Educause Security Discussion mailing list archives
Re: PCI compliance on a university network (an unlikely occurrence)
From: "j.price" <j.price () DOMAIL MARICOPA EDU>
Date: Tue, 5 Jan 2010 16:30:41 -0700
Hi Brian,

Just going back through emails re: PCI compliance, and you seem to be doing a lot of what I will be doing. I passed the first stage of my privacy exam and will now be working half time on compliance issues. I have seen your name here and also when I have done web searches on data classification. Is there anything you can share on what process you originally used when you started PCI compliance? MCCD has so many different locations that process credit card information that it's hard to get my head around this. Does Pima still use the TouchNet application for credit card payments? Do you have all the modules? I remember bringing a bunch of college cashiers down to Pima a number of years ago to look at your process.

By the way, is Pima planning to do anything for Privacy Day 2010 on January 28th?

Thanks,
Janet

Basgen, Brian wrote:

We did our most recent assessment of PCI compliance this past spring. Our goals are: (a) to continue to transfer the risk as much as possible to third party providers; and (b) where PCI compliance is required, to isolate those networks (e.g. POS devices, etc.) as much as possible.

The key point, as others have noted without cynicism, is that compliance is measured after a breach occurs. It is measured by people with tremendous expertise in this particular field, and they seem to have significant incentive to identify the failings of the institution. Unlike legal compliance, performing a "best effort" apparently falls short of PCI requirements.

Completely internalizing compliance seems to be an intractable issue because PCI requirements are broad and demanding, while higher education networks are dispersed and frequently changing. It seems rather likely that an institution would miss more than obscure technicalities and, particularly in relief to an actual breach, would miss issues that retrospectively seem onerous and indefensible.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Ellison
Sent: Tuesday, December 22, 2009 9:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

As I'm sure many of you are, we are grappling with the time and effort involved for PCI compliance as well as an understanding of proper implementation of all the requirements. Has anyone completed this process? Did you bring in a QSA or other security expert? Do you have an estimation as to the time and cost involved?

Thank you in advance for any response.

Robert J. Ellison
Senior Technical Analyst
CTM Services
University of Pittsburgh at Bradford
Phone: 814 362-7666
Fax: 814 362-7666
Email: ellison () pitt edu

On Tue, Dec 22, 2009 at 11:14 AM, Crary, Greg <gcrary () ewu edu> wrote:

On the heels of Greg's question... Looking at requirement 1.3.5, am I to understand we must proxy outbound traffic, or can the firewall serve as the vehicle for evaluation as to traffic?

Thanks,
Greg

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Tuesday, December 22, 2009 1:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

We found that the scope of requirements for compliance was so large, and ended up including so much infrastructure, as to be untenable in a typical university LAN. For that reason we went with a wholly-isolated environment in order to keep the scope localized to a set of systems and network gear that we could "get our hands around" in terms of compliance. We use a VPN concentrator and inexpensive SOHO devices with nailed-up VPN tunnels for the POS stations, so the payment card network ends up being virtual, and again can be seen as wholly-contained in the special environment.

You can find a writeup of this approach in the form of a few Educause presentations by Mike Chapple (ND) and Jane Drews (Iowa) at www.educause.edu.

Hope that helps.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Francis
Sent: Tuesday, December 22, 2009 12:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance on a university network

I'm working with our finance offices to evaluate our PCI compliance levels on our network. The documentation I have from them doesn't adequately define the "cardholder data environment."

For a couple of our areas where we do credit card transactions, we isolate the network traffic for those POS terminals using VLANs and then they do encrypted traffic across the Internet to a payment vendor. This includes places like our food services vendor and our bookstore. However, we also do on-demand credit card cashiering sites using CashNet. Those sites can pop up throughout the network and we use PCI compliant devices and CashNet is PCI compliant as well. We actually went with CashNet in the hopes to avoid the need to be internally PCI compliant since that effectively outsources credit card processing (or so my finance office told me). It ends up that we own at least one server that does direct credit card processing (Blackboard Transaction Server) which has the finance office understanding that we have to be PCI compliant internally.

As I look at this though, I'm wondering just how much of our network has to be compliant? For example, if we don't do anything with credit cards on the residence hall network and there is a firewall between it and the administrative network, does the student network have to be PCI compliant? What if a club sets up a CashNet cashiering site that's set up in one of the residence halls for the weekend? What if we create a VLAN for that cashiering site in the residence hall network? As another example, since we use Active Directory for authentication, do all AD domain controllers automatically fall in the cardholder data environment? What if it's a read-only DC?

The scope of areas that require PCI compliance feels significant. I'm wondering how other schools are handling PCI compliance from the IT side?

Thanks,
Greg

Greg Francis
Director, CCNSS
Gonzaga University
francis () gonzaga edu
509-313-6896

--
Janet Price
Information Technology Services
Maricopa Community Colleges
2419 W 14th St
Tempe Arizona, 85281
(480)731-8730

****IMPORTANT NOTICE**** All email communications with Maricopa Community Colleges employees are a matter of public record and subject to publication or release under both the State and Federal regulations as they pertain to their relative Freedom of Information Acts.
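The scoping questions raised in the quoted thread (does a firewalled residence hall network fall in the cardholder data environment, what about a temporary cashiering VLAN, what does a wholly isolated POS environment buy) can be framed as a reachability problem over the flows a firewall permits between network segments. The script below is an added example, not code from any of the posters or their institutions; the segment names, the CDE markings and the permitted flows are a constructed topology loosely modelled on the thread, and the three categories it produces (directly connected, indirectly reachable and worth a review, isolated) are this example's own labels rather than PCI DSS terminology.

```python
"""
Added example: classify network segments relative to a cardholder data
environment (CDE) from a list of firewall-permitted flows.

Model (constructed for illustration, not taken from the thread):
  - a segment is a named zone (a VLAN, an isolated POS environment, a vendor)
  - a segment is marked CDE=True if it stores, processes or transmits card data
  - a flow (src, dst) is a connection the firewall permits between two segments
Segments with a permitted flow directly to or from a CDE segment are reported
as "connected"; segments that can only reach the CDE through another segment
are reported for "review"; segments with no path at all are "isolated", which
is the property VLAN isolation or a nailed-up VPN environment is meant to give.
"""
from collections import defaultdict, deque

# Constructed topology: True marks segments that handle cardholder data.
SEGMENTS = {
    "pos_vlan": True,           # food-service POS terminals on their own VLAN
    "cashnet_temp_vlan": True,  # weekend cashiering site on a temporary VLAN
    "payment_vendor": True,     # third-party processor reached over the Internet
    "admin_lan": False,         # administrative network hosting management tools
    "reshall": False,           # residence hall network behind a firewall
    "guest_wifi": False,        # no permitted flows to anything above
}

# Constructed firewall policy: each tuple is a permitted (source, destination) flow.
FLOWS = [
    ("pos_vlan", "payment_vendor"),
    ("cashnet_temp_vlan", "payment_vendor"),
    ("admin_lan", "pos_vlan"),   # management access into the POS VLAN
    ("reshall", "admin_lan"),    # students reach administrative services
]


def classify(segments, flows):
    """Return dict with sets: cde, connected, review, isolated."""
    cde = {name for name, is_cde in segments.items() if is_cde}

    # Connectivity is treated as undirected: a flow in either direction means
    # the two segments can exchange traffic and so can affect one another.
    neighbours = defaultdict(set)
    for src, dst in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    # Directly connected: one permitted hop away from any CDE segment.
    connected = {n for c in cde for n in neighbours[c]} - cde

    # Breadth-first search from the CDE to find every segment with any path.
    reachable = set(cde)
    queue = deque(cde)
    while queue:
        current = queue.popleft()
        for nxt in neighbours[current]:
            if nxt not in reachable:
                reachable.add(nxt)
                queue.append(nxt)

    review = reachable - cde - connected          # reachable only indirectly
    isolated = set(segments) - reachable          # no path in either direction
    return {"cde": cde, "connected": connected,
            "review": review, "isolated": isolated}


def classify_without(segments, flows, removed_flow):
    """Re-run the classification with one permitted flow taken away, to see
    what a single firewall rule change does to the scope."""
    return classify(segments, [f for f in flows if f != removed_flow])


def report(result):
    for label in ("cde", "connected", "review", "isolated"):
        print(f"{label:>9}: {', '.join(sorted(result[label])) or '-'}")


if __name__ == "__main__":
    print("with management access into the POS VLAN:")
    report(classify(SEGMENTS, FLOWS))
    print("\nafter removing the admin_lan -> pos_vlan rule:")
    report(classify_without(SEGMENTS, FLOWS, ("admin_lan", "pos_vlan")))
```

With the constructed policy, the administrative LAN lands in the connected set because of the management rule into the POS VLAN, the residence hall network is flagged for review because it reaches the POS VLAN only through the administrative LAN, and the guest network is isolated. Removing that one management rule moves both the administrative LAN and the residence hall network into the isolated set, which is the effect the wholly isolated environment described in the thread achieves by construction.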