Re: PCI - Third party vendors

[Hendra Hendrawan <hendra () YORKU CA>]

Hi Craig, 

I second Brad's point on the fact the coffee shop owner is responsible. 
Specifically, they are responsible for filing the compliance paper work 
with their bank. NIU on the other hand should be concerned with the 
university's reputation in the case of a breach to cardholder data (CHD). 

I think it is important to ensure that the merchant understand the service 
agreement. For instance, the connection provided is not PCI compliance, 
etc. Hopefully, they will take it seriously and consider the security of 
the payment channels. 

On the good side, most pinpads are equipped with an encryption system. 
Your network may not be compliance but the traffic containing CHD is 
secure. 

Contact me offline if you need more info. 

Regards, 

Hendra Hendrawan ? Senior Security Analyst 
Information Security
University Information Technology (UIT)

YORK UNIVERSITY 
040 Steacie Building ? 4700 Keele Street 
Toronto ON ? Canada M3J 1P3
T 416.736.2100 ext 22317 F 416.736.5830
hendra () yorku ca ? www.yorku.ca 

York UIT will NEVER send unsolicited requests for passwords or other 
personal information via email. Messages requesting such information are 
fraudulent and should be deleted. 

The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU> wrote on 24-07-2014 04:50:08 PM:

> From: Brad Judy <brad.judy () CU EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Date: 24-07-14 04:50 PM
> Subject: Re: [SECURITY] PCI - Third party vendors
> Sent by: The EDUCAUSE Security Constituent Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
>
> If they hold the merchant account, and they are treating your 
> network like the internet (untrusted, public network), then they are
> responsible for ensuring both their compliance and that their data 
> is properly protected before reaching your network.
>
> However, if they are not treating your network like the public 
> internet, then you could be considered a PCI service provider to 
> them and you would need an agreement about who handles what aspects 
> of security and would have to figure out your side of PCI compliance.
>
> These arrangements can be fairly simple if you are just their ISP 
> and not managing their internal networking.  They would typically 
> have their own switch and SOHO type firewall to segment themselves 
> from your network, only sending out the encrypted connection to the 
> payment gateway/processor.  If you had a big chain coming on site, 
> they would likely have done this approach before.
>
> That said, a local coffee shop might not understand PCI-DSS and 
> might not have a plan like that.
>
> Brad Judy
>
> Director of UIS Security
> University Information Systems
> University of Colorado
> 1800 Grant Street, Suite 300
> Denver, CO  80203
> Office: (303) 860-4293
> Fax: (303) 860-4302
> www.cu.edu
>
> [cid:8B31C7DD-0324-46B9-83BC-2307D4D96284]
>
>
> From: <Drake>, Craig <c-drake () NEIU EDU<mailto:c-drake () NEIU EDU>>
> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<
> mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
> Date: Thursday, July 24, 2014 2:30 PM
> To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<
> mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
> Subject: [SECURITY] PCI - Third party vendors
>
> We have a new coffee shop going into our library.  They are 
> completely run by an external entity not associated with the 
> university.  They want to connect their terminals to our university 
> network (possibly wireless) to transmit their credit card 
> transactions.  What do we need to be concerned with in terms of PCI 
> compliance with them running this through our networks?
>
> Thank you,
> -Craig
>
> Craig Drake
>
> University Technology Services
> Northeastern Illinois University
> 5500 North St. Louis Avenue, Chicago, IL 60625
> Phone: (773) 442-4386
> Email: C-Drake () neiu edu<mailto:C-Drake () neiu edu>
>
> www.neiu.edu<http://www.neiu.edu>
>
> [http://homepages.neiu.edu/~markdep/images/neiu_wordmark_color_email.png
]
> [attachment "5C9580BB-3DDF-4A51-A98A-22396925DFA5[12].png" deleted 
> by Hendra Hendrawan/fs/YorkU]