Educause Security Discussion mailing list archives

Re: PCI Processing Practices


From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Wed, 5 Oct 2011 19:34:41 +0000

A couple of weeks ago the PCI Security Standards Council posted some guidance on point-to-point encryption.  If you use 
only POS devices with "hardware/hardware" point-to-point encryption, it looks like you can reduce your scope even more.  
See the PDF link below, pages 82-83.

https://www.pcisecuritystandards.org/documents/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf



Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marley, 
Tim
Sent: Wednesday, October 05, 2011 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Processing Practices

Reviewing this thread, it seems to me that we're throwing around a lot of terms without everyone agreeing on exactly 
what they mean.  Processing, for example.  By claiming to process the transactions internally, are you claiming that 
you work directly with the issuing or acquiring banks at the time of transaction to obtain an authorization?  Or do you 
mean that the systems that 'process' payment card transactions are on campus and subsequently go out to a 
processor/acquiring bank, who then takes the transaction from there?

Simplifying the validation process and limiting the scope of your environment can be as simple as removing the storage 
of cardholder data in your environment.  By not storing cardholder data, you can typically drop from a SAQ D to a SAQ C.

We also use TouchNet as a component in our environment.  However, this doesn't mean that we outsource all of our PCI 
transactions.  We have a number of different campus merchants that use TouchNet services ranging from 3rd party hosted 
e-commerce to internal processes handing off transactions to the TouchNet payment gateway.  The data is still crossing 
our network, and subsequently we end up with SAQ C or SAQ C-VT.

JML-
We've done both.  We have outsourced business functions for reasons other than compliance costs, which subsequently 
reduced the scope of our compliance efforts.  But it was done for the gains from outsourcing the business and not for 
compliance fears, etc.  We have also outsourced the server functions for POS applications, reducing our scope and 
dropping us from a SAQ D to a SAQ C.  To drop it any further, we would have to outsource the physical network 
operations, something we aren't likely to do anytime soon.

In the end, we still end up filing a SAQ D for the University along with all of the controls that go along with it.  
Not ideal, but necessary due to the current business environment and needs.

Tim

Timothy J. Marley
CPA * CISSP * CISM * CISA * GSNA * GPEN * PCI ISA * CIPP
University of Oklahoma Information Technology, Security Team
office 405.325.5418

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Ladwig
Sent: Monday, October 03, 2011 5:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Processing Practices

I'm following this thread with interest, but can someone tell me whether and how you're outsourcing brick-and-mortar 
card-present payment processing where there are complex POS environments like bookstores, cafeterias, sports facilities?

Do you outsource the business, or outsource only a portion of the operations?  And if the latter, how?

   -jml 

Scott O Bradner <sob () HARVARD EDU> 2011-10-02 10:58 >>>
almost totally outsourced (maybe 1 or two merchants not)

outsourcing finished about 3 years ago

Scott


On Sep 30, 2011, at 2:41 PM, Paula E. Johnson wrote:

We are reviewing our campus PCI processing practices and are curious how many of you have decided to do your own 
credit card processing and how many have decided to totally outsource this sort of transaction.  Can you please 
respond with whether you satisfy your PCI needs internally, outsourced, or a combination.
Thanks in advance for your help.
 
Paula E. Johnson
Fiscal Support Supervisor
IT Services
University of Arkansas
Fayetteville, AR 72701
479-575-5870
 