Educause Security Discussion mailing list archives

Re: PCI DSS compliance challenges


From: Scott Weyandt <scott.weyandt () MORANTECHNOLOGY COM>
Date: Wed, 10 Jun 2009 10:25:49 -0700

One of my colleagues is a PCI Auditor (QSA and PA-QSA certified).  He
continually states that you cannot overstress the importance of segregating
systems that transfer or store card holder data from the rest of your
network.  If you do so, you greatly limit the scope of a PCI audit to that
network segment and its systems.  If you do not, your entire network is
potentially in scope for a PCI audit.

The card holder network segmentation can be accomplished with VLANs and
appropriate firewall/ACLs.

Scott


*****************************************************************
Scott Weyandt, Ph.D.
Director, Security and Infrastructure Planning
Moran Technology Consulting
877-214-2980 (Voice & Fax)
Website:  www.MoranTechnology.com
*****************************************************************

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Wednesday, June 10, 2009 8:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS compliance challenges

Hi Everyone,

 Our Finance department has been considering a new model of handling credit
cards on our campuses that would involve cashiering stations that track
credit card data through a desktop PC and send it over the internet.

 The interesting challenge for this model is complying with the PCI DSS. Our
perception is that these kinds of deployments are becoming fairly common in
higher-ed, so it would be interesting to hear the experiences of some other
institutions with DSS. Are you segregating card holder data networks? What
IT cost was incurred to set up a compliant environment for deployments your
institution has done?

 I welcome any responses on or off list. Thanks! :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
