Educause Security Discussion mailing list archives
Re: PCI compliance on a university network
From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Tue, 22 Dec 2009 13:51:43 -0800
This mailing list has vendors on it?

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Johnson
Sent: Tuesday, December 22, 2009 4:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

We are a QSA that has addressed your scoping question at least once a week from an educational institution or municipality. With all respect to your finance department for being aware and working with you on PCI, they are not security folks. I applaud your seeking other input.

Just a couple of points to stir things up. Using a Gateway (CashNet, AuthNet or other) does not remove any institution's responsibility for being PCI Compliant. A virtual terminal or a gateway can reduce scope. It is a near fatal error to rely on the gateway to provide your institution coverage for PCI. It is the same for the argument of tokenization or encryption. To quote Troy Leach from the PCI Council: "There is no silver bullet".

What is the level of documentation you have on the system? Identifying all access points is critical. How are you monitoring the network for rogue devices (such as you highlighted by a club using university resources)? How are you quarantining?

You make no mention of acceptable use policy. (I suggest you look at this listserv archive to find some of the strings on this subject.) A solid student and faculty signed acceptable use policy will help deter wrongful activities (or at least give you the premise to legally pursue perps).

Finally, it is important that someone on your team (you?) become the knowledge leader in PCI. It may make sense for the university to reach out to a QSA for a GAP conversation.

This is not a shameful plug but if we can help, please let me know off line and I will respond. Otherwise, keep up the good fight.

Michael Johnson
ComplyGuard Networks.
516 887 0178