Educause Security Discussion mailing list archives

PCI compliance on a university network


From: Greg Francis <francis () GONZAGA EDU>
Date: Mon, 21 Dec 2009 21:54:49 -0800

I'm working with our finance offices to evaluate our PCI compliance
levels on our network. The documentation I have from them doesn't
adequately define the "cardholder data environment."

For a couple of our areas where we do credit card transactions, we
isolate the network traffic for those POS terminals using VLANs, and
those terminals then send encrypted traffic across the Internet to a
payment vendor. This includes places like our food services vendor and
our bookstore. However, we also do on-demand credit card cashiering
sites using CashNet. Those sites can pop up throughout the network; we
use PCI compliant devices, and CashNet is PCI compliant as well. We
actually went with CashNet in the hope of avoiding the need to be
internally PCI compliant, since that effectively outsources credit card
processing (or so my finance office told me).

It ends up that we own at least one server that does direct credit
card processing (Blackboard Transaction Server), which leaves the
finance office with the understanding that we have to be PCI compliant
internally.

As I look at this though, I'm wondering just how much of our network
has to be compliant? For example, if we don't do anything with credit
cards on the residence hall network and there is a firewall between it
and the administrative network, does the student network have to be
PCI compliant? What if a club sets up a CashNet cashiering site that's
set up in one of the residence halls for the weekend? What if we create
a VLAN for that cashiering site in the residence hall network?

As another example, since we use Active Directory for authentication,
do all AD domain controllers automatically fall in the cardholder data
environment? What if it's a read-only DC?

The scope of areas that require PCI compliance feels significant.

I'm wondering how other schools are handling PCI compliance from the
IT side.

Thanks,
Greg

Greg Francis
Director, CCNSS
Gonzaga University
francis () gonzaga edu
509-313-6896
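
The scoping questions in the post above (does a firewalled residence hall network stay out of scope, what a pop-up cashiering site does to the segment it lands in, whether a domain controller that the card-processing server authenticates against is pulled in) can be reasoned about mechanically from two inputs: an asset inventory that maps hosts to VLANs, and the firewall allow-list between VLANs. The script below is an added example written for this archive page; it is not code from the original post, from Gonzaga, or from any PCI tooling. All host and segment names are hypothetical, and the scoping rule it applies (CDE hosts, hosts a CDE host depends on for a security service, and hosts with an allowed flow to or from a CDE host are in scope; everything else is out) is a stated simplification, not an assessor's determination. It assumes traffic inside one VLAN is unfiltered and traffic between VLANs is default-deny.

```python
"""
Estimate PCI DSS scope for a segmented network from an asset inventory
and the firewall allow-list between segments.

Scoping rule used here (a simplification, stated as an assumption):
  cde                 stores, processes or transmits cardholder data
  security-impacting  provides a security service a CDE host depends on
                      (authentication, logging, ...), firewall or not
  connected-to        has an allowed flow to or from a CDE host
  out-of-scope        no allowed flow to a CDE host, no security dependency
Traffic inside one segment (VLAN) is assumed unfiltered; traffic between
segments is allowed only by an explicit rule (default deny).
"""
from collections import defaultdict

INTERNET = "internet"

# Constructed inventory: hypothetical host and segment names.
HOSTS = {
    "bbts01": "cde-vlan",              # transaction server, processes cards directly
    "pos-term01": "pos-vlan",          # bookstore POS terminal
    "cashnet-kiosk01": "cashnet-vlan", # hosted-cashiering terminal
    "dc01": "admin-net",               # writable AD domain controller
    "syslog01": "admin-net",           # central log collector
    "adminws01": "admin-net",          # administrator workstation
    "fileshare01": "admin-net",        # staff file server, no card data
    "rodc01": "resnet",                # read-only DC in the residence halls
    "student-pc01": "resnet",
}
CDE = {"bbts01", "pos-term01", "cashnet-kiosk01"}

# Constructed firewall allow rules: (source host or segment, destination host or segment, port).
ALLOW = [
    ("cde-vlan", INTERNET, 443),
    ("pos-vlan", INTERNET, 443),
    ("cashnet-vlan", INTERNET, 443),
    ("bbts01", "dc01", 88),           # Kerberos
    ("bbts01", "dc01", 389),          # LDAP
    ("bbts01", "syslog01", 514),      # log forwarding
    ("adminws01", "bbts01", 3389),    # admin RDP into the transaction server
    ("admin-net", "fileshare01", 445),
    ("resnet", "rodc01", 88),         # students authenticate against the RODC
    ("rodc01", "dc01", 135),          # replication, simplified to one port
    ("resnet", INTERNET, 443),
]

# Security services each CDE host relies on (hypothetical).
SECURITY_DEPS = {"bbts01": {"dc01", "syslog01"}}


def expand(endpoint, hosts):
    """Resolve a rule endpoint to host names: one host, a whole segment, or nothing for the Internet."""
    if endpoint == INTERNET:
        return []
    if endpoint in hosts:
        return [endpoint]
    return [h for h, seg in hosts.items() if seg == endpoint]


def reachable_pairs(hosts, allow):
    """All (src, dst) host pairs that can open a connection, per the segmentation model."""
    pairs = set()
    by_segment = defaultdict(list)
    for host, seg in hosts.items():
        by_segment[seg].append(host)
    for members in by_segment.values():           # unfiltered inside a VLAN
        pairs.update((a, b) for a in members for b in members if a != b)
    for src, dst, _port in allow:                  # explicit cross-segment rules
        pairs.update((a, b) for a in expand(src, hosts) for b in expand(dst, hosts) if a != b)
    return pairs


def classify(hosts, cde, allow, security_deps):
    """Map every host to cde / security-impacting / connected-to / out-of-scope."""
    pairs = reachable_pairs(hosts, allow)
    needed = set()
    for host, deps in security_deps.items():
        if host in cde:
            needed |= set(deps)
    scope = {}
    for host in hosts:
        if host in cde:
            scope[host] = "cde"
        elif host in needed:
            scope[host] = "security-impacting"
        elif any((host, c) in pairs or (c, host) in pairs for c in cde):
            scope[host] = "connected-to"
        else:
            scope[host] = "out-of-scope"
    return scope


def in_scope_segments(hosts, scope):
    """Segments that contain at least one in-scope host."""
    return {hosts[h] for h, status in scope.items() if status != "out-of-scope"}


def with_host(hosts, cde, name, segment, is_cde):
    """Copy of the inventory with one more host, for what-if scoping."""
    new_hosts = dict(hosts)
    new_hosts[name] = segment
    new_cde = set(cde) | ({name} if is_cde else set())
    return new_hosts, new_cde


if __name__ == "__main__":
    scenarios = {
        "baseline": (HOSTS, CDE, ALLOW),
        "club cashiering site dropped onto the resnet VLAN":
            (*with_host(HOSTS, CDE, "club-cashnet", "resnet", True), ALLOW),
        "club cashiering site on its own VLAN, Internet-only":
            (*with_host(HOSTS, CDE, "club-cashnet", "club-vlan", True),
             ALLOW + [("club-vlan", INTERNET, 443)]),
    }
    for label, (h, c, a) in scenarios.items():
        scope = classify(h, c, a, SECURITY_DEPS)
        print(f"== {label}: in-scope segments {sorted(in_scope_segments(h, scope))}")
        for host, status in sorted(scope.items(), key=lambda kv: (kv[1], kv[0])):
            print(f"  {host:16} {status}")
```

Two things the run makes visible that the inventory alone does not: the writable DC and the log collector land in scope because the transaction server depends on them, regardless of the firewall in between, while the RODC and the student PCs stay out as long as no allowed flow connects them to a CDE host; and a weekend cashiering terminal placed on the shared residence hall VLAN pulls every host on that VLAN into scope, whereas the same terminal on a dedicated VLAN with only an outbound 443 rule leaves the residence hall network where it was. The model treats only direct flows to CDE hosts as scope-expanding; a host that can reach a connected-to system but not the CDE is not promoted.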
