Educause Security Discussion mailing list archives
Re: On-Campus Credit Card Transactions
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Wed, 21 Mar 2012 14:12:15 +0000
In our system, we have part-time PCI DSS expertise in our system office Information Security group. We're involved in PCI compliance support and consulting, coordinate special network and firewall engineering, and contract for QSA services.

We have also developed some compliance-support materials for merchant use, because we find that actual merchant staff, as well as campus finance and IT leadership, have a pretty hard time working with just the SAQ requirements.

We established a systemwide contract for ASV scanning via a SaaS offering for use by merchants across our system, and we offer special advice and configuration help for using our vulnerability management system in merchant compliance efforts.

As far as on-premise concessionaires, we have got almost all of them moved off to their own ISP services, so we don't have a level-1 service provider obligation to *their* PCI compliance problem. "Moved off" means, last time we got a QSA opinion, that there are no campus-owned electronics in the merchant's cardholder data environment. We will offer dry copper or dark fiber from onsite locations to a convenient demarc/POP where the ISP connects up to the concessionaire.

Hope that helps some.

-jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kimberly Heimbrock
Sent: Wednesday, March 21, 2012 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

In a related question... curious to know about any .edu's that now have a dedicated PCI office and/or resources that work toward PCI compliance? Seems to be a growing trend to set up a PCI office that is dedicated (and supported by executive leadership).

Also - how are external partners such as food service, bookstores, sports arenas, etc. encouraged and/or forced to comply since they are typically separate entities but are most often using university networks?

Thanks in advance for your replies.

Kim Heimbrock
Director, IT Policy and Compliance
Northern Kentucky University
(859) 572-5139
heimbrockk () nku edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Hickernell
Sent: Wednesday, March 21, 2012 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

All of our credit card machines have dedicated phone lines for processing payments. At locations such as the book store, where the credit card reader is integrated into the POS, the transactions are sent through a server in a secluded network before being processed. This server is maintained by the POS vendor and is not connected to the University's network.

Payments that are generated by Housing or Student Accounts for tuition, room, board, etc. are off-loaded to TouchNet for processing. TouchNet only receives the payment details from our systems. They are responsible for acquiring the CC number from the user, processing the payment, and then returning the results to our systems - so no credit card number is ever acquired by an on campus system and never traverses our network.

Christopher Hickernell, CCNA, MCSE
Network Support Specialist, ResNet Manager
Clarion University of Pennsylvania
Center for Computing Services
G-13 Still Hall, Clarion, PA 16214
chickernell () clarion edu | 814.393.2218

"To be a long-term success, you have to have failures. People who are working near their limit make mistakes and take risk."
~Gerry McCartney, Purdue University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Yoka
Sent: Monday, March 19, 2012 6:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] On-Campus Credit Card Transactions

I have noticed from some of the EDUCAUSE archives that there are some institutions who have the policy of disallowing the storage, processing, or transmission of credit card information for any system on their network. For those who have been successful with this, how are you enabling credit card transactions on-campus at places like the bookstore, cafes, or any other point-of-sale?

--
Robert J. Yoka
Information Security Administrator
Information Technology
York College of Pennsylvania
441 Country Club Road
York, PA 17403
Email: ryoka () ycp edu
Voice: 717-815-1784
Cell: 717-577-0737

This information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies.

Current thread:
- On-Campus Credit Card Transactions Robert Yoka (Mar 19)
- Re: On-Campus Credit Card Transactions Solem, Vik P. (Mar 20)
- Re: On-Campus Credit Card Transactions Christopher Hickernell (Mar 21)
- Re: On-Campus Credit Card Transactions Kimberly Heimbrock (Mar 21)
- Re: On-Campus Credit Card Transactions John Ladwig (Mar 21)
- Re: On-Campus Credit Card Transactions Aaron Hockett (Mar 21)
- Re: On-Campus Credit Card Transactions Kimberly Heimbrock (Mar 21)