Educause Security Discussion mailing list archives

Re: Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?


From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Mon, 22 Feb 2016 12:24:15 -0500

We are using a hosted pay page and my understanding is that makes us SAQ-A,
not SAQ-A EP, C, or D. We are tokenizing everything; neither our servers
nor our network ever sees the CC# in any way, shape or form. We bounce the
token off our service provider and they handle the transaction for us. We
are strictly a card-not-present merchant for PCI purposes.

Regarding cellular networks, I agree they are as public as the internet
itself, but it depends on the solution you are using. We use a Square
model, whereby the CC reader encrypts the data before it even hits the
iPad, thereby removing us from the transaction altogether. The iPad or
iPhone can't access or store the number; the only one that can decrypt it
is the vendor.

-Kevin



From: David Sheryn <dsheryn () LONDON EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/22/2016 11:17 AM
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



Thanks, Kevin.

My understanding was that if your E2EE solution was 'in hardware', such
that you, the merchant, had no access to the encryption/decryption keys,
then that could take your infrastructure out of scope. But if it's a
software solution, such that you, the merchant, did (potentially) have
access to the encryption/decryption keys (e.g. in a web app running on a
local PC), then it didn't.

But maybe I've misunderstood that.

Regards

--
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: 22 February 2016 15:46
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

One point of clarification:

"If employees are able to enter CHD (CC#) on a customer's behalf, then all
of the infrastructure touched by the CHD, and everything connected directly
to it, is in scope for PCI compliance. Card Holder Data is very toxic,
from a PCI compliance perspective... :-/"

This really depends on how the transmission and web page are set up. I
don't know how others are doing it, but we have encryption happen at both
the transport layer (SSL) and at the application layer, inside the HTML5,
after each keystroke. The decryption happens on the service provider's CDN
(E2EE), therefore taking the actual source machine out of scope (out of
scope of SAQ-D and into SAQ-A, anyway). We still don't process or transmit
CHD on it; that is all handled on the service provider's CDN. I guess we'd
need to know a whole lot more about the back-end architecture to really
understand the data flow and offer a customized solution.

Obviously, if you are talking about a self-service portal with a card swipe
option, everything I have said goes out the window.


-Kevin



From: David Sheryn <dsheryn () LONDON EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/22/2016 10:23 AM
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



Hi,

Like Kevin, I'm not a qualified ISA, but my understanding of the situation
is as follows:

"If the payment page is securely hosted, and the CDN is properly protected,
then a kiosk machine on your network is no different from a student using a
computer at home to make the same payment."

The difference is that if the payment is solicited by your organisation AND
you run the equipment on which you solicit the payment (or at least if your
organisation 'advertises' or 'notifies' that you are providing equipment
for the purpose of making a payment), then it is *that* which puts the kiosk
into scope for your PCI compliance. The other key difference is that the
student's own PC is likely to only have their own CHD going through it,
whereas your kiosk is likely to have multiple people's CHD going through
it, making it a more fruitful place to attack.

"This kiosk would have to be pretty tightly controlled to ensure no
physical or software key loggers are installed, and routinely malware/virus
scanned. I'd lock it down with GPO or a specialized software to ensure
integrity."

Absolutely. Or rebuild it every night with a known clean image?

"I assume there are other machines on your network where employees are able
to enter CC#, isn't this the same basic concept?"

If employees are able to enter CHD (CC#) on a customer's behalf, then all
of the infrastructure touched by the CHD, and everything connected directly
to it, is in scope for PCI compliance. Card Holder Data is very toxic,
from a PCI compliance perspective... :-/

Regards

--
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Direct line +44 (0)20 7000 7776

www.london.edu | London experience. World impact.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: 22 February 2016 14:50
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?

Mandi,

While admittedly not a PCI expert, I think I know it pretty well. I'm a bit
confused as to what it is you are looking for. If the payment page is
securely hosted, and the CDN is properly protected, then a kiosk machine on
your network is no different from a student using a computer at home to make
the same payment.

This kiosk would have to be pretty tightly controlled to ensure no physical
or software key loggers are installed, and routinely malware/virus scanned.
I'd lock it down with GPO or specialized software to ensure integrity.

I assume there are other machines on your network where employees are able
to enter CC#; isn't this the same basic concept?

I guess I'm missing the part of PCI you are looking to satisfy aside from
those listed above?

-Kevin



From: Mandi Witkovsky <witkovsm () IPFW EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/18/2016 11:52 AM
Subject: [SECURITY] Anyone have a PCI/DSS 3.1 Compliant Unattended Payment Terminal Solution?
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



We have a strong desire by administration to provide a payment
terminal/kiosk for students to make payments. We have always had issues
providing a compliant kiosk, and in fact have stripped them out of our
environment because we don't have the manpower to maintain it.

Is anyone using (or know of) hardware/service to outsource this
functionality?

Thanks,
mandi

This message and any attachments contain confidential Excelsior College
information intended for the specific individual and purpose. If you are
not the intended recipient, you should notify the College and delete this
message. Any disclosure, copying, distribution or inappropriate use of this
message is strictly prohibited.