Educause Security Discussion mailing list archives

Re: On-Campus Credit Card Transactions


From: Aaron Hockett <AHockett () WARNERPACIFIC EDU>
Date: Wed, 21 Mar 2012 07:22:41 -0700

Just to chime in on this, we are in the middle of building out a
sub-network for our PCI DSS transactions.  

 

For us, making our main network PCI compliant would've been a monstrous
task, so simply spending the capital to have a sub-network made
more sense.  We are running our PCI network w/ an SSG-5 Juniper Firewall
cascaded down to HP V1910 switches w/ fiber between the buildings.  Any
and all computer systems or POS systems will have DHCP reservations on
our DC with the DHCP scope disabled and only the permitted MAC address
for the reservation allowed.  I am also building out our switches to
enable DHCP snooping for the DC as well as 1-to-1/2-to-1 static MAC
addressing per physical port of the machines connected (in some cases
we have to have a Netgear 5-port switch so two MAC addresses are allowed
per port).  All Windows-based machines will have patch management via
the DC and WSUS as well as anti-virus management.  The Windows
workstations only have the allowed website for CC transactions so no
gratuitous web browsing can occur from those machines.

 

All of this network is pumped into our SSG-5, which runs into our
SSG-140 HA firewalls and out to the internet.  I won't bore anyone with
the policies on the firewall per machine/POS system (as those will be
different depending on the vendor) but the SSG-5 is set up with a simple
Untrust and Trust grouping.

 

The biggest thing with doing a project like this is the documentation.
I've physically had the gear now for almost a week and a half and I've
been not only vetting the hardware for failures, firmware updates and
other netadmin duties, but also having to document each sub-screen of
the firewall and the switches.  In a perfect world, I would say push all
CC transactions outside of your network so you don't have to deal with
PCI on your network.  The reality is that this is quickly becoming the norm
with vendors like Square and Intuit offering processing on iPad and
Android tablets where, even if it communicates over a wireless
network, the encrypted traffic and actual transaction take place
offsite.

 

Good luck everyone.

 

-Aaron Hockett

 

 

Aaron Hockett
Network Systems and Securities Manager
Warner Pacific College
2219 SE 68th Ave.
Portland, OR 97215
ahockett () warnerpacific edu
www.warnerpacific.edu
tel: 503-517-1203
fax: 503-517-1352

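An added example, not part of the original message or the poster's configuration: a Python cross-check of the three records the design above relies on (per-port static MAC lists, DHCP reservations, and the MAC table observed on the switch). Port names, MAC addresses and IPs are constructed sample data, and `norm_mac` and `audit` are hypothetical helper names.

```python
import re

def norm_mac(mac):
    """Normalize aa-bb-.., aabb.ccdd.eeff or aa:bb:.. to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(port_policy, reservations, observed):
    """Cross-check port MAC lists, DHCP reservations and the observed MAC table."""
    findings = []
    reserved = {norm_mac(m) for m in reservations}
    bound = set()
    for port, macs in port_policy.items():
        allowed = {norm_mac(m) for m in macs}
        bound |= allowed
        if len(allowed) > 2:  # design allows 1 MAC, or 2 behind a small switch
            findings.append((port, f"policy lists {len(allowed)} MACs, max is 2"))
        for mac in sorted(allowed - reserved):
            findings.append((port, f"{mac} bound to port but has no DHCP reservation"))
    for port, macs in observed.items():
        allowed = {norm_mac(m) for m in port_policy.get(port, [])}
        for mac in sorted({norm_mac(m) for m in macs} - allowed):
            findings.append((port, f"{mac} seen on port but not in its static list"))
    for mac in sorted(reserved - bound):
        findings.append(("-", f"{mac} has a DHCP reservation but no port binding"))
    return sorted(findings)

# Constructed sample data (not from the original post).
PORT_POLICY = {
    "GE1/0/1": ["00-11-22-AA-BB-01"],                    # single POS terminal
    "GE1/0/2": ["00:11:22:aa:bb:02", "0011.22aa.bb03"],  # two hosts behind a 5-port switch
    "GE1/0/3": ["00:11:22:aa:bb:04"],                    # bound, but never reserved
}
RESERVATIONS = {
    "00:11:22:AA:BB:01": "10.99.0.11",
    "00:11:22:AA:BB:02": "10.99.0.12",
    "00:11:22:AA:BB:03": "10.99.0.13",
    "00:11:22:AA:BB:09": "10.99.0.19",  # stale: no port binding
}
OBSERVED = {
    "GE1/0/1": ["00:11:22:aa:bb:01"],
    "GE1/0/2": ["00:11:22:aa:bb:02", "de:ad:be:ef:00:01"],  # unexpected device
}

if __name__ == "__main__":
    for port, msg in audit(PORT_POLICY, RESERVATIONS, OBSERVED):
        print(f"{port:8} {msg}")
```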

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher
Hickernell
Sent: Wednesday, March 21, 2012 6:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] On-Campus Credit Card Transactions

 

All of our credit card machines have dedicated phone lines for
processing payments.  At locations such as the book store, where the credit
card reader is integrated into the POS, the transactions are sent
through a server in a secluded network before being processed.  This
server is maintained by the POS vendor and is not connected to the
University's network.  Payments that are generated by Housing or Student
Accounts for tuition, room, board, etc. are off-loaded to TouchNet for
processing.  TouchNet only receives the payment details from our
systems.  They are responsible for acquiring the CC number from the
user, processing the payment, and then returning the results to our
systems, so no credit card number is ever acquired by an on campus system
and never traverses our network.

 

Christopher Hickernell, CCNA, MCSE

Network Support Specialist, ResNet Manager

Clarion University of Pennsylvania

Center for Computing Services

G-13 Still Hall, Clarion, PA 16214

chickernell () clarion edu | 814.393.2218

 

"To be a long-term success, you have to have failures.  People who are
working near their limit make mistakes and take risk."

~Gerry McCartney, Purdue University

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Yoka
Sent: Monday, March 19, 2012 6:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] On-Campus Credit Card Transactions

 

I have noticed from some of the EDUCAUSE archives that there are some
institutions who have the policy of disallowing the storage, processing,
or transmission of credit card information for any system on their
network.  For those who have been successful with this, how are you
enabling credit card transactions on-campus at places like the
bookstore, cafes, or any other point-of-sale?


 

-- 

Robert J. Yoka
Information Security Administrator
Information Technology
York College of Pennsylvania
441 Country Club Road
York, PA 17403

Email: ryoka () ycp edu
Voice: 717-815-1784

Cell: 717-577-0737

 
