Educause Security Discussion mailing list archives

Re: PCI compliance on a university network


From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Tue, 22 Dec 2009 06:23:07 -0600

We are a QSA that has addressed your scoping question at least once a
week from an educational institution or municipality. With all respect
to your finance department for being aware and working with you on PCI,
they are not security folks. I applaud your seeking other input.

Just a couple of points to stir things up.
Using a Gateway (CashNet, AuthNet or other) does not remove any
institution's responsibility for being PCI Compliant. A virtual terminal
or a gateway can reduce scope. It is a near fatal error to rely on the
gateway to provide your institution coverage for PCI. It is the same for
the argument of tokenization or encryption. To quote Troy Leach from the
PCI Council: "There is no silver bullet".

What is the level of documentation you have on the system? Identifying
all access points is critical. How are you monitoring the network for
rogue devices (such as you highlighted by a club using university
resources)? How are you quarantining?

You make no mention of acceptable use policy. (I suggest you look at
this listserv archive to find some of the strings on this subject.) A
solid student and faculty signed acceptable use policy will help deter
wrongful activities (or at least give you the premise to legally pursue
perps).
 
Finally, it is important that someone on your team (you?) become the
knowledge leader in PCI. It may make sense for the university to reach
out to a QSA for a GAP conversation.

This is not a shameful plug but if we can help, please let me know off
line and I will respond. Otherwise, keep up the good fight.

Michael Johnson
ComplyGuard Networks.
516 887 0178

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
Sent: Tuesday, December 22, 2009 12:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance on a university network

                        
I'm working with our finance offices to evaluate our PCI compliance  
levels on our network. The documentation I have from them doesn't  
adequate define the "cardholder data environment."

For a couple of our areas where we do credit card transactions, we  
isolate the network traffic for those POS terminals using VLANs and  
then they do encrypted traffic across the Internet to a payment  
vendor. This includes places like our food services vendor and our  
bookstore. However, we also do on demand credit card cashiering sites  
using CashNet. Those sites can pop up throughout the network and we  
use PCI compliant devices and CashNet is PCI compliant as well. We  
actually went with CashNet in the hopes to avoid the need to be  
internally PCI compliant since that effectively outsources credit card  
processing (or so my finance office told me).

It ends up that we own at least one server that does direct credit
card processing (Blackboard Transaction Server) which has the finance
office understanding that we have to be PCI compliant internally.

As I look at this though, I'm wondering just how much of our network  
has to be compliant? For example, if we don't do anything with credit  
cards on the residence hall network and there is a firewall between it  
and the administrative network, does the student network have to be  
PCI compliant? What if a club sets up a CashNet cashiering site that's
set up in one of the residence halls for the weekend? What if we create
a VLAN for that cashiering site in the residence hall network?

As another example, since we use Active Directory for authentication,  
do all AD domain controllers automatically fall in the cardholder data  
environment? What if it's a read-only DC?

The scope of areas that require PCI compliance feels significant.

I'm wondering how other schools are handling PCI compliance from the  
IT side?

Thanks,
Greg

Greg Francis
Director, CCNSS
Gonzaga University
francis () gonzaga edu
509-313-6896
