customer's behalf, then all of the infrastructure touched by the CHD, and everything connected directly to it, is in scope for PCI compliance. Card Holder Data is very toxic, from a PCI compliance perspective... :-/

Regards
--
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776
www.london.edu | London experience. World impact.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: 22 February 2016 14:50
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

Mandi,

While admittedly not a PCI expert, I think I know it pretty well. I'm a bit confused as to what it is you are looking for. If the payment page is securely hosted, and the CDN is properly protected, then a kiosk machine on your network is no different from a student using a computer at home to make the same payment. This kiosk would have to be pretty tightly controlled to ensure no physical or software key loggers are installed, and routinely malware/virus scanned. I'd lock it down with GPO or specialized software to ensure integrity. I assume there are other machines on your network where employees are able to enter CC#; isn't this the same basic concept? I guess I'm missing the part of PCI you are looking to satisfy aside from those listed above?

-Kevin

From: Mandi Witkovsky <witkovsm () IPFW EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/18/2016 11:52 AM
Subject: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

We have a strong desire by administration to provide a payment terminal/kiosk for students to make payments. We have always had issues providing a compliant kiosk, and in fact have stripped them out of our environment because we don't have the manpower to maintain it. Is anyone using (or know of) hardware/service to outsource this functionality?

Thanks,
Mandi

This message and any attachments contain confidential Excelsior College information intended for the specific individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.