Educause Security Discussion mailing list archives
Re: Merchant services credit card project
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Mon, 27 Jun 2005 08:43:29 -0400
The wording that is on the cardholder site, and from our scanning vendor, is any system that "stores, processes or transmits" cardholder data. That was problem 1 - finding all of those systems on our campus. The Verifones were not included. Once we found (or continue to find) the systems, we were able to go through the questions.

Our firewall set-up seems to be enough to be able to answer yes to the questions. We have a firewall at the Internet gateway, and we split into three networks (ResNet, general campus and smaller administrative) with a firewall at the head of each. Fortunately, so far, all of the systems / servers have been on the administrative network. The question just asks if NAT is used, and we just finished that project, so we'll answer YES - we aren't going to dig any further. There's too much other work.

The big issues for us have been verifying all the password complexity rules on all the systems involved, verifying the log management issues, getting the answers together for the router questions, looking at the applications to make sure cookies are encrypted and stuff like that. And then there's the work that the first round of scanning uncovered - even though we had paid for an external scan and audit just last year.

Theresa

---- Original message ----
Date: Mon, 27 Jun 2005 07:11:51 -0500
From: Willis Marti <wmarti () TAMU EDU>
Subject: Re: [SECURITY] Merchant services credit card project
To: SECURITY () LISTSERV EDUCAUSE EDU

OK. That's the definition I've been pushing. So the next question is (also part of the debate), what constitutes a firewall? Can it be host-based (this was implied) or must it be a network appliance? Or, can it be router ACLs using the established keyword for providing basic stateful inspection protection?

The current guidance we've received is that if the credit card processing system *stores* CC data, one must have an external FW. Host-based FWs don't do NAT. If the system only does, for example, data entry, then a host FW may be ok.

I don't see any technical difference between a "router" and a "firewall" if the functionality is equivalent.

Cheers,
Willis Marti
Associate Director for Networking
Computing & Information Services
Texas A&M University
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
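The quoted question asks whether router ACLs using the established keyword amount to "basic stateful inspection". The Python model below is an added example, not code from either poster or from the EDUCAUSE list. It assumes the Cisco IOS semantics of `established` (a match whenever the TCP ACK or RST bit is set) and uses constructed addresses and packets; the hypothetical `established_acl` and `StatefulFilter` names are mine. It replays the same inbound segments through a flag-only check and through a minimal connection tracker so the difference is visible rather than argued.

```python
"""Contrast a router ACL using the IOS-style 'established' keyword with a
connection-tracking (stateful) filter.

Assumption: IOS 'established' matches any TCP segment with the ACK or RST
bit set, without the router knowing whether a connection was ever opened.
All addresses and packets below are constructed for the example.
"""
from dataclasses import dataclass, field

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed administrative network; a prefix test stands in for a real mask.
INSIDE_NET = "10.1.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def established_acl(pkt: Packet) -> bool:
    """Model of 'permit tcp any <inside-net> established' applied inbound
    on the outside interface. The decision uses this packet's flag bits
    only; no connection state is consulted."""
    return is_inside(pkt.dst) and bool(pkt.flags & (ACK | RST))


@dataclass
class StatefulFilter:
    """Minimal connection tracker: an inbound segment is accepted only if
    it belongs to a connection that an inside host opened."""
    table: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        # An inside host sending a bare SYN opens a connection; remember the 4-tuple.
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Reverse the 4-tuple and require that the connection exists.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """Replay three constructed inbound packets through both filters and
    return {name: (established_acl verdict, stateful verdict)}."""
    sf = StatefulFilter()
    # An inside host opens an HTTPS connection to an outside server.
    sf.outbound(Packet("10.1.1.20", 40000, "198.51.100.7", 443, SYN))

    inbound = {
        # Outside host tries to open a connection to an inside server.
        "unsolicited_syn": Packet("203.0.113.9", 5555, "10.1.1.50", 22, SYN),
        # Legitimate reply to the connection the inside host opened.
        "reply_synack": Packet("198.51.100.7", 443, "10.1.1.20", 40000, SYN | ACK),
        # ACK-flagged probe to an inside host with no connection open.
        # The flag-only ACL admits it; the connection tracker does not.
        "ack_probe": Packet("203.0.113.9", 5555, "10.1.1.50", 22, ACK),
    }
    return {name: (established_acl(p), sf.inbound(p)) for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (acl_ok, stateful_ok) in run_scenario().items():
        print(f"{name:16s} established ACL: {acl_ok!s:5}  stateful: {stateful_ok}")
```

The model is deliberately small: a real tracker also has to expire entries, watch FIN/RST teardown, check sequence numbers and handle UDP and ICMP. The point it does show is that `established` is a per-packet test on two flag bits, so anything an outside host sends with ACK set reaches the inside net, which is why that style of ACL is usually classed as stateless packet filtering rather than stateful inspection.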
Current thread:
- Merchant services credit card project Theresa M Rowe (Jun 24)
- <Possible follow-ups>
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 26)
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Theresa M Rowe (Jun 27)