Re: PCI compliance on a university network (an unlikely occurance)

["j.price" <j.price () DOMAIL MARICOPA EDU>]

Hi Brian,

Just going back through emails re: PCI compliance, and you seem to be
doing a lot of what I will be doing. I passed the fist stage of my
privacy exam and will now be working half time on compliance issues.

I have seen your name here and also when I have done web searches on
data classification. Is there anything you can share on what process you
originally used when you started PCI Compliance? MCCD has so many
different locations that process credit card information that it's hard
to get my head around this.

Does Pima still use TouchNet application for credit card payments? Do
you have all the modules? I remember bringing a bunch of college
cashier's down to Pima a number of years ago to look at your process.

By the way, is Pima planning to do anything for Privacy Day 2010 on
January 28th?

Thanks,
Janet

Basgen, Brian wrote:
>  We did our most recent assessment of PCI compliance this past spring. Our goals are:
>  (a) to continue to transfer the risk as much as possible to third party providers; and
>  (b) where PCI compliance is required, to isolate those networks (e.g. POS devices, etc) as much as possible.
>
>  The key point, as others have noted without cynicism, is that compliance is measured after a breach occurs. It is measured by 
> people with tremendous expertise in this particular field, and they seem to have significant incentive to identify the failings 
> of the institution. Unlike legal compliance, performing a "best effort" apparently falls short of PCI requirements.
>
>  Completely internalizing compliance seems to be an intractable issue because PCI requirements are broad and demanding, 
> while higher education networks are dispersed and frequently changing. It seems rather likely that an institution would 
> miss more than obscure technicalities and, particularly in relief to an actual breach, would miss issues that 
> retrospectively seem onerous and indefensible.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> Information Security
> Pima Community College
> Office: 520-206-4873
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert 
> Ellison
> Sent: Tuesday, December 22, 2009 9:20 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI compliance on a university network
>
> As I'm sure many of you are, we are grappling with the time and effort involved for PCI compliance as well as an 
> understanding of proper implementation of all the requirements.  Has anyone completed this process? Did you bring in a QSA 
> or other security expert?  Do you have an estimation as to the time and cost involved?
>
> Thank you in advance for any response.
>
> Robert J. Ellison
> Senior Technical Analyst
> CTM Services
> University of Pittsburgh at Bradford
>
> Phone: 814 362-7666
> Fax: 814 362-7666
> Email: ellison () pitt edu
>
> On Tue, Dec 22, 2009 at 11:14 AM, Crary, Greg <gcrary () ewu edu> wrote:
> On the heels of Greg's question...
>
> Looking at requirement 1.3.5, am I to understand we must proxy outbound traffic, or can the firewall serve as the 
> vehicle for evaluation as to traffic?
>
> Thanks,
>
> Greg
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary 
> Dobbins
> Sent: Tuesday, December 22, 2009 1:10 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI compliance on a university network
>
> We found that the scope of requirements for compliance was so large, and ended up including so much infrastructure, as to be 
> untenable in a typical university LAN.  For that reason we went with a wholly-isolated environment in order to keep the scope 
> localized to a set of systems and network gear that we could "get our hands around" in terms of compliance.  We use a 
> VPN concentrator and inexpensive SOHO devices with nailed-up VPN tunnels for the POS stations, so the payment card network ends 
> up being virtual, and again can be seen as wholly-contained in the special environment.
>
> You can find a writeup of this approach in the form of a few Educause presentations by Mike Chapple (ND) and Jane Drews 
> (Iowa) at www.educause.edu.
>
> Hope that helps.
>
>
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
> > Sent: Tuesday, December 22, 2009 12:55 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] PCI compliance on a university network
> >
> >
> > I'm working with our finance offices to evaluate our PCI compliance
> > levels on our network. The documentation I have from them doesn't
> > adequate define the "cardholder data environment."
> >
> > For a couple of our areas where we do credit card transactions, we
> > isolate the network traffic for those POS terminals using VLANs and
> > then they do encrypted traffic across the Internet to a payment
> > vendor. This includes places like our food services vendor and our
> > bookstore. However, we also do on demand credit card cashiering sites
> > using CashNet. Those sites can pop up throughout the network and we
> > use PCI compliant devices and CashNet is PCI compliant as well. We
> > actually went with CashNet in the hopes to avoid the need to be
> > internally PCI compliant since that effectively outsources credit card
> > processing (or so my finance office told me).
> >
> > It ends up that we own at least one server that does direct credit
> > card processing (Blackbooard Transaction Server) which has the finance
> > office understanding that we have to be PCI compliant internally.
> >
> > As I look at this though, I'm wondering just how much of our network
> > has to be compliant? For example, if we don't do anything with credit
> > cards on the residence hall network and there is a firewall between it
> > and the administrative network, does the student network have to be
> > PCI compliant? What if a club sets up a CashNet cashiering site that's
> > setup in one of the residence halls for the weekend? What if we create
> > a VLAN for that cashiering site in the residence hall network?
> >
> > As another example, since we use Active Directory for authentication,
> > do all AD domain controllers automatically fall in the cardholder data
> > environment? What if it's a read-only DC?
> >
> > The scope of areas that require PCI compliance feels significant.
> >
> > I'm wondering how other schools are handling PCI compliance from the
> > IT side?
> >
> > Thanks,
> > Greg
> >
> > Greg Francis
> > Director, CCNSS
> > Gonzaga University
> > francis () gonzaga edu
> > 509-313-6896

--
Janet Price
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730

****IMPORTANT NOTICE****
All email communications with Maricopa Community Colleges employees are a matter of public record and subject to 
publication or release under both the State and Federal regulations as they pertain to their relative Freedom of 
Information Acts.