Educause Security Discussion mailing list archives

Re: PCI Wireless Question for other colleges/universities


From: "Carroll, Tim" <Carrolltd () ROANESTATE EDU>
Date: Mon, 25 Jan 2016 20:52:47 +0000

The previous advice you received is all correct.  The only thing I would add is how you handle vendors who come on 
campus temporarily and want to use your network to process their payments.  We handled this by requiring them (by 
policy and language on contracts) to use their own networks such as a cellular wireless point.

Regards,

Tim
Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul 
Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized 
wireless access points.  We have a few areas with payments going over wireless, but
even if we changed things to not use wireless for payments, it appears that this requirement is applicable.

We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that 
was completely unable to break through to the payment terminals (or even through the network segmentation).  We also 
have scanning in place that can detect rogue access points.  I believe that the systems are secure but security isn't 
compliance.

In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of 
them being transient.  What have other colleges done when faced with these situations?  We're not a huge school that 
can afford the staff that it would take to go hunt the transient access points down.

I'd appreciate anything you can share on- or off-list about this scenario.

Thanks,

Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu
845-257-3828

