Is PayPal in Scope for PCI...Maybe!

Everybody knows that PCI only applies to card transactions on the five major card brands (Amex, Discover, JCB, MasterCard, and Visa), right? Well, maybe not. There might be situations where PayPal transaction could be included in your PCI scope. Read on to see what I mean.

Many (although not all) PayPal accounts link back to an underlying payment card. Therefore, the PayPal transaction in many cases will trigger a transaction on the underlying Visa, MasterCard, or whatever. This situation looks to me a lot like a "high-value token" as defined by the PCI Council in their Tokenization Guidance document. Specifically, a high-value token is one that "could potentially be 'monetized' or used to generate fraudulent transactions." That definition sure sounds like a PayPal transaction to me.

The Council's guidance goes on to suggest that tokens "that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data."

Combining these two thoughts -- that PayPal might be considered high-value tokens, and that high-value tokens are in scope for PCI -- leads me to ask the question: When are PayPal transactions in scope?

I explored this topic in more detail in my regular column at StorefrontBacktalk.com exploring the circumstances under which I as a QSA might consider PayPal transactions to be in scope for PCI. Like all my columns at StorefrontBacktalk, this one is free so you can click here to have a look (at least for the week or so after it is published). You might also want to read a follow-up column with more details on the Home Depot pilot program.

How will this affect your campus? I don't know. Right now, I'm mainly posing the question and I'd appreciate any feedback. There are some good comments on my column (be sure to read those, too) that generally support the concept that these transactions might be in scope.

If you have campus merchants that take PayPal, you might want to give this idea a thought when you consider your PCI scoping and compliance validation. You also should include it in your PCI training for campus merchants.

pcAnywhere Users Alert -- Patch Now!

SANS reports that Symantec has just released a document describing vulnerabilities for pcAnywhere users. You can click here to get details and a link to the document.

I know many campuses use pcAnywhere, and if that includes you and your campus, the advice is simple: patch it NOW!

SANS also reports that someone -- possibly/likely a bad guy -- has started scanning looking for services on port 5631 (used by pcAnywhere). While this is only one incident, the number of places using pcAnywhere is pretty high.

A Suggestion for Your Open Campus PCs

I was reading the latest news about City College of San Francisco administrators urging students and staff not to use their computers for sensitive purposes like online banking, when I had an idea (also see here for my earlier post). Certainly City College is not the only institution with lots of PCs available for student and staff use but without the means to protect those devices. My guess is everyone reading this blog has a similar situation on their campus.

My idea is simply to post a sign above each one something like the one above. It seems that if the institution cannot stop students from downloading malware (and who can?) or even installing malware intentionally (it could happen), then it makes sense to have some kind of warning for casual users. A good place to start might be to just tell users that if they are visiting a site that requires a password, that site likely contains some personal or financial information they might not want going to the bad guys.

The Web is a dangerous place. Maybe that should be part of everyone's education.

Computer Viruses Stole User Data...for Years

I saw an article in today's San Francisco Chronicle describing how the computers at City College may have been infected with a number of viruses. The situation is not good. The devices were sending personal data to addresses in Russia, China, and other places, and the IPs in some cases were known criminal operations. You can read about it here, and it is not pretty reading.

It isn't surprising that general purpose workstations are used by students for all kinds of purposes, including research. In visiting a lot of sites and checking assorted social networking sites, the machines can become infected. In many cases, this would be just annoying since the most that any bad guys might get would be your course schedule. But things are not that simple.

Your students (and faculty and staff and ...) also use those machines to do home banking, check credit card accounts, and do all kinds of other stuff where their credentials can be stolen and shipped off to badguys.com. And that appears to be what happened here.

Oh, by the way, it looks like it has been happening for years. That's not a typo. Years. And "tens of thousands of students."

There is a lesson here. PCI requirements for anti-virus and other protections should apply across the board. Users should be warned that the person before them may have inadvertently downloaded a virus or other malware, so don't do anything confidential or financial. We live in a dangerous world, and the Internet is a very dangerous place.

I don't know how all this will work out for City College, which is a fantastic institution. I've taken a few courses there, and the faculty is great. The big thing on this Friday 13th is to learn a lesson about the need to protect the systems your students, faculty, and staff use.

PCI Workshop Agenda is Available

The Treasury Institute has posted the agenda for the 2012 PCI Workshop on its website. You can click here to view the agenda and/or register. Once again we will begin Monday afternoon with a series of briefings on PCI developments that have a direct impact on Higher Education. The Tuesday sessions are led by your peers from schools nationwide (I'm really looking forward to several in particular). Wednesday will be mostly interactive with our expert panel and the ever-popular Information Sharing session.

Personally, I am very excited about this, the Treasury Institute's seventh (!) multi-day PCI workshop (and ninth PCI workshop overall). I also want to thank all of you who volunteered to join our faculty. I was a bit overwhelmed by the extremely high quality of people and ideas I received. Narrowing down the field to the present list was not easy. Thank you to all who volunteered or helped with agenda topic suggestions.

Please be sure to make plans to join us again in Indianapolis. The dates are April 23-25. We have a reasonably large block of rooms at the hotel, but it might be a good idea not to wait too long as I am expecting another good-sized group this year.

PCI Workshop - Last Call for Speakers!

I am finalizing the agenda for the upcoming PCI Workshop. I have some interesting schools presenting, and I'm really happy to announce that I have managed to wrangle Mike Dahn as our guest speaker. Mike is a security expert and has been closely involved with PCI DSS since the earliest days. He (together with his partner) developed and led the training for QSAs for several years, so he knows what he is talking about. Mike spoke once before a couple of years ago, and he electrified the audience. I'm sure that this year will be the same. I am also hoping to have the PCI Council back with us again.

But that is only part of the picture.

As most of you know, this is a 3-day workshop -- April 23-25, 2012 -- exclusively for Higher Education. I still need a few speakers to round out the agenda. If you are willing and able to share your experience, please let me know (wconway@403labs.com). Here are some topic areas that you have told me you would like to hear more about:

• How do I get my Micros dining system (or hotel operation) compliant?
• How can I reduce my campus' PCI scope (changing processes, networks, etc.)?
• Where does Voice-over-IP (VOIP) fit, and how does it affect my PCI scope?
• What does a dedicated payment workstation look like?
• How do other schools allocate costs across departments and secure funding for PCI compliance?
• Policies: what have other schools done to develop and implement all the policies required by PCI?
• A team presentation: What the business side needs to know about IT; What IT needs to know about the business side. Maybe with two people from different schools!?! Let me know.
• Or...just about anything you found important.

In case you need an incentive, how about this: speakers attend the workshop free, and the Treasury Institute pays your hotel expenses. About all you have to do is get yourself there.

The success of the workshop relies on schools sharing their experiences and learning with each other. Please shoot me an email or leave a comment (I moderate them, so I'll see it and it won't be published) and I'll be in touch.

I'll look forward to seeing you in April. Now after you email me with your speaking ideas, get over to the Institute's website and register!