Re: PCI Wireless Question for other colleges/universities

[Paul Chauvet <chauvetp () NEWPALTZ EDU>]

Hi Marty,

Sorry for the lack of clarification!  It isn't as much the "establish a process to scan for rogue wireless access 
points", because we have a process to detect such via our wireless system (Aruba).

Our issue is more with 11.1.2b: "Is action taken when unauthorized wireless access points are found".  I'm not sure 
what actions are viable in an environment like a college (at least with our staffing requirements), especially with 
ad-hoc networks and cell phones acting as access points.

Is "We've made sure it isn't near a dedicated payment area if the access point wasn't transient" suitable as an action 
for this?  I'm open to ideas.

Thanks all,


Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu<mailto:chauvetp () newpaltz edu>
845-257-3828
[emlogo]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, 
Martin
Sent: Monday, January 25, 2016 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

Paul,

Assuming we're talking about "Establish a process to scan for rogue wireless access points on at least a quarterly 
basis," we were advised by our QSA that a visual inspection on CDE segments only was sufficient to satisfy this 
requirement.

Marty Manjak
ISO
University at Albany

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul 
Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized 
wireless access points.  We have a few areas with payments going over wireless, but
even if we changed things to not use wireless for payments, it appears that this requirement is applicable.

We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that 
was completely unable to break through to the payment terminals (or even through the network segmentation).  We also 
have scanning in place that can detect rogue access points.  I believe that the systems are secure but security isn't 
compliance.

In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of 
them being transient.  What have other colleges done when faced with these situations?  We're not a huge school that 
can afford the staff that it would take to go hunt the transient access points down.

I'd appreciate anything you can share on- or off-list about this scenario.

Thanks,

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu<mailto:chauvetp () newpaltz edu>
845-257-3828
[emlogo]