Educause Security Discussion mailing list archives
Re: Merchant services credit card project
From: Steve Bernard <sbernard () GMU EDU>
Date: Mon, 27 Jun 2005 00:25:59 -0400
My understanding is in line with what you have expressed, but with some extensions. For example, if the processing system(s) interact with a database or file server and store transaction information on it, then that server is included, although it may be separated from the processing gateway by a firewall. It's also a good idea to audit the systems used by developers or administrators who directly access the processing gateway and/or related ancillary systems. This falls into the realm of transitive trust.

It's also important to consider onsite POS (point of sale) devices and similar systems that initiate credit card transactions. Many such devices run stripped-down MS Windows operating systems, some dating back to Windows 98. Given the lack of explicit guidelines in this area, an organization could decide not to include these, but they should be considered. The criticality is influenced by the network architecture and the processing products involved. There's a big difference between a POS device on a private network utilizing secure communications protocols and one that may have a public IP address on a shared network and be using a simple serial-to-IP communication protocol.

Steve

On Jun 26, 2005, at 11:19 PM, Willis Marti wrote:
For example, the term "public facing" (used in the self assessment) is something that we don't seem to agree on here. Does this mean the public Internet or basically anyone (including campus users) that interfaces with the front-end transaction gateway?

We have about 10 different processing sites physically on our main campus. Our understanding is that for each processing system, I have to establish a demarcation point, using a firewall that does NAT, such that all traffic to a credit card system flows through that firewall. Any system "behind" the firewall must be covered by the assessment. Anything outside that firewall is the public. So we have a campus (and some departmental) firewall, but we also have a firewall in front of every processing system. Our residence halls, for example, are behind the campus firewall, but are "public" compared to any of the card processing systems.

Cheers,
Willis Marti
Associate Director for Networking
Computing & Information Services
Texas A&M University
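The scoping rules the two posts describe (Willis's "everything behind the per-system firewall is in scope" demarcation, and Steve's extensions for data stores, administrator workstations reached through transitive trust, and POS devices that initiate transactions) can be run as a graph walk. The script below is an added example, not code from either poster or from any campus; the host names, zones, edge kinds and the three-level POS exposure rating are assumptions constructed for illustration.

```python
"""Trust-graph scoping for a card-processing environment.

Added example, not part of the thread. The hosts and relationships below
are constructed for illustration. The rules encode what the two posts
describe: everything behind a processing system's firewall is in scope,
plus the stores the gateway writes to, the workstations that administer
in-scope systems (transitive trust), and POS devices that initiate
transactions toward the gateway.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                       # firewall segment the host sits in
    roles: set = field(default_factory=set)
    public_ip: bool = False
    protocol: str = "tls"           # transport used toward the gateway


# Edge kinds and the direction in which scope propagates along them:
#   stores_on:    src writes transaction data to dst     -> dst joins if src is in
#   administers:  src has direct admin access to dst     -> src joins if dst is in
#   initiates_to: src initiates card transactions to dst -> src joins if dst is in
PULLS_DST = {"stores_on"}
PULLS_SRC = {"administers", "initiates_to"}


def scope(hosts, edges):
    """Return {host_name: reason} for every host that falls into scope."""
    gateway_zones = {h.zone for h in hosts if "gateway" in h.roles}
    reasons = {}
    queue = deque()
    # Seed: the gateways and everything behind the same per-system firewall.
    for h in hosts:
        if "gateway" in h.roles:
            reasons[h.name] = "processing gateway"
            queue.append(h.name)
        elif h.zone in gateway_zones:
            reasons[h.name] = f"behind the {h.zone} firewall"
            queue.append(h.name)
    # Propagate along trust edges until nothing new is pulled in.
    while queue:
        current = queue.popleft()
        for src, dst, kind in edges:
            if kind in PULLS_DST and src == current and dst not in reasons:
                reasons[dst] = f"stores data for {src}"
                queue.append(dst)
            elif kind in PULLS_SRC and dst == current and src not in reasons:
                verb = "administers" if kind == "administers" else "initiates transactions to"
                reasons[src] = f"{verb} {dst}"
                queue.append(src)
    return reasons


def pos_exposure(host):
    """Rate a POS device by the two factors the post singles out (assumed scale)."""
    if host.public_ip and host.protocol != "tls":
        return "high"      # reachable from a shared network, plaintext transport
    if not host.public_ip and host.protocol == "tls":
        return "low"
    return "medium"


# Constructed topology (not a real campus network).
HOSTS = [
    Host("gw-bookstore", "dmz-bookstore", {"gateway"}),
    Host("db-bookstore", "data", {"database"}),
    Host("admin-ws", "staff", {"admin"}),
    Host("jump-host", "staff", {"admin"}),
    Host("pos-register-1", "dmz-bookstore", {"pos"}),
    Host("pos-kiosk-2", "campus", {"pos"}, public_ip=True, protocol="serial-over-ip"),
    Host("reshall-dhcp", "campus"),                # "public" relative to the gateway
]
EDGES = [
    ("gw-bookstore", "db-bookstore", "stores_on"),
    ("admin-ws", "db-bookstore", "administers"),
    ("jump-host", "admin-ws", "administers"),      # transitive trust, two hops out
    ("pos-kiosk-2", "gw-bookstore", "initiates_to"),
    ("admin-ws", "reshall-dhcp", "administers"),   # does not pull reshall-dhcp in
]

if __name__ == "__main__":
    in_scope = scope(HOSTS, EDGES)
    for name, why in sorted(in_scope.items()):
        print(f"{name:16} in scope: {why}")
    for h in HOSTS:
        if "pos" in h.roles and h.name in in_scope:
            print(f"{h.name:16} POS exposure: {pos_exposure(h)}")
```

Scope only flows in the direction trust does: a workstation that administers an in-scope database is pulled in, and so is the jump host that administers that workstation, but a residence-hall server that the same workstation happens to administer is not, which is what keeps the rest of the campus "public" in Willis's sense. Run on the constructed topology, six hosts land in scope and the kiosk with a public address and a serial-over-IP link is the one rated high.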
Current thread:
- Merchant services credit card project Theresa M Rowe (Jun 24)
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 26)
- Re: Merchant services credit card project Scott Genung (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Steve Bernard (Jun 26)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Willis Marti (Jun 27)
- Re: Merchant services credit card project Theresa M Rowe (Jun 27)
