
We're preparing for a network penetration test for PCI compliance audit and we are stuck on a merry-go-round about the scope of "cardholder environment." 
 
We accept credit cards through our website and we have credit card readers in several locations that transmit data via Ethernet.  We do not store credit card data anywhere.  Is the scope of cardholder environment limited to the web servers, databases, and network appliances where credit card data will pass through or does it also include infrastructure that has nothing to do with processing credit card data but is considered part of the cardholder environment by virtue of it being on the same network?
Scott Ciliberti, Chief Information Officer
Enterprise Technology Services
536 Mission Street, Room P-49
San Francisco, CA 94105
v: 415.369.5365
 
I'm participating in the AIDS Lifecycle; a 7-day 545 mile cycling fundraising event between SF and LA.  http://www.tofighthiv.org/goto/sciliberti to make a donation.

Comments

Message from christb@sou.edu

We accept credit cards through our website and we have credit card readers in several locations that transmit data via Ethernet.  We do not store credit card data anywhere.  Is the scope of cardholder environment limited to the web servers, databases, and network appliances where credit card data will pass through or does it also include infrastructure that has nothing to do with processing credit card data but is considered part of the cardholder environment by virtue of it being on the same network?

It is common to segregate the machines that process credit card data on to their own "network."  It was sufficient for us to put them into their own VLAN(s) and firewall them from the rest of campus and the Internet.  This way, we avoided having to show compliance on every workstation, server, etc.

--
Brad Christ
Chief Information Officer
Southern Oregon University


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Another common practice is to use encryption.  As you may be aware, the standard does promote/allow the use of strong encryption to transmit cardholder data across a public network.  In cases where you have card processing stations geographically distant from your web server infrastructure—you could purchase inexpensive firewall devices and place them in front of your card processing systems.  (Assumption you are protecting your web infrastructure as well…)  You can then use those devices to establish a VPN connection back to your web server/infrastructure.  Both firewalls (and everything behind them) are then in scope for PCI DSS Compliance, but the network in between is not.

 

Many of us are using payment gateways, such as Touchnet, which allow you to significantly reduce your scope, as the service provider handles credit card transactions, including authorization and settlement.  The CDE is effectively outsourced to a service provider, which allows you to fill out the ‘short version’ of the SAQ, rather than the more extensive (b-d).

 

Regards,

 

Tammy L. Clark, CISSP, CISM, CISA, HISP, CRISC, PMP

Chief Information Security Officer

Information Security Coordination

tlclark@gsu.edu

404-413-4509
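Brad's VLAN-plus-firewall segmentation and Tammy's firewall-to-firewall VPN both come down to one property: the card-processing segment accepts nothing from the rest of campus and originates only the flows it needs. The following script is an added example, not something posted in this thread or used by any of the institutions named. It audits a vendor-neutral ruleset (plain dicts, not any firewall's syntax) for that property. All addresses are constructed assumptions: 10.50.0.0/24 is the campus card-processing VLAN, 10.51.0.0/24 the card readers behind a remote site firewall, 203.0.113.0/24 the payment gateway, and 198.51.100.7 the remote firewall's outside address used for the VPN.

```python
"""Audit a simple firewall ruleset for cardholder-environment segmentation.

Constructed example: addresses, rule format and the allowed flows are
assumptions for illustration, not a real campus layout.
"""
from ipaddress import ip_network

CDE_NETS = [ip_network("10.50.0.0/24"),   # card-processing VLAN on campus
            ip_network("10.51.0.0/24")]   # card readers behind the remote site firewall
GATEWAY = ip_network("203.0.113.0/24")    # payment gateway / service provider
VPN_PEER = ip_network("198.51.100.7/32")  # remote site firewall's outside address
ANY = ip_network("0.0.0.0/0")

# Flows a CDE host may originate to anything outside the CDE: (dst, proto, port)
ALLOWED_EGRESS = [
    (GATEWAY, "tcp", 443),    # authorization/settlement to the gateway over TLS
    (VPN_PEER, "udp", 500),   # IKE to the remote site firewall
    (VPN_PEER, "udp", 4500),  # IKE / ESP with NAT traversal
]

def _net(spec):
    return ANY if spec == "any" else ip_network(spec)

def _within_cde(net):
    # Entirely inside one of the in-scope segments
    return any(net.subnet_of(c) for c in CDE_NETS)

def _touches_cde(net):
    # Covers at least part of an in-scope segment ("any" always does)
    return any(net.overlaps(c) for c in CDE_NETS)

def _egress_allowed(dst, proto, dport):
    return any(dst.subnet_of(n) and proto == p and dport == q
               for n, p, q in ALLOWED_EGRESS)

def audit_rules(rules):
    """Return findings for an ordered list of {action, src, dst, proto, dport}.

    An empty list means the ruleset isolates the CDE as described above.
    """
    findings = []
    if not rules:
        return ["empty ruleset: no default deny"]
    last = rules[-1]
    # First-match semantics assumed; require an explicit catch-all deny
    if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append("last rule is not an explicit deny any -> any")
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src, dst = _net(r["src"]), _net(r["dst"])
        # Inbound: anything out of scope reaching into the CDE
        if _touches_cde(dst) and not _within_cde(src):
            findings.append(f"rule {i}: inbound to CDE from out-of-scope {r['src']}")
        # Outbound: CDE hosts reaching anything beyond the allow-listed flows
        if (_touches_cde(src) and not _within_cde(dst)
                and not _egress_allowed(dst, r["proto"], r["dport"])):
            findings.append(f"rule {i}: CDE egress to {r['dst']} "
                            f"{r['proto']}/{r['dport']} not on the allow-list")
    return findings

def is_segmented(rules):
    return not audit_rules(rules)

# Constructed "flat network" ruleset of the kind scoping discussions start from
WEAK_RULES = [
    {"action": "allow", "src": "10.0.0.0/8", "dst": "10.50.0.0/24", "proto": "tcp", "dport": 3389},
    {"action": "allow", "src": "10.50.0.0/24", "dst": "any", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "any", "dst": "any", "proto": "any", "dport": "any"},
]

# Constructed ruleset after putting the CDE in its own VLAN with a site-to-site VPN
HARDENED_RULES = [
    {"action": "allow", "src": "10.50.0.0/24", "dst": "203.0.113.0/24", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "10.50.0.0/24", "dst": "198.51.100.7/32", "proto": "udp", "dport": 500},
    {"action": "allow", "src": "10.50.0.0/24", "dst": "198.51.100.7/32", "proto": "udp", "dport": 4500},
    {"action": "allow", "src": "10.51.0.0/24", "dst": "10.50.0.0/24", "proto": "tcp", "dport": 443},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any"},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules) or "no findings")
```

The remote reader segment is treated as part of the CDE, which matches Tammy's point that both firewalls and everything behind them stay in scope while the network carrying the tunnel does not. Each finding the script prints for the flat ruleset is one more reason a QSA would pull campus workstations into the assessment.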

 

We've spent a lot of time and money on PCI compliance, and scope of the cardholder environment has been a significant problem to work through.  The opinion from our QSA auditor we had was that the credit card readers are within scope as they transmit PAN.   We also implemented a PCI-specific VLAN as previously described by Brad.  In particular, we had to pay attention to any upgrade processes for the card readers and how those credit card readers are touched by any upgrade or security protections.

Theresa
 
