Educause Security Discussion mailing list archives

Re: PCI - Third party vendors


From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Tue, 29 Jul 2014 22:12:38 +0000

As several people have mentioned, there may be ways to reduce the scope of the CDE. This document contains info on how tokenization can be used to reduce scope.

https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf

On Jul 25, 2014, at 4:58 AM, Shamblin, Quinn <qrs () BU EDU> wrote:

I tend to agree with the point of view that you are a service provider to them and bear no responsibility for their compliance (especially if you have that explicitly written into your service contract with them), but with the big caveat that, as they have a relationship with the University, their breach could bring reputational blowback.

But another thing to look into is whether they are using certain modern forms of credit card processing technology, like P2PE (point-to-point encryption) solutions, which encrypt the credit card number directly on the card swipe device before it ever touches the network. Credit card numbers therefore never hit your network regardless of who is responsible, and thus the PCI compliance issue is neatly avoided.

- Quinn

Sent from my smartphone using voice dictation. Please excuse any errors.

On Jul 24, 2014, at 5:58 PM, "T. Shayne Ghere" <sghere () FSMAIL BRADLEY EDU> wrote:

I agree with Roger and Chris. The way it was explained to us, any device that resides on your network/domain becomes your responsibility and puts it in scope. We have spent months separating off those segments from the rest of the University network. They basically have a Virtual Terminal that they use, and it can only get to Ticketmaster or whatever other company is accepting credit cards.
 
We have a PCI Emergency Response Document as to what steps we have to follow if one of them gets hacked, even if you have a signed agreement. They are coming from your domain, so the finger ultimately points back to you, the ISP, to provide logs etc. We even confiscate the VTs, disconnect them from the network, and turn them over to whatever agency requests the information.
 
Even when they are in the PCI scope of our network, we still require a VPN connection from their VTs to the processor/merchant so there are dual layers of protection.
 
Wireless is strictly prohibited. Anyone that we find accepting credit cards on campus has both their wired and wireless credentials revoked until an investigation is done. There is one exception with a checkout iPad that is kept in the vault in our Controller's office, and there is training as to how to operate it if they are accepting money for the University. It doesn't leave the University, and there is a very short list of authorized users who may check it out.
 
I would check with your network compliance officer at your institution.
 
Best of luck
Shayne
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Jones
Sent: Thursday, July 24, 2014 4:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors
 
I agree with Roger. Your QSA will be able to provide guidance on this. As I understand the PCI requirements, any cardholder data transiting the network puts it in scope.
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Thursday, July 24, 2014 2:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors
 
I think you want to discuss this with your QSA, but my read is that this brings your network into scope for PCI. My assumption is you don't want this to happen.
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drake, Craig
Sent: Thursday, July 24, 2014 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI - Third party vendors
 
We have a new coffee shop going into our library. They are completely run by an external entity not associated with the university. They want to connect their terminals to our university network (possibly wireless) to transmit their credit card transactions. What do we need to be concerned with in terms of PCI compliance with them running this through our networks?
 
Thank you,
-Craig

Craig Drake

University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu

www.neiu.edu



---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        