Educause Security Discussion mailing list archives
Re: PCI compliance on a university network
From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Tue, 22 Dec 2009 06:23:07 -0600
We are a QSA that has addressed your scoping question at least once a week from an educational institution or municipality. With all respect to your finance department for being aware and working with you on PCI, they are not security folks. I applaud your seeking other input. Just a couple of points to stir things up.

Using a gateway (CashNet, AuthNet or other) does not remove any institution's responsibility for being PCI compliant. A virtual terminal or a gateway can reduce scope. It is a near fatal error to rely on the gateway to provide your institution coverage for PCI. It is the same for the argument of tokenization or encryption. To quote Troy Leach from the PCI Council: "There is no silver bullet."

What is the level of documentation you have on the system? Identifying all access points is critical. How are you monitoring the network for rogue devices (such as the one you highlighted by a club using university resources)? How are you quarantining?

You make no mention of an acceptable use policy. (I suggest you look at this listserv archive to find some of the threads on this subject.) A solid student- and faculty-signed acceptable use policy will help deter wrongful activities (or at least give you the premise to legally pursue perps).

Finally, it is important that someone on your team (you?) become the knowledge leader in PCI. It may make sense for the university to reach out to a QSA for a gap conversation. This is not a shameful plug, but if we can help, please let me know off line and I will respond. Otherwise, keep up the good fight.

Michael Johnson
ComplyGuard Networks
516 887 0178

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
Sent: Tuesday, December 22, 2009 12:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance on a university network

I'm working with our finance offices to evaluate our PCI compliance levels on our network. The documentation I have from them doesn't adequately define the "cardholder data environment." For a couple of our areas where we do credit card transactions, we isolate the network traffic for those POS terminals using VLANs, and then they do encrypted traffic across the Internet to a payment vendor. This includes places like our food services vendor and our bookstore.

However, we also do on-demand credit card cashiering sites using CashNet. Those sites can pop up throughout the network, and we use PCI compliant devices, and CashNet is PCI compliant as well. We actually went with CashNet in the hopes of avoiding the need to be internally PCI compliant, since that effectively outsources credit card processing (or so my finance office told me). It ends up that we own at least one server that does direct credit card processing (Blackboard Transaction Server), which has the finance office understanding that we have to be PCI compliant internally.

As I look at this, though, I'm wondering just how much of our network has to be compliant? For example, if we don't do anything with credit cards on the residence hall network and there is a firewall between it and the administrative network, does the student network have to be PCI compliant? What if a club sets up a CashNet cashiering site in one of the residence halls for the weekend? What if we create a VLAN for that cashiering site in the residence hall network? As another example, since we use Active Directory for authentication, do all AD domain controllers automatically fall in the cardholder data environment? What if it's a read-only DC?

The scope of areas that require PCI compliance feels significant. I'm wondering how other schools are handling PCI compliance from the IT side?

Thanks,
Greg

Greg Francis
Director, CCNSS
Gonzaga University
francis () gonzaga edu
509-313-6896
Current thread:
- PCI compliance on a university network Greg Francis (Dec 21)
- <Possible follow-ups>
- Re: PCI compliance on a university network Gary Dobbins (Dec 22)
- Re: PCI compliance on a university network James R. Pardonek (Dec 22)
- Re: PCI compliance on a university network Michael Johnson (Dec 22)
- Re: PCI compliance on a university network Flynn, Gerald (Dec 22)
- Re: PCI compliance on a university network Flynn, Gerald (Dec 22)
- Re: PCI compliance on a university network John Ladwig (Dec 22)
- Re: PCI compliance on a university network Daniel Adinolfi (Dec 22)
- Re: PCI compliance on a university network Paul Kendall (Dec 22)
- Re: PCI compliance on a university network HALL, NATHANIEL D. (Dec 22)
- Re: PCI compliance on a university network Flynn, Gerald (Dec 22)
- Re: PCI compliance on a university network Joel Rosenblatt (Dec 22)
- Re: PCI compliance on a university network Allison Dolan (Dec 22)
- Re: PCI compliance on a university network Flynn, Gerald (Dec 22)
(Thread continues...)