Educause Security Discussion mailing list archives

Re: PCI compliance on a university network


From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Tue, 22 Dec 2009 13:51:43 -0800

This mailing list has vendors on it?

Todd A. Plesco  CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Johnson
Sent: Tuesday, December 22, 2009 4:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance on a university network

We are a QSA that has addressed your scoping question at least once a
week from an educational institution or municipality. With all respect
to your finance department for being aware and working with you on PCI,
they are not security folks. I applaud your seeking other input.

Just a couple of points to stir things up.
Using a gateway (CashNet, AuthNet or other) does not remove any
institution's responsibility for being PCI compliant. A virtual terminal
or a gateway can reduce scope. It is a near fatal error to rely on the
gateway to provide your institution coverage for PCI. It is the same for
the argument of tokenization or encryption. To quote Troy Leach from the
PCI Council: "There is no silver bullet".

What is the level of documentation you have on the system? Identifying
all access points is critical. How are you monitoring the network for
rogue devices (such as you highlighted by a club using university
resources)? How are you quarantining?

You make no mention of acceptable use policy. (I suggest you look at
this listserv archive to find some of the strings on this subject.) A
solid student and faculty signed acceptable use policy will help deter
wrongful activities (or at least give you the premise to legally pursue
perps).

Finally, it is important that someone on your team (you?) become the
knowledge leader in PCI. It may make sense for the university to reach
out to a QSA for a GAP conversation.

This is not a shameful plug but if we can help, please let me know off
line and I will respond. Otherwise, keep up the good fight.

Michael Johnson
ComplyGuard Networks.
516 887 0178