Re: PCI Wireless Question for other colleges/universities

[Kevin Reedy <KReedy () EXCELSIOR EDU>]

It seems like a bit of a stretch to me, but I can see that as an
interpretation.  I'm not sure that a contract would save you in the event
you are deemed a service provider though.

Do you see any fallout with the equipment being on your site and getting
tampered with?  A skimmer placed on the device and not detected?

Regardless,  I agree a better safe than sorry approach might be best here.

-Kevin





From:   Brad Judy <brad.judy () CU EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   01/25/2016 04:33 PM
Subject:        Re: [SECURITY] PCI Wireless Question for other
            colleges/universities
Sent by:        The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



That depends, are you 100% confident that whatever contract that was signed
did not even slightly imply that your institution is a PCI service provider
to the vendor?

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Monday, January 25, 2016 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other
colleges/universities

Hi Tim,

I'm a little curious why you feel you have any PCI burden with a vendor
that is not affiliated?  Any exposure would be on them, with possible
backlash being negative press for you because of selecting them.

I don't see how the PCI burden transfers from vendor to host, that would be
like an ISP being held responsible for a breach that occurred over the
internet.

-Kevin



From:            "Carroll, Tim" <Carrolltd () ROANESTATE EDU>
To:              SECURITY () LISTSERV EDUCAUSE EDU,
Date:            01/25/2016 03:53 PM
Subject:                 Re: [SECURITY] PCI Wireless Question for other
            colleges/universities
Sent by:                 The EDUCAUSE Security Constituent Group Listserv
            <SECURITY () LISTSERV EDUCAUSE EDU>



The previous advice you received is all correct.  The only thing I would
add is how you handle vendors who come on campus temporarily and want to
use your network to process their payments.  We handled this by requiring
them (by policy and language on contracts) to use their own networks such
as a cellular wireless point.

Regards,

Tim
Tim Carroll
Assistant Vice President and Chief Information Officer Information
Technology Roane State Community College carrolltd () roanestate edu
865-882-4560

From: The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I’m wondering how other colleges/universities handled a specific PCI
requirement, 11.1.2, regarding unauthorized wireless access points.  We
have a few areas with payments going over wireless, but even if we changed
things to not use wireless for payments, it appears that this requirement
is applicable.

We have taken appropriate steps to secure the terminals/computers, and had
a skilled penetration testing company that was completely unable to break
through to the payment terminals (or even through the network
segmentation).  We also have scanning in place that can detect rogue access
points.  I believe that the systems are secure but security isn’t
compliance.

In this day and age where anyone can turn their phone into an access point,
there are always a number of them, most of them being transient.  What have
other colleges done when faced with these situations?  We’re not a huge
school that can afford the staff that it would take to go hunt the
transient access points down.

I’d appreciate anything you can share on- or off-list about this scenario.

Thanks,

Paul Chauvet
Information Security Officer
State University of New York at New Paltz chauvetp () newpaltz edu
845-257-3828
emlogo





This email is intended for the addressee and may contain privileged
information. If you are not the addressee, you are not permitted to use or
copy this email or its attachments nor may you disclose the same to any
third party. If this has been sent to you in error, please delete the email
and notify us by replying to this email immediately.


This message and any attachments contain confidential Excelsior College
information intended for the specific individual and purpose. If you are
not the intended recipient, you should notify the College and delete this
message. Any disclosure, copying, distribution or inappropriate use of this
message is strictly prohibited.

This message and any attachments contain confidential Excelsior College information intended for the specific 
individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. 
Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.