Re: PCI Wireless Question for other colleges/universities

[Kevin Reedy <KReedy () EXCELSIOR EDU>]

Eric,

This is the exact discussion we had internally.  Counsel felt the
definition of a service provider was narrow enough to exclude the transport
layer.

I will admit after re-reading the word 'transmission' is right in there,
and that does give one pause.  Before I re-read from that angle I was
looking at a PCI service provider the same way I look at a HIPAA covered
entity.  You either are or you aren't, and there is no grey area.  After
hearing other opinions and re-reading the definition it certainly leaves
room for a bit of grey area.

I don't think it will change our stance, we do have one vendor using their
own Wifi equipment, which we connected at our demarc for them, and have
interpreted that as 'Excelsior is not a service provider'.  Interestingly I
did not see this contract, so I'm going to ask for a copy to review and see
if there is any strange language in it that concerns me.

-Kevin



From:   Eric Lukens <eric.lukens () UNI EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   01/26/2016 02:42 PM
Subject:        Re: [SECURITY] PCI Wireless Question for other
            colleges/universities
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



DISCLAIMER, I am not a lawyer or a QSA, this is just my assessment.

I think this is an area where there is some disagreement. Some QSAs
seem to indicate that once you accept CCs, you also need to "police"
other entities that are affiliated with you in some way even if you
offer them no services other than internet connectivity or leased
space.

Clearly, if you did not accept CCs at all, you have no contract with
the banks, nor card brands and shouldn't be held liable for
essentially being an ISP or a landlord for a vendor.

So, if you do accept CCs somewhere else on campus, does that liability
change?

I suspect much of the language created by the PCI Council is
purposefully vague, simply because trying to define it narrowly would
create loopholes that would be used to bypass requirements. As such,
the language is written broadly and you have to assess the risk
yourself. I suspect that requirements on monitoring service providers
and vendors is written broadly because of all the convoluted scenarios
that can occur. Some of these businesses out there have hundreds of
LLCs and shell companies to isolate risk. I suspect the PCI Council is
making sure that risk goes back to where it belongs. Unfortunately, we
can get caught in the net.

Of course, any QSA can disagree and force you to do whatever. And
remember, if the banks/card brands want to make you liable in a breach
scenario, they will find a way.

-Eric

On Tue, Jan 26, 2016 at 1:11 PM, Carroll, Tim <Carrolltd () roanestate edu>
wrote:
> Kevin,
>
> With regards to you question about PCI liability for a vendor, it is my
belief that we would be liable only if they use my network to transmit
credit card data.  My assumption could be wrong, but I would rather err on
the side of caution.
> Regards,
>
> Tim Carroll
> Assistant Vice President and Chief Information Officer
> Information Technology
> Roane State Community College
> carrolltd () roanestate edu
> 865-882-4560
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
> Sent: Monday, January 25, 2016 4:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI Wireless Question for other
colleges/universities
> Hi Tim,
>
> I'm a little curious why you feel you have any PCI burden with a vendor
that is not affiliated?  Any exposure would be on them, with possible
backlash being negative press for you because of selecting them.
> I don't see how the PCI burden transfers from vendor to host, that would
be like an ISP being held responsible for a breach that occurred over the
internet.
> -Kevin
>
>
>
> From:"Carroll, Tim" <Carrolltd () ROANESTATE EDU>
> To:SECURITY () LISTSERV EDUCAUSE EDU,
> Date:01/25/2016 03:53 PM
> Subject:Re: [SECURITY] PCI Wireless Question for other
>             colleges/universities
> Sent by:The EDUCAUSE Security Constituent Group Listserv
>             <SECURITY () LISTSERV EDUCAUSE EDU>
>
>
>
> The previous advice you received is all correct.  The only thing I would
add is how you handle vendors who come on campus temporarily and want to
use your network to process their payments.  We handled this by requiring
them (by policy and language on contracts) to use their own networks such
as a cellular wireless point.
> Regards,
>
> Tim
> Tim Carroll
> Assistant Vice President and Chief Information Officer Information
Technology Roane State Community College carrolltd () roanestate edu
> 865-882-4560
>
> From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
> Sent: Monday, January 25, 2016 1:05 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] PCI Wireless Question for other colleges/universities
>
> Hello all,
>
> I’m wondering how other colleges/universities handled a specific PCI
requirement, 11.1.2, regarding unauthorized wireless access points.  We
have a few areas with payments going over wireless, but even if we changed
things to not use wireless for payments, it appears that this requirement
is applicable.
> We have taken appropriate steps to secure the terminals/computers, and
had a skilled penetration testing company that was completely unable to
break through to the payment terminals (or even through the network
segmentation).  We also have scanning in place that can detect rogue access
points.  I believe that the systems are secure but security isn’t
compliance.
> In this day and age where anyone can turn their phone into an access
point, there are always a number of them, most of them being transient.
What have other colleges done when faced with these situations?  We’re not
a huge school that can afford the staff that it would take to go hunt the
transient access points down.
> I’d appreciate anything you can share on- or off-list about this
scenario.
> Thanks,
>
> Paul Chauvet
> Information Security Officer
> State University of New York at New Paltz chauvetp () newpaltz edu
> 845-257-3828
> emlogo
>
>
>
>
>
> This email is intended for the addressee and may contain privileged
information. If you are not the addressee, you are not permitted to use or
copy this email or its attachments nor may you disclose the same to any
third party. If this has been sent to you in error, please delete the email
and notify us by replying to this email immediately.
> This message and any attachments contain confidential Excelsior College
information intended for the specific individual and purpose. If you are
not the intended recipient, you should notify the College and delete this
message. Any disclosure, copying, distribution or inappropriate use of this
message is strictly prohibited.
> ________________________________
>
> This email is intended for the addressee and may contain privileged
information. If you are not the addressee, you are not permitted to use or
copy this email or its attachments nor may you disclose the same to any
third party. If this has been sent to you in error, please delete the email
and notify us by replying to this email immediately.



--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier

This message and any attachments contain confidential Excelsior College information intended for the specific 
individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. 
Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.