Re: PCI compliance on a university network

[Gary Dobbins <dobbins () ND EDU>]

We found that the scope of requirements for compliance was so large, and ended up including so much infrastructure, as 
to be untenable in a typical university LAN.  For that reason we went with a wholly-isolated environment in order to 
keep the scope localized to a set of systems and network gear that we could "get our hands around" in terms of 
compliance.  We use a VPN concentrator and inexpensive SOHO devices with nailed-up VPN tunnels for the POS stations, so 
the payment card network ends up being virtual, and again can be seen as wholly-contained in the special environment.

You can find a writeup of this approach in the form of a few Educause presentations by Mike Chapple (ND) and Jane Drews 
(Iowa) at www.educause.edu.

Hope that helps.



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
> Sent: Tuesday, December 22, 2009 12:55 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] PCI compliance on a university network
>
>
> I'm working with our finance offices to evaluate our PCI compliance
> levels on our network. The documentation I have from them doesn't
> adequate define the "cardholder data environment."
>
> For a couple of our areas where we do credit card transactions, we
> isolate the network traffic for those POS terminals using VLANs and
> then they do encrypted traffic across the Internet to a payment
> vendor. This includes places like our food services vendor and our
> bookstore. However, we also do on demand credit card cashiering sites
> using CashNet. Those sites can pop up throughout the network and we
> use PCI compliant devices and CashNet is PCI compliant as well. We
> actually went with CashNet in the hopes to avoid the need to be
> internally PCI compliant since that effectively outsources credit card
> processing (or so my finance office told me).
>
> It ends up that we own at least one server that does direct credit
> card processing (Blackbooard Transaction Server) which has the finance
> office understanding that we have to be PCI compliant internally.
>
> As I look at this though, I'm wondering just how much of our network
> has to be compliant? For example, if we don't do anything with credit
> cards on the residence hall network and there is a firewall between it
> and the administrative network, does the student network have to be
> PCI compliant? What if a club sets up a CashNet cashiering site that's
> setup in one of the residence halls for the weekend? What if we create
> a VLAN for that cashiering site in the residence hall network?
>
> As another example, since we use Active Directory for authentication,
> do all AD domain controllers automatically fall in the cardholder data
> environment? What if it's a read-only DC?
>
> The scope of areas that require PCI compliance feels significant.
>
> I'm wondering how other schools are handling PCI compliance from the
> IT side?
>
> Thanks,
> Greg
>
> Greg Francis
> Director, CCNSS
> Gonzaga University
> francis () gonzaga edu
> 509-313-6896