Educause Security Discussion mailing list archives
Re: PCI Processing Practices
From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Wed, 5 Oct 2011 19:34:41 +0000
A couple weeks ago the PCI Security Standards Council posted some guidance on point-to-point encryption. If you use only POS devices with "hardware/hardware" point-to-point encryption, it looks like you can reduce your scope even more. See PDF link below, pages 82-83.

https://www.pcisecuritystandards.org/documents/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marley, Tim
Sent: Wednesday, October 05, 2011 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Processing Practices

Reviewing this thread it seems to me that we're throwing around a lot of terms without everyone agreeing to exactly what they mean. Processing, for example. By claiming to process the transactions internally, are you claiming that you work directly with the issuing or acquiring banks at the time of transaction to obtain an authorization? Or do you mean that the systems that 'process' payment card transactions are on campus and subsequently go out to a processor/acquiring bank who then takes the transaction from there?

Simplifying the validation process and limiting the scope of your environment can be as simple as removing the storage of cardholder data in your environment. By not storing cardholder data, you can typically drop from a SAQ D to a SAQ C.

We also use TouchNet as a component in our environment. However, this doesn't mean that we outsource all of our PCI transactions. We have a number of different campus merchants that use TouchNet services ranging from 3rd party hosted e-commerce to internal processes handing off transactions to the TouchNet payment gateway. The data is still crossing our network, and subsequently we end up with SAQ C or SAQ C-VT.

JML- We've done both. We have outsourced business functions for other reasons than compliance costs, which subsequently reduced the scope of our compliance efforts. But it was done for the gains from outsourcing the business and not for compliance fears, etc. We have also outsourced the server functions for POS applications, reducing our scope and dropping us from a SAQ D to a SAQ C. To drop it any further, we would have to outsource the physical network operations, something we aren't likely to do anytime soon.

In the end, we still end up filing a SAQ D for the University along with all of the controls that go along with it. Not ideal, but necessary due to the current business environment and needs.

Tim

Timothy J. Marley
CPA * CISSP * CISM * CISA * GSNA * GPEN * PCI ISA * CIPP
University of Oklahoma
Information Technology, Security Team
office 405.325.5418

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Monday, October 03, 2011 5:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Processing Practices

I'm following this thread with interest, but can someone tell me whether and how you're outsourcing brick-and-mortar card-present payment processing where there are complex POS environments like bookstores, cafeterias, sports facilities? Do you outsource the business, or outsource only a portion of the operations? And if the latter, how?

-jml
>>> Scott O Bradner <sob () HARVARD EDU> 2011-10-02 10:58 >>>

almost totally outsourced (maybe 1 or two merchants not)
outsourcing finished about 3 years ago

Scott

On Sep 30, 2011, at 2:41 PM, Paula E. Johnson wrote:

> We are reviewing our campus PCI processing practices and are curious how many of you have decided to do your own credit card processing and how many have decided to totally outsource this sort of transaction. Can you please respond with whether you satisfy your PCI needs internally, outsourced, or a combination. Thanks in advance for your help.
>
> Paula E. Johnson
> Fiscal Support Supervisor
> IT Services
> University of Arkansas
> Fayetteville, AR 72701
> 479-575-5870