Educause Security Discussion mailing list archives
Re: On-Campus Credit Card Transactions
From: Aaron Hockett <AHockett () WARNERPACIFIC EDU>
Date: Wed, 21 Mar 2012 07:22:41 -0700
Just to chime in on this, we are in the middle of building out a sub-network for our PCI DSS transactions. For us, making our main network PCI compliant would've been a monstrous task; simply spending the capital to have a sub-network made more sense.

We are running our PCI network w/ an SSG-5 Juniper Firewall cascaded down to HP V1910 switches w/ fiber between the buildings. Any and all computer systems or POS systems will have DHCP reservations on our DC with the DHCP scope disabled and only the permitted MAC address for the reservation allowed. I am also building out our switches to enable DHCP snooping for the DC as well as 1-to-1/2-to-1 static MAC addressing per physical port of the machines connected (in some cases we have to have a Netgear 5-port switch, so two MAC addresses are allowed per port).

All Windows-based machines will have patch management via the DC and WSUS as well as anti-virus management. The Windows workstations only have the allowed website for CC transactions so no gratuitous web browsing can occur from those machines. All of this network is pumped into our SSG-5, which runs into our SSG-140 HA firewalls and out to the internet. I won't bore anyone with the policies on the firewall per machine/POS system (as those will be different depending on the vendor) but the SSG-5 is set up with a simple Untrust and Trust grouping.

The biggest thing with doing a project like this is the documentation. I've physically had the gear now for almost a week and a half and I've been not only vetting the hardware for failures, firmware updates and other netadmin duties, but also having to document each sub-screen of the firewall and the switches.

In a perfect world, I would say push all CC transactions outside of your network so you don't have to deal with PCI on your network. The reality is that this is quickly becoming the norm, with vendors like Square and Intuit offering processing on iPad and Android tablets where, even if it communicates over a wireless network, the encrypted traffic and actual transaction take place offsite.

Good luck everyone.

-Aaron

Aaron Hockett
Network Systems and Securities Manager
Warner Pacific College
2219 SE 68th Ave., Portland, OR 97215
ahockett () warnerpacific edu
www.warnerpacific.edu
tel: 503-517-1203 | fax: 503-517-1352

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Hickernell
Sent: Wednesday, March 21, 2012 6:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

All of our credit card machines have dedicated phone lines for processing payments. At locations such as the book store, where the credit card reader is integrated into the POS, the transactions are sent through a server in a secluded network before being processed. This server is maintained by the POS vendor and is not connected to the University's network.

Payments that are generated by Housing or Student Accounts for tuition, room, board, etc. are off-loaded to TouchNet for processing. TouchNet only receives the payment details from our systems. They are responsible for acquiring the CC number from the user, processing the payment, and then returning the results to our systems - so no credit card number is ever acquired by an on-campus system and never traverses our network.

Christopher Hickernell, CCNA, MCSE
Network Support Specialist, ResNet Manager
Clarion University of Pennsylvania
Center for Computing Services
G-13 Still Hall, Clarion, PA 16214
chickernell () clarion edu | 814.393.2218

"To be a long-term success, you have to have failures. People who are working near their limit make mistakes and take risk." ~Gerry McCartney, Purdue University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Yoka
Sent: Monday, March 19, 2012 6:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] On-Campus Credit Card Transactions

I have noticed from some of the EDUCAUSE archives that there are some institutions who have the policy of disallowing the storage, processing, or transmission of credit card information for any system on their network. For those who have been successful with this, how are you enabling credit card transactions on-campus at places like the bookstore, cafes, or any other point-of-sale?

--
Robert J. Yoka
Information Security Administrator
Information Technology
York College of Pennsylvania
441 Country Club Road
York, PA 17403
Email: ryoka () ycp edu
Voice: 717-815-1784
Cell: 717-577-0737
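Added example, not part of any message in this thread: one way to audit the two allow-lists Aaron Hockett describes (DHCP reservations only, and one or two static MACs per switch port) against what a switch actually sees. The port names, MAC addresses, IP addresses and data layout are constructed assumptions, not taken from any vendor export.

```python
import re

def norm_mac(mac):
    """Canonicalise a MAC so differently formatted sources compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(reservations, port_policy, mac_table, max_per_port=2):
    """Return sorted findings where observed state departs from the allow-lists.

    reservations: {mac: ip}      DHCP reservations (the only MACs given an address)
    port_policy:  {port: [mac]}  static MACs pinned to each switch port
    mac_table:    [(port, mac)]  what the switch currently sees
    """
    reserved = {norm_mac(m) for m in reservations}
    policy = {p: {norm_mac(m) for m in macs} for p, macs in port_policy.items()}
    findings = set()
    for port, macs in policy.items():
        if len(macs) > max_per_port:
            findings.add(f"{port}: {len(macs)} MACs pinned, limit is {max_per_port}")
        for mac in macs - reserved:
            findings.add(f"{port}: pinned MAC {mac} has no DHCP reservation")
    for mac in reserved - set().union(*policy.values()):
        findings.add(f"reservation for {mac} is not pinned to any port")
    for port, raw in mac_table:
        mac = norm_mac(raw)
        if mac not in policy.get(port, set()):
            home = [p for p, macs in policy.items() if mac in macs]
            why = f"belongs on {home[0]}" if home else "unknown device"
            findings.add(f"{port}: unexpected MAC {mac} ({why})")
    return sorted(findings)

# Constructed sample data; ports, MACs and addresses are illustrative only.
RESERVATIONS = {"00-1A-2B-00-00-01": "10.99.0.11", "00-1A-2B-00-00-02": "10.99.0.12",
                "00-1A-2B-00-00-03": "10.99.0.13"}
PORT_POLICY = {"Gi1/0/1": ["001a-2b00-0001"],
               "Gi1/0/2": ["001a-2b00-0002", "001a-2b00-0003"],  # behind a small switch
               "Gi1/0/3": ["001a-2b00-0004"]}                     # never given a reservation
MAC_TABLE = [("Gi1/0/1", "001a-2b00-0001"), ("Gi1/0/2", "001a-2b00-0002"),
             ("Gi1/0/1", "001a-2b00-0003"), ("Gi1/0/3", "dead-beef-0001")]

if __name__ == "__main__":
    for line in audit(RESERVATIONS, PORT_POLICY, MAC_TABLE):
        print(line)
```

Running the audit on a schedule and keeping its output alongside the firewall and switch documentation gives a record that the segment still matches its documented state.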
Current thread:
- On-Campus Credit Card Transactions Robert Yoka (Mar 19)
- Re: On-Campus Credit Card Transactions Solem, Vik P. (Mar 20)
- Re: On-Campus Credit Card Transactions Christopher Hickernell (Mar 21)
- Re: On-Campus Credit Card Transactions Kimberly Heimbrock (Mar 21)
- Re: On-Campus Credit Card Transactions John Ladwig (Mar 21)
- Re: On-Campus Credit Card Transactions Aaron Hockett (Mar 21)
- Re: On-Campus Credit Card Transactions Kimberly Heimbrock (Mar 21)