Educause Security Discussion mailing list archives
Re: PCI - Third party vendors
From: Hendra Hendrawan <hendra () YORKU CA>
Date: Thu, 24 Jul 2014 17:15:46 -0400
Hi Craig,

I second Brad's point on the fact that the coffee shop owner is responsible. Specifically, they are responsible for filing the compliance paperwork with their bank. NIU, on the other hand, should be concerned with the university's reputation in the case of a breach of cardholder data (CHD).

I think it is important to ensure that the merchant understands the service agreement. For instance, the connection provided is not PCI compliant, etc. Hopefully, they will take it seriously and consider the security of the payment channels.

On the good side, most pinpads are equipped with an encryption system. Your network may not be compliant, but the traffic containing CHD is secure.

Contact me offline if you need more info.

Regards,

Hendra Hendrawan, Senior Security Analyst
Information Security
University Information Technology (UIT)
YORK UNIVERSITY
040 Steacie Building, 4700 Keele Street
Toronto ON, Canada M3J 1P3
T 416.736.2100 ext 22317 F 416.736.5830
hendra () yorku ca, www.yorku.ca

York UIT will NEVER send unsolicited requests for passwords or other personal information via email. Messages requesting such information are fraudulent and should be deleted.

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> wrote on 24-07-2014 04:50:08 PM:
From: Brad Judy <brad.judy () CU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 24-07-14 04:50 PM
Subject: Re: [SECURITY] PCI - Third party vendors
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

If they hold the merchant account, and they are treating your network like the internet (an untrusted, public network), then they are responsible for ensuring both their compliance and that their data is properly protected before reaching your network.

However, if they are not treating your network like the public internet, then you could be considered a PCI service provider to them; you would need an agreement about who handles what aspects of security and would have to figure out your side of PCI compliance.

These arrangements can be fairly simple if you are just their ISP and not managing their internal networking. They would typically have their own switch and SOHO-type firewall to segment themselves from your network, only sending out the encrypted connection to the payment gateway/processor. If you had a big chain coming on site, they would likely have done this approach before. That said, a local coffee shop might not understand PCI-DSS and might not have a plan like that.

Brad Judy
Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: Drake, Craig <c-drake () NEIU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, July 24, 2014 2:30 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library. They are completely run by an external entity not associated with the university. They want to connect their terminals to our university network (possibly wireless) to transmit their credit card transactions. What do we need to be concerned with in terms of PCI compliance with them running this through our networks?

Thank you,
-Craig

Craig Drake
University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu
www.neiu.edu
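The segmentation Brad describes above (the merchant's own switch and SOHO firewall between the payment terminals and the university network, with the only traffic leaving being the encrypted connection to the payment gateway/processor) can be written down as a small egress allow-list. The nftables ruleset below is an added illustration for this thread, not configuration from any of the posters or their institutions. The interface names (eth0 facing the university network, eth1 facing the terminals), the processor addresses 203.0.113.10 and 203.0.113.11, and the resolver 198.51.100.53 are all assumed placeholders; a real deployment substitutes the addresses the processor actually publishes.

```nft
#!/usr/sbin/nft -f
# Added example: a merchant-owned firewall that treats the university network as
# an untrusted uplink. Interface names and addresses are assumptions.
flush ruleset

define WAN = "eth0"                                 # uplink into the university network
define LAN = "eth1"                                 # merchant's own switch with the pinpads/POS
define PROCESSOR = { 203.0.113.10, 203.0.113.11 }   # assumed payment gateway/processor
define RESOLVERS = { 198.51.100.53 }                # assumed DNS resolver

table inet pos {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # manage the firewall only from the POS side, never from the university side
        iifname $LAN tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # the only permitted egress: TLS from the terminals to the processor, plus DNS
        iifname $LAN oifname $WAN ip daddr $PROCESSOR tcp dport 443 accept
        iifname $LAN oifname $WAN ip daddr $RESOLVERS udp dport 53 accept
        iifname $LAN oifname $WAN ip daddr $RESOLVERS tcp dport 53 accept
        # anything else from the POS LAN, including traffic aimed at university
        # address space, is logged and dropped
        iifname $LAN oifname $WAN log prefix "pos-egress-deny " counter drop
        # nothing initiated from the university network may reach the terminals
        iifname $WAN oifname $LAN counter drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the `counter` on the two drop rules makes it easy to see whether any terminal is trying to talk to something other than the processor. The ruleset only guarantees that the cardholder-data path never touches anything but the processor and that university-side hosts cannot open connections to the terminals; it cannot verify that the pinpad encrypts the CHD before it leaves the device, which is what the terminal-side encryption Hendra mentions is for. Because the chains default to drop and only `ip` rules are listed, IPv6 from the terminals is also dropped unless matching `ip6` rules are added deliberately.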
Current thread:
- PCI - Third party vendors Drake, Craig (Jul 24)
- Re: PCI - Third party vendors Brad Judy (Jul 24)
- Re: PCI - Third party vendors Hendra Hendrawan (Jul 24)
- Re: PCI - Third party vendors Mike Chapple (Jul 24)
- Re: PCI - Third party vendors Roger A Safian (Jul 24)
- Re: PCI - Third party vendors Christopher Jones (Jul 24)
- Re: PCI - Third party vendors Kobezak, Philip (Jul 24)
- Re: PCI - Third party vendors T. Shayne Ghere (Jul 24)
- Re: PCI - Third party vendors Shamblin, Quinn (Jul 25)
- Re: PCI - Third party vendors Bruce Curtis (Jul 29)
- Re: PCI - Third party vendors Christopher Jones (Jul 24)
- Re: PCI - Third party vendors Brad Judy (Jul 24)
- Re: PCI - Third party vendors Mike Cunningham (Jul 25)
- Re: PCI - Third party vendors Blake Penn (Jul 25)