Educause Security Discussion mailing list archives

Re: On-Campus Credit Card Transactions


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Wed, 21 Mar 2012 14:12:15 +0000

In our system, we have part-time PCI DSS expertise in our system office Information Security group.  We're involved in 
PCI compliance support and consulting, coordinate special network and firewall engineering, and contract for QSA 
services.  We have also developed some compliance-support materials for merchant use, because we find that actual 
merchant staff, as well as campus finance and IT leadership, have a pretty hard time working with just the SAQ 
requirements.  We established a systemwide contract for ASV scanning via a SaaS offering for use by merchants across 
our system, and we offer special advice and configuration help for using our vulnerability management system in 
merchant compliance efforts.

As far as on-premise concessionaires, we have got almost all of them moved off to their own ISP services, so we don't 
have a level-1 service provider obligation to *their* PCI compliance problem.  "Moved off" means, last time we got a 
QSA opinion, that there are no campus-owned electronics in the merchant's cardholder data environment. We will offer 
dry copper or dark fiber from onsite locations to a convenient demarc/POP where the ISP connects up to the 
concessionaire.

Hope that helps some.

   -jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kimberly Heimbrock
Sent: Wednesday, March 21, 2012 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

In a related question... curious to know about any .edu's that now have a dedicated PCI office and/or resources that 
work toward PCI compliance?  Seems to be a growing trend to set up a PCI office that is dedicated (and supported by 
executive leadership).  Also - how are external partners such as food service, bookstores, sports arenas, etc. 
encouraged and/or forced to comply since they are typically separate entities but are most often using university 
networks?   Thanks in advance for your replies.


Kim Heimbrock
Director, IT Policy and Compliance
Northern Kentucky University
(859) 572-5139
heimbrockk () nku edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Hickernell
Sent: Wednesday, March 21, 2012 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

All of our credit card machines have dedicated phone lines for processing payments.  At locations such as the book store, 
where the credit card reader is integrated into the POS, the transactions are sent through a server in a secluded 
network before being processed.  This server is maintained by the POS vendor and is not connected to the University's 
network.  Payments that are generated by Housing or Student Accounts for tuition, room, board, etc. are off-loaded to 
TouchNet for processing.  TouchNet only receives the payment details from our systems.  They are responsible for 
acquiring the CC number from the user, processing the payment, and then returning the results to our systems - so no 
credit card number is ever acquired by an on campus system and never traverses our network.

Christopher Hickernell, CCNA, MCSE
Network Support Specialist, ResNet Manager
Clarion University of Pennsylvania
Center for Computing Services
G-13 Still Hall, Clarion, PA 16214
chickernell () clarion edu | 814.393.2218

"To be a long-term success, you have to have failures.  People who are working near their limit make mistakes and take 
risk."
~Gerry McCartney, Purdue University



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Yoka
Sent: Monday, March 19, 2012 6:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] On-Campus Credit Card Transactions

I have noticed from some of the EDUCAUSE archives that there are some institutions who have the policy of disallowing 
the storage, processing, or transmission of credit card information for any system on their network.  For those who 
have been successful with this, how are you enabling credit card transactions on-campus at places like the bookstore, 
cafes, or any other point-of-sale?

--
Robert J. Yoka
Information Security Administrator
Information Technology
York College of Pennsylvania
441 Country Club Road
York, PA 17403

Email: ryoka () ycp edu
Voice: 717-815-1784
Cell: 717-577-0737




