Educause Security Discussion mailing list archives
Re: PCI Wireless Question for other colleges/universities
From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 27 Jan 2016 17:07:24 +0000
Effectively, you can avoid being a PCI service provider by being treated as a true ISP and ensuring that the merchant manages their own network security and the only thing that hits your network is encrypted traffic. The big caveat is that your contract with the merchant really needs to note that you are not a PCI service provider, only an ISP, and provide no compliance services.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

On 1/27/16, 8:45 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Kevin Reedy" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of KReedy () EXCELSIOR EDU> wrote:

Eric,

This is the exact discussion we had internally. Counsel felt the definition of a service provider was narrow enough to exclude the transport layer. I will admit, after re-reading, the word 'transmission' is right in there, and that does give one pause. Before I re-read from that angle I was looking at a PCI service provider the same way I look at a HIPAA covered entity: you either are or you aren't, and there is no grey area. After hearing other opinions and re-reading the definition, it certainly leaves room for a bit of grey area. I don't think it will change our stance; we do have one vendor using their own Wifi equipment, which we connected at our demarc for them, and have interpreted that as 'Excelsior is not a service provider'. Interestingly, I did not see this contract, so I'm going to ask for a copy to review and see if there is any strange language in it that concerns me.

-Kevin

From: Eric Lukens <eric.lukens () UNI EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 01/26/2016 02:42 PM
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

DISCLAIMER, I am not a lawyer or a QSA, this is just my assessment.

I think this is an area where there is some disagreement. Some QSAs seem to indicate that once you accept CCs, you also need to "police" other entities that are affiliated with you in some way even if you offer them no services other than internet connectivity or leased space. Clearly, if you did not accept CCs at all, you have no contract with the banks, nor card brands, and shouldn't be held liable for essentially being an ISP or a landlord for a vendor. So, if you do accept CCs somewhere else on campus, does that liability change? I suspect much of the language created by the PCI Council is purposefully vague, simply because trying to define it narrowly would create loopholes that would be used to bypass requirements.

As such, the language is written broadly and you have to assess the risk yourself. I suspect that requirements on monitoring service providers and vendors are written broadly because of all the convoluted scenarios that can occur. Some of these businesses out there have hundreds of LLCs and shell companies to isolate risk. I suspect the PCI Council is making sure that risk goes back to where it belongs. Unfortunately, we can get caught in the net. Of course, any QSA can disagree and force you to do whatever. And remember, if the banks/card brands want to make you liable in a breach scenario, they will find a way.

-Eric

On Tue, Jan 26, 2016 at 1:11 PM, Carroll, Tim <Carrolltd () roanestate edu> wrote:

Kevin,

With regards to your question about PCI liability for a vendor, it is my belief that we would be liable only if they use my network to transmit credit card data. My assumption could be wrong, but I would rather err on the side of caution.

Regards,
Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Monday, January 25, 2016 4:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

Hi Tim,

I'm a little curious why you feel you have any PCI burden with a vendor that is not affiliated? Any exposure would be on them, with possible backlash being negative press for you because of selecting them. I don't see how the PCI burden transfers from vendor to host; that would be like an ISP being held responsible for a breach that occurred over the internet.

-Kevin

From: "Carroll, Tim" <Carrolltd () ROANESTATE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 01/25/2016 03:53 PM
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

The previous advice you received is all correct. The only thing I would add is how you handle vendors who come on campus temporarily and want to use your network to process their payments. We handled this by requiring them (by policy and language on contracts) to use their own networks, such as a cellular wireless point.

Regards,
Tim

Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized wireless access points. We have a few areas with payments going over wireless, but even if we changed things to not use wireless for payments, it appears that this requirement is applicable.

We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that was completely unable to break through to the payment terminals (or even through the network segmentation). We also have scanning in place that can detect rogue access points. I believe that the systems are secure, but security isn't compliance.

In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of them being transient. What have other colleges done when faced with these situations? We're not a huge school that can afford the staff that it would take to go hunt the transient access points down.

I'd appreciate anything you can share on- or off-list about this scenario.

Thanks,
Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu
845-257-3828

--
Eric C. Lukens
IT Security Compliance & Policy Analyst
ITS-Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/
"Security is a process, not a product." - Bruce Schneier
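An added example, not from the thread or any of its participants, of one way to cut down the hunting effort Paul describes: feed the output of an existing rogue-AP scanner through a triage step so that only BSSIDs seen repeatedly over time (a planted or forgotten AP) are sent for a physical walk-down, while one-off phone hotspots are logged and left alone. The sightings, sensor names and BSSIDs are constructed, and the persistence thresholds are assumptions to tune per site.

```python
"""Triage rogue-AP sightings into persistent vs. transient against an allow-list."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample scanner output: (timestamp, BSSID, SSID, sensor). Not real data.
SIGHTINGS = [
    ("2016-01-25T09:00:00", "00:11:22:33:44:01", "CampusWiFi", "bookstore-ap1"),
    ("2016-01-25T09:05:00", "aa:bb:cc:dd:ee:01", "iPhone", "bookstore-ap1"),
    ("2016-01-25T09:10:00", "aa:bb:cc:dd:ee:02", "NETGEAR", "bookstore-ap1"),
    ("2016-01-25T14:00:00", "aa:bb:cc:dd:ee:02", "NETGEAR", "bookstore-ap1"),
    ("2016-01-26T09:00:00", "aa:bb:cc:dd:ee:02", "NETGEAR", "bookstore-ap2"),
    ("2016-01-26T09:30:00", "aa:bb:cc:dd:ee:03", "AndroidAP", "cafe-ap1"),
]
# Constructed allow-list of BSSIDs belonging to the campus's own APs.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01"}


def triage(sightings, authorized, min_span=timedelta(hours=4), min_hits=3):
    """Return {bssid: record} for every BSSID not on the allow-list.

    A BSSID is classed 'persistent' when it was seen at least min_hits times
    across a window of at least min_span; everything else is 'transient'.
    Thresholds are assumed values, not a PCI DSS requirement.
    """
    seen = defaultdict(list)
    for ts, bssid, ssid, sensor in sightings:
        if bssid in authorized:
            continue
        seen[bssid].append((datetime.fromisoformat(ts), ssid, sensor))
    report = {}
    for bssid, hits in seen.items():
        times = sorted(t for t, _, _ in hits)
        span = times[-1] - times[0]
        persistent = len(hits) >= min_hits and span >= min_span
        report[bssid] = {
            "ssid": hits[0][1],
            "sensors": sorted({s for _, _, s in hits}),
            "hits": len(hits),
            "span_hours": round(span.total_seconds() / 3600, 1),
            "class": "persistent" if persistent else "transient",
        }
    return report


def persistent_bssids(sightings, authorized):
    """BSSIDs that merit a physical investigation under the site's response procedure."""
    report = triage(sightings, authorized)
    return sorted(b for b, r in report.items() if r["class"] == "persistent")


if __name__ == "__main__":
    for bssid, rec in triage(SIGHTINGS, AUTHORIZED_BSSIDS).items():
        print(bssid, rec)
```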