Educause Security Discussion mailing list archives

Re: PCI - Third party vendors


From: "T. Shayne Ghere" <sghere () FSMAIL BRADLEY EDU>
Date: Thu, 24 Jul 2014 16:56:43 -0500

I agree with Roger and Chris.  The way it was explained to us, any device
that resides on your network/domain becomes your responsibility and puts it
in scope.  We have spent months separating off those segments from the rest
of the University Network.  They basically have a Virtual Terminal that
they use and it can only get to Ticketmaster or whatever other company is
accepting credit cards.

We have a PCI Emergency Response Document as to what steps we have to
follow if one of them gets hacked, even if you have a signed agreement.
They are coming from your domain, so the finger ultimately points back to
you, the ISP, to provide logs, etc.  We even confiscate the VTs,
disconnect them from the network and turn them over to whatever agency
requests the information.

Even when they are in the PCI scope of our network, we still require a VPN
connection from their VTs to the processor/merchant so there are dual
layers of protection.

Wireless is strictly prohibited.  Anyone we find accepting credit
cards on campus has both their wired and wireless credentials revoked until an
investigation is done.  There is one exception: a checkout iPad that is
kept in the vault in our Controller's office, and there is training as to
how to operate it if they are accepting money for the University.  It
doesn't leave the University, and there is a very short list of authorized
users who may check it out.

I would check with your network compliance officer at your institution.

Best of luck

Shayne

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Christopher Jones
*Sent:* Thursday, July 24, 2014 4:07 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] PCI - Third party vendors

I agree with Roger.  Your QSA will be able to provide guidance on this.  As
I understand the PCI requirements, any cardholder data transiting the
network puts it in scope.

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Roger A Safian
*Sent:* Thursday, July 24, 2014 2:02 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] PCI - Third party vendors

I think you want to discuss this with your QSA, but, my read, is this
brings your network into scope for PCI.  My assumption is you don’t want
this to happen.

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Drake, Craig
*Sent:* Thursday, July 24, 2014 3:30 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library.  They are completely run
by an external entity not associated with the university.  They want to
connect their terminals to our university network (possibly wireless) to
transmit their credit card transactions.  What do we need to be concerned
with in terms of PCI compliance with them running this through our
networks?

Thank you,

-Craig

*Craig Drake*

*University Technology Services*
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu

*www.neiu.edu*