Educause Security Discussion mailing list archives
Re: PCI Compliance
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Fri, 23 Mar 2007 08:58:18 -0600
Kees,

Using PCI-compliant software only addresses part of the rules. If the credit card information traverses your network (if the bits traverse your wires) on their way between the client and the server, wherever the server lives, then there are things you are required to do in order to protect your network. Using a remotely hosted, PCI-compliant vendor for payments makes the job a lot easier, but you still need to be protecting your infrastructure if it's taking part in the transaction.

So here are a few scenarios to make this clear:

1) Off-campus user with remotely hosted app: User out in the world (not on your network) goes to your university bookstore site to make a purchase, shops and gets to the shopping cart. Upon clicking "pay", the user is redirected to the external site, so that the credit card information never touches your network. In this case, you just need to make sure the external vendor's software is certified and that your contracts with them include that stipulation. [Basic concept: hand off the liability]

2) On-campus user with remotely hosted app: User on campus uses the same system described in (1). Since the credit card information is typed into the browser on a campus computer, you need to make sure that (among other things) your computers have anti-virus protection, that the app is using encryption (HTTPS), and there are some other rules about user education, etc. This situation isn't significantly different from the Point-of-Sale card swipers in your brick-and-mortar bookstore: if they move across your data network on their way to the remote authorization vendor, you need to protect that part of your infrastructure. [Basic concept: protect the data in entry & transit]

3) Payment server hosted on campus (with your own or a third-party vendor's software): This is the most complicated to get right, and involves much more in the way of network protection for the server and the client-server traffic. It involves the full brunt of the PCIDSS, and it's hard enough to get this right that a lot of people have moved to third-party vendors hosting payment services offsite (like CashNET, etc). [Basic concept: protect the data in entry, transit and storage]

I hope this has made the situation clearer... I'd encourage you to go read the full PCIDSS (available at https://www.pcisecuritystandards.org/tech/index.htm). Whatever you think about the payment card industry's tactics, what they're requiring is actually good security and provides a good model to talk about securing networks in general.

Steve

==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================

-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Friday, March 23, 2007 7:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance

At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:
> Hello,
>
> On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
> > Has anyone had success with achieving compliance to the PCI standard? We've hit some confusion here. If we:
> > * license software that takes credit card payment over the web
> > * and the web servers are located on our campus
> > Aren't we obligated to make sure that the software is "PCI compliant" from the vendor?
>
> All organizations that handle credit card payments in any form (store, forward, accept, etc.) are required to ensure that they, but also all their vendors (the entire chain) are PCI compliant. So, technically, even if your entire organization is secure, but you use non PCI-compliant software to process credit card payments, you are in violation of the standard.
Here's my understanding, IANAL. PCI requires that you use products and services that are PCI compliant. If you use software, you need to ask the vendor if they are PCI compliant. You also need to ensure that the contract they sign states they are compliant. Beyond that, you have to do nothing. If the vendor is wrong about their compliance, then they have legal issues because of the contract and you should be able to pass the buck. Basically that's what the banks are doing.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
Current thread:
- PCI Compliance Theresa M Rowe (Mar 22)
- <Possible follow-ups>
- Re: PCI Compliance Penn, Blake (Mar 22)
- Re: PCI Compliance Kees Leune (Mar 23)
- Re: PCI Compliance Roger Safian (Mar 23)
- Re: PCI Compliance Lovaas,Steven (Mar 23)
- Re: PCI Compliance Penn, Blake (Mar 23)
- Re: PCI Compliance Bill Ogle (Mar 23)