
Are there particular topics or technologies surrounding the Payment Card Industry (PCI) standards you think need additional clarification or guidance? If so, now is your chance - and higher education's chance - to be heard!

The PCI Security Standards Council is soliciting ideas for Special Interest Groups[1] for 2013. Please see Walt Conway's recent post[2] on the Treasury Institute's PCI DSS News and Information blog for instructions on how to send in your suggestions.

Footnotes:
[1] http://tinyurl.com/cgexk3w
[2] http://tinyurl.com/6qkds5v

--
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://protect.iu.edu/tdavis

Comments

Message from millar@mit.edu

Merchants need stronger authentication - probably two-factor. I don't know if the PCI Standards Council can address that or not. It needs to come from the payment processors.

Dave

--
David Millar
Consultant
Massachusetts Institute of Technology
twitter.com/@SecurityTrot

I know this is being worked out now, but with the introduction of mobile devices with CC readers, clarification on when it's appropriate to allow them to communicate over your wireless network if they are using point to point encryption and what safeguards really need to be introduced on those networks.

On Wed, 2012-07-18 at 15:25 +0000, Davis, Thomas R wrote:
> Are there particular topics or technologies surrounding the Payment Card Industry (PCI) standards you think need additional clarification or guidance? If so, now is your chance - and higher education's chance - to be heard!
>
> The PCI Security Standards Council is soliciting ideas for Special Interest Groups[1] for 2013. Please see Walt Conway's recent post[2] on the Treasury Institute's PCI DSS News and Information blog for instructions on how to send in your suggestions.
>
> Footnotes:
> [1] http://tinyurl.com/cgexk3w
> [2] http://tinyurl.com/6qkds5v
>

To add to that, also over other wifi networks, for example at trade shows.

On Wed, 2012-07-18 at 10:11 -0700, David Pirolo wrote:
> I know this is being worked out now, but with the introduction of mobile devices with CC readers, clarification on when it's appropriate to allow them to communicate over your wireless network if they are using point to point encryption and what safeguards really need to be introduced on those networks.
>
>
> On Wed, 2012-07-18 at 15:25 +0000, Davis, Thomas R wrote:
> > Are there particular topics or technologies surrounding the Payment Card Industry (PCI) standards you think need additional clarification or guidance? If so, now is your chance - and higher education's chance - to be heard!
> >
> > The PCI Security Standards Council is soliciting ideas for Special Interest Groups[1] for 2013. Please see Walt Conway's recent post[2] on the Treasury Institute's PCI DSS News and Information blog for instructions on how to send in your suggestions.
> >
> > Footnotes:
> > [1] http://tinyurl.com/cgexk3w
> > [2] http://tinyurl.com/6qkds5v
> >

Hi David,

This from Walt Conway regarding mobile devices:

"Both MasterCard and Visa have issued their guidelines which I've written about at StorefrontBacktalk: http://storefrontbacktalk.com/securityfraud/mobile-pos-moves-forward-wit... and http://storefrontbacktalk.com/securityfraud/visa-joins-mastercard-in-relegating-pci-to-an-afterthought/."

--
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://protect.iu.edu/tdavis

Unfortunately I don't have a subscription for full access to this article.

Essentially this is saying to work with your acquirer or payment brand to make the determination on how it best fits. The confusion is that our acquirer has stated that we need to follow SAQ-cvt. The issue with this is Requirement 4, which states open public network. What about the requirements for the college private networks that this may be connecting through? Based on this doc I believe that it's a moot issue for the merchant and responsibility falls to the solution provider if the device is P2PE. The merchant would just be responsible for securing the device.
https://www.pcisecuritystandards.org/documents/P2PE_%20v%201-1.pdf

The other issue is requirement 5-AV software. The P2PE doc doesn't appear to address that.

-David

On Thu, 2012-07-19 at 10:59 +0000, Davis, Thomas R wrote:
> Hi David,
>
> This from Walt Conway regarding mobile devices:
>
> "Both MasterCard and Visa have issued their guidelines which I've written about at StorefrontBacktalk: http://storefrontbacktalk.com/securityfraud/mobile-pos-moves-forward-wit... and http://storefrontbacktalk.com/securityfraud/visa-joins-mastercard-in-relegating-pci-to-an-afterthought/."
>

Lo and behold, a new SAQ for P2PE devices...
https://www.pcisecuritystandards.org/documents/PCI_SAQ_P2PE-HW_v2.pdf

This may answer a few of my questions.

On Thu, 2012-07-19 at 09:36 -0700, David Pirolo wrote:
> Unfortunately I don't have a subscription for full access to this article.
>
> Essentially this is saying to work with your acquirer or payment brand to make the determination on how it best fits. The confusion is that our acquirer has stated that we need to follow SAQ-cvt. The issue with this is Requirement 4, which states open public network. What about the requirements for the college private networks that this may be connecting through? Based on this doc I believe that it's a moot issue for the merchant and responsibility falls to the solution provider if the device is P2PE. The merchant would just be responsible for securing the device.
> https://www.pcisecuritystandards.org/documents/P2PE_%20v%201-1.pdf
>
> The other issue is requirement 5-AV software. The P2PE doc doesn't appear to address that.
>
> -David
>
>
>
> On Thu, 2012-07-19 at 10:59 +0000, Davis, Thomas R wrote:
> > Hi David,
> >
> > This from Walt Conway regarding mobile devices:
> >
> > "Both MasterCard and Visa have issued their guidelines which I've written about at StorefrontBacktalk: http://storefrontbacktalk.com/securityfraud/mobile-pos-moves-forward-wit... and http://storefrontbacktalk.com/securityfraud/visa-joins-mastercard-in-relegating-pci-to-an-afterthought/."
> >

Well, that'll be nice for a very limited set of my merchants. *very* limited. Once you can actually buy the gear and services, that is. -jml
