Educause Security Discussion mailing list archives

Re: Merchant services credit card project


From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Mon, 27 Jun 2005 08:43:29 -0400

The wording that is on the cardholder site, and from our
scanning vendor, is any system that "stores, processes or
transmits" cardholder data.

That was problem 1 - finding all of those systems on our
campus.  The Verifones were not included.

Once we found (or continue to find) the systems, we were
able to go through the questions.  Our firewall set-up
seems to be enough to be able to answer yes to the
questions.  We have a firewall at the Internet gateway, and
we split into three networks (ResNet, general campus and
smaller administrative) with a firewall at the head of
each.  Fortunately, so far, all of the systems / servers
have been on the administrative network.

The question just asks if NAT is used, and we just finished
that project, so we'll answer YES - we aren't going to dig
any further.  There's too much other work.

The big issues for us have been verifying all the password
complexity rules on all the systems involved, verifying the
log management issues, getting the answers together for the
router questions, looking at the applications to make sure
cookies are encrypted and stuff like that.

And then there's the work that the first round of scanning
uncovered - even though we had paid for an external scan and
audit just last year.

Theresa

---- Original message ----
Date: Mon, 27 Jun 2005 07:11:51 -0500
From: Willis Marti <wmarti () TAMU EDU>
Subject: Re: [SECURITY] Merchant services credit card project
To: SECURITY () LISTSERV EDUCAUSE EDU


OK. That's the definition I've been pushing. So the next
question is (also part of the debate), what constitutes a
firewall? Can it be host based (this was implied) or must it
be a network appliance? Or, can it be router ACLs using the
established keyword for providing basic stateful inspection
protection?

The current guidance we've received is that if the credit
card processing system *stores* CC data, one must have an
external FW. Host-based FWs don't do NAT. If the system only
does, for example, data entry, then a host FW may be ok.

I don't see any technical difference between a "router" and
a "firewall" if the functionality is equivalent.
Cheers,
Willis Marti
Associate Director for Networking
Computing & Information Services
Texas A&M University
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
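The distinction Willis raises between a router ACL using the Cisco IOS `established` keyword and real stateful inspection, as an added example that is not part of the original thread or either author's configuration. The ACL lines in the comments are illustrative; the addresses, the cardholder server, the packet sequence and the names `Packet`, `established_acl`, `StatefulFilter` and `run_scenario` are the example's own constructions.

```python
"""Added example: an `established`-style ACL versus a connection-tracking
filter, run over a constructed packet sequence (not real traffic)."""
from dataclasses import dataclass

INSIDE_NET = "10.1.1."   # hypothetical administrative network (assumption)
CC_SERVER = "10.1.1.5"   # hypothetical cardholder-data server (assumption)
PUBLIC_PORT = 443        # the one service deliberately exposed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "RST", "FIN"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_inbound(p):
    return p.dst.startswith(INSIDE_NET) and not p.src.startswith(INSIDE_NET)


def established_acl(p):
    """Inbound ACL equivalent to (illustrative Cisco IOS syntax):
         access-list 101 permit tcp any host 10.1.1.5 eq 443
         access-list 101 permit tcp any any established
         access-list 101 deny   ip  any any
    `established` only tests header bits (ACK or RST set); the router
    keeps no memory of which connections the inside actually opened."""
    if not is_inbound(p):
        return True                                 # outbound: permit all
    if p.dst == CC_SERVER and p.dport == PUBLIC_PORT:
        return True                                 # explicitly exposed
    return bool(p.flags & {"ACK", "RST"})           # the `established` test


class StatefulFilter:
    """Connection tracking: inbound segments are admitted only when they
    belong to a flow an inside host initiated (plus the exposed port)."""

    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, p):
        if not is_inbound(p):
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dst == CC_SERVER and p.dport == PUBLIC_PORT:
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.flows:
            return False                            # no matching flow: drop
        if "RST" in p.flags:
            self.flows.discard(key)                 # peer tore the flow down
        return True


def run_scenario():
    """Returns {label: (established_acl verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    scenario = [   # constructed packets, in arrival order
        ("inside opens web session",
         pkt("10.1.1.20", 40000, "203.0.113.9", 80, "SYN")),
        ("web server SYN/ACK reply",
         pkt("203.0.113.9", 80, "10.1.1.20", 40000, "SYN", "ACK")),
        ("unsolicited SYN to ssh on card server",
         pkt("198.51.100.7", 1234, CC_SERVER, 22, "SYN")),
        ("crafted ACK-only probe to ssh on card server",
         pkt("198.51.100.7", 1234, CC_SERVER, 22, "ACK")),
        ("new client to public 443",
         pkt("198.51.100.7", 1235, CC_SERVER, 443, "SYN")),
    ]
    return {label: (established_acl(p), stateful.allow(p)) for label, p in scenario}


if __name__ == "__main__":
    for label, (acl, st) in run_scenario().items():
        print(f"{label:48s} established-ACL={'permit' if acl else 'deny':6s} "
              f"stateful={'permit' if st else 'deny'}")
```

The two filters agree on normal traffic and on an unsolicited SYN, and differ on the crafted ACK-only segment: the `established` ACL passes it to the server's TCP stack because the ACK bit is set, while the tracking filter drops it because no inside host opened that flow. That is the sense in which an `established` ACL is not equivalent in functionality to a stateful firewall, whatever the box is called.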
