Educause Security Discussion mailing list archives
Re: PCI Wireless Question for other colleges/universities
From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 25 Jan 2016 22:03:43 +0000
Yes, it is common to see contracts that simply say "each party will maintain PCI compliance when they are handling card data" or similar. Then the vendor assumes your network is secure because you signed something saying you'd be PCI compliant, and allowed them to plug into your network without special extra steps. I've seen it multiple times.

As part of PCI 3.x, contracts now need to have more explicit role definitions. One of the reasons for this was that there was a lot of finger pointing when things went wrong about who was responsible for what.

That said, contracts tend to be auto-renewing (or at least a minimal rubber-stamp step), so there's a good chance most vendor contracts have old language that isn't specific about PCI roles, and it won't be updated without manual intervention.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Monday, January 25, 2016 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

It seems like a bit of a stretch to me, but I can see that as an interpretation. I'm not sure that a contract would save you in the event you are deemed a service provider, though. Do you see any fallout with the equipment being on your site and getting tampered with? A skimmer placed on the device and not detected? Regardless, I agree a better-safe-than-sorry approach might be best here.

-Kevin

From: Brad Judy <brad.judy () CU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 01/25/2016 04:33 PM
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

That depends: are you 100% confident that whatever contract was signed did not even slightly imply that your institution is a PCI service provider to the vendor?

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Monday, January 25, 2016 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities

Hi Tim,

I'm a little curious why you feel you have any PCI burden with a vendor that is not affiliated? Any exposure would be on them, with possible backlash being negative press for you because of selecting them. I don't see how the PCI burden transfers from vendor to host; that would be like an ISP being held responsible for a breach that occurred over the internet.

-Kevin

From: "Carroll, Tim" <Carrolltd () ROANESTATE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 01/25/2016 03:53 PM
Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

The previous advice you received is all correct. The only thing I would add is how you handle vendors who come on campus temporarily and want to use your network to process their payments. We handled this by requiring them (by policy and language on contracts) to use their own networks, such as a cellular wireless point.

Regards,
Tim

Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet
Sent: Monday, January 25, 2016 1:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Wireless Question for other colleges/universities

Hello all,

I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized wireless access points. We have a few areas with payments going over wireless, but even if we changed things to not use wireless for payments, it appears that this requirement is applicable.

We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that was completely unable to break through to the payment terminals (or even through the network segmentation). We also have scanning in place that can detect rogue access points. I believe that the systems are secure, but security isn't compliance.

In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of them being transient. What have other colleges done when faced with these situations? We're not a huge school that can afford the staff that it would take to go hunt the transient access points down.

I'd appreciate anything you can share on- or off-list about this scenario.

Thanks,
Paul Chauvet
Information Security Officer
State University of New York at New Paltz
chauvetp () newpaltz edu
845-257-3828

This email is intended for the addressee and may contain privileged information. If you are not the addressee, you are not permitted to use or copy this email or its attachments nor may you disclose the same to any third party.
If this has been sent to you in error, please delete the email and notify us by replying to this email immediately.

This message and any attachments contain confidential Excelsior College information intended for the specific individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.
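Paul Chauvet's point that most detected access points are transient phone hotspots is the practical problem with requirement 11.1.2 on a campus: the response procedure has to exist, but it cannot mean a physical hunt for every hotspot that appears for fifteen minutes. One way to keep it manageable is to triage rogue-AP scan output against the inventory of authorized BSSIDs and escalate only what is unauthorized and either persistent across scans or advertising one of the institution's own SSIDs. The script below is an added example written for this thread; it is not code from any of the posters or their institutions. The BSSIDs, SSIDs, sensor names and scan records are constructed, and the two-hour "transient" window is an assumed tuning value that an institution would set and document in its own procedure.

```python
"""Triage rogue-AP scan observations against an authorized-AP inventory.

Added example (not from the mailing-list thread). All BSSIDs, SSIDs,
sensor names and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of authorized access points: BSSID -> SSID.
# In practice this is the inventory the PCI wireless requirements expect
# you to maintain; here it is hypothetical.
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "CampusWiFi",
    "00:11:22:aa:bb:02": "CampusWiFi",
    "00:11:22:aa:bb:03": "Bursar-POS",
}
OUR_SSIDS = set(AUTHORIZED_BSSIDS.values())

# Constructed scan observations exported from a rogue-detection sensor:
# (timestamp, bssid, ssid, sensor-that-saw-it). The date is the thread's.
T0 = datetime(2016, 1, 25, 9, 0)
SCAN_LOG = [
    (T0, "00:11:22:aa:bb:01", "CampusWiFi", "sensor-bursar"),
    (T0 + timedelta(minutes=30), "00:11:22:aa:bb:01", "CampusWiFi", "sensor-bursar"),
    (T0, "00:11:22:aa:bb:03", "Bursar-POS", "sensor-bursar"),
    # Phone hotspot seen twice in fifteen minutes: transient.
    (T0 + timedelta(minutes=30), "de:ad:be:ef:00:01", "Johns iPhone", "sensor-library"),
    (T0 + timedelta(minutes=45), "de:ad:be:ef:00:01", "Johns iPhone", "sensor-library"),
    # Consumer AP seen across two days near the bursar: persistent, investigate.
    (T0, "de:ad:be:ef:00:02", "NETGEAR12", "sensor-bursar"),
    (T0 + timedelta(hours=3), "de:ad:be:ef:00:02", "NETGEAR12", "sensor-bursar"),
    (T0 + timedelta(hours=6), "de:ad:be:ef:00:02", "NETGEAR12", "sensor-bursar"),
    (T0 + timedelta(days=1), "de:ad:be:ef:00:02", "NETGEAR12", "sensor-bursar"),
    # Unknown BSSID advertising one of our SSIDs: investigate even if seen once.
    (T0 + timedelta(hours=1), "de:ad:be:ef:00:03", "CampusWiFi", "sensor-library"),
]

# Verdicts that go onto the incident-response worklist, lowest number first.
PRIORITY = {"investigate-ssid-spoof": 0, "investigate-persistent": 1}


def triage(scan_log, authorized, our_ssids, transient_window=timedelta(hours=2)):
    """Group observations per BSSID and assign each one a verdict.

    authorized   -> BSSID is in the inventory
    ssid-spoof   -> unauthorized BSSID advertising one of our SSIDs
    transient    -> unauthorized, but only seen within `transient_window`
    persistent   -> unauthorized and seen over a span longer than the window
    """
    seen = defaultdict(list)
    for ts, bssid, ssid, sensor in scan_log:
        seen[bssid.lower()].append((ts, ssid, sensor))

    results = {}
    for bssid, obs in seen.items():
        obs.sort()  # tuples sort by timestamp first
        first, last = obs[0][0], obs[-1][0]
        ssids = {o[1] for o in obs}
        sensors = {o[2] for o in obs}
        if bssid in authorized:
            verdict = "authorized"
        elif ssids & our_ssids:
            verdict = "investigate-ssid-spoof"
        elif last - first < transient_window:
            verdict = "transient"
        else:
            verdict = "investigate-persistent"
        results[bssid] = {
            "verdict": verdict,
            "first_seen": first,
            "last_seen": last,
            "observations": len(obs),
            "ssids": sorted(ssids),
            "sensors": sorted(sensors),
        }
    return results


def worklist(results):
    """BSSIDs that need a human response, highest priority first,
    ties broken by how often the device has been observed."""
    todo = [(PRIORITY[r["verdict"]], -r["observations"], b)
            for b, r in results.items() if r["verdict"] in PRIORITY]
    return [b for _, _, b in sorted(todo)]


def run():
    """Triage the constructed scan log against the constructed inventory."""
    return triage(SCAN_LOG, AUTHORIZED_BSSIDS, OUR_SSIDS)


if __name__ == "__main__":
    res = run()
    for bssid in worklist(res):
        r = res[bssid]
        print(f"{bssid}  {r['verdict']:24} seen {r['observations']}x "
              f"{r['first_seen']:%m-%d %H:%M}..{r['last_seen']:%m-%d %H:%M} "
              f"ssids={r['ssids']} sensors={r['sensors']}")
    quiet = [b for b, r in res.items() if r["verdict"] == "transient"]
    print(f"{len(quiet)} transient AP(s) logged, no field response required")
```

Records of this shape can be exported from most WLAN controllers' rogue-detection features; the point of the script is that the transient-vs-persistent distinction, and the special case of an unknown device advertising an institutional SSID, become written rules that an assessor can read as the "detect and respond" process rather than an ad-hoc judgement call. The window, the sensors that cover payment areas, and what counts as a response for each verdict belong in the documented procedure alongside the script's output.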
Current thread:
- PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Rumford, Charles C (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Eric Lukens (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Dexter Caldwell (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 27)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 27)