Educause Security Discussion mailing list archives

Re: PCI Compliance


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Fri, 23 Mar 2007 08:58:18 -0600

Kees,

Using PCI-compliant software only addresses part of the rules. If the credit card information traverses your network 
(if the bits traverse your wires) on their way between the client and the server, wherever the server lives, then there 
are things you are required to do in order to protect your network. Using a remotely hosted, PCI-compliant vendor for 
payments makes the job a lot easier, but you still need to be protecting your infrastructure if it's taking part in the 
transaction.

So here are a few scenarios to make this clear:

1) Off-campus user with remotely hosted app:
User out in the world (not on your network) goes to your university bookstore site to make a purchase, shops and gets 
to the shopping cart. Upon clicking "pay", the user is redirected to the external site, so that the credit card 
information never touches your network. In this case, you just need to make sure the external vendor's software is 
certified and that your contracts with them include that stipulation.
[Basic concept: hand off the liability]

2) On-campus user with remotely hosted app:
User on campus uses the same system described in (1). Since the credit card information is typed into the browser on a 
campus computer, you need to make sure that (among other things) your computers have anti-virus protection, that the 
app is using encryption (HTTPS), and there are some other rules about user education, etc. This situation isn't 
significantly different from the Point-of-Sale card swipers in your brick-and-mortar bookstore: if they move across 
your data network on their way to the remote authorization vendor, you need to protect that part of your infrastructure.
[Basic concept: protect the data in entry & transit]

3) Payment server hosted on campus (with your own or a third-party vendor's software):
This is the most complicated to get right, and involves much more in the way of network protection for the server and 
the client-server traffic. It involves the full brunt of the PCIDSS, and it's hard enough to get this right that a lot 
of people have moved to third-party vendors hosting payment services offsite (like CashNET, etc).
[Basic concept: protect the data in entry, transit and storage]

I hope this has made the situation clearer... I'd encourage you to go read the full PCIDSS (available at 
https://www.pcisecuritystandards.org/tech/index.htm). Whatever you think about the payment card industry's tactics, 
what they're requiring is actually good security and provides a good model to talk about securing networks in general.

Steve



==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Friday, March 23, 2007 7:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance

At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:
Hello,

On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
Has anyone had success with achieving compliance to the PCI standard?

We've hit some confusion here.  If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant"
from the vendor?

All organizations that handle credit card payments in any form (store,
forward, accept, etc.) are required to ensure that they, but also all
their vendors (the entire chain) are PCI compliant.

So, technically, even if your entire organization is secure, but you
use non-PCI-compliant software to process credit card payments, you are
in violation of the standard.

Here's my understanding, IANAL.  PCI requires that you use products and services that are PCI compliant.  If you use 
software, you need to ask the vendor if they are PCI compliant.  You also need to ensure that the contract they sign 
states they are compliant.  Beyond that, you have to do nothing.  If the vendor is wrong about their compliance, then 
they have legal issues because of the contract and you should be able to pass the buck.  Basically that's what the 
banks are doing.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"