Educause Security Discussion mailing list archives

Re: Credit Card Authorization


From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Fri, 20 May 2005 09:47:14 -0400

For those of you not on the CIO listserve, the following may be of interest:



NACUBO is sponsoring a webcast on this very topic next Tuesday, May 24.  See
http://www.nacubo.org/x6156.xml
Afterward, we hope to formulate a more comprehensive strategy.

Don

______________________________________

Don Volz
Interim Director, Technology Resources
Texas State University-San Marcos
Email: don.volz () txstate edu
Voice: 512-245-2501
FAX: 512-245-8597



  _____

From: The EDUCAUSE CIO Constituent Group Listserv
[mailto:CIO () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Argo
Sent: Tuesday, May 17, 2005 10:16 AM
To: CIO () LISTSERV EDUCAUSE EDU
Subject: [CIO] Cardholder Information Security Program (CISP) Compliance


Recently we received a payment card industry (PCI) self-assessment
questionnaire to complete in demonstrating our compliancy with CISP.  I am
interested in hearing from others who have been involved with this
compliance issue and what methods you used to meet compliancy. What
qualified scan vendor are you using and how did you determine that choice?
Here is some information about the program:

CISP compliance is required of all merchants and service providers that
store, process, or transmit Visa cardholder data.  The program applies to
all payment channels, including retail (brick-and-mortar), mail/telephone
order, and e-commerce. To achieve compliance with CISP, merchants and
service providers must adhere to the Payment Card Industry (PCI) Data
Security Standard, which offers a single approach to safeguarding sensitive
data for all card brands.  The standard is a result of a collaboration
between Visa and MasterCard and is designed to create common industry
security requirements, incorporating the CISP requirements.

It appears that the Payment Card Industry Data Security Standard as of
January 2005 has been adopted as a joint standard for all the credit card
companies.  Also, part of the compliancy includes running internal and
external network vulnerability scans at least quarterly.  Additionally the
external vulnerability scans must be performed by a scan vendor qualified by
the payment card industry.




Thanks!

Mike Argo
Security and Compliance Officer

Information Technology Services
Mississippi State University
mikeargo () its msstate edu
Phone: 662-325-9311
Fax: 662-717-4011

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax


  _____

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chad McDonald
Sent: Thursday, May 19, 2005 12:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Credit Card Authorization


We are looking for recommendations for vendors that provide credit card
services, particularly in relation to university alumni.  The solutions
that we have been presented with to date require that credit card
information be stored on local resources, a practice that makes me
particularly wary.  If any of your institutions have had success in
implementing an alumni oriented portal or donation system that securely
authorizes credit cards and does not store any credit information locally, I
would appreciate any information that you could provide.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
