Educause Security Discussion
mailing list archives
Re: PCI Compliance
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Fri, 23 Mar 2007 08:58:18 -0600
Using PCI-compliant software only addresses part of the rules. If the credit card information traverses your network
(if the bits traverse your wires) on their way between the client and the server, wherever the server lives, then there
are things you are required to do in order to protect your network. Using a remotely hosted, PCI-compliant vendor for
payments makes the job a lot easier, but you still need to be protecting your infrastructure if it's taking part in the
So here are a few scenarios to make this clear:
1) Off-campus user with remotely hosted app:
User out in the world (not on your network) goes to your university bookstore site to make a purchase, shops and gets
to the shopping cart. Upon clicking "pay", the user is redirected to the external site, so that the credit card
information never touches your network. In this case, you just need to make sure the external vendor's software is
certified and that your contracts with them include that stipulation.
[Basic concept: hand off the liability]
2) On-campus user with remotely hosted app:
User on campus uses the same system described in (1). Since the credit card information is typed into the browser on a
campus computer, you need to make sure that (among other things) your computers have anti-virus protection, that the
app is using encryption (HTTPS), and there are some other rules about user education, etc. This situation isn't
significantly different from the Point-of-Sale card swipers in your brick-and-mortar bookstore: if they move across
your data network on their way to the remote authorization vendor, you need to protect that part of your infrastructure.
[Basic concept: protect the data in entry & transit]
3) Payment server hosted on campus (with your own or a third-party vendor's software):
This is the most complicated to get right, and involves much more in the way of network protection for the server and
the client-server traffic. It involves the full brunt of the PCIDSS, and it's hard enough to get this right that a lot
of people have moved to third-party vendors hosting payment services offsite (like CashNET, etc).
[Basic concept: protect the data in entry, transit and storage]
I hope this has made the situation clearer... I'd encourage you to go read the full PCIDSS (available at
https://www.pcisecuritystandards.org/tech/index.htm). Whatever you think about the payment card industry's tactics,
what they're requiring is actually good security and provides a good model to talk about securing networks in general.
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
Steven.Lovaas () ColoState EDU
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Friday, March 23, 2007 7:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance
At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:
On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
Has anyone had success with achieving compliance to the PCI standard?
We've hit some confusion here. If we:
* license software that takes credit card payment over the web
* and the web servers are located on our campus
Aren't we obligated to make sure that the software is "PCI compliant"
All organizations that handle credit card payments in any form (store,
forward, accept, etc.) are required to ensure that they, but also all
their vendors (the entire chain) are PCI compliant.
So, technically, even if your entire organization is secure, but you
use non-PCI-compliant software to process credit card payments, you are
in violation of the standard.
Here's my understanding, IANAL. PCI requires that you use products and services that are PCI compliant. If you use
software, you need to ask the vendor if they are PCI compliant. You also need to ensure that the contract they sign
states they are compliant. Beyond that, you have to do nothing. If the vendor is wrong about their compliance, then
they have legal issues because of the contract and you should be able to pass the buck. Basically that's what the
banks are doing.
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax) "You're never too old to have a great childhood!"