
Wondering if anyone has a policy or risk assessment on use of their college network (wired port, routing, and Internet connection) by 3rd party vendors for transmission of encrypted credit and debit card transactions. We've got a vendor who wants to set up a "self service" cafe in our Library. Students would swipe their credit/debit card on their equip, and presto, they get a sandwich out of a machine. The vendor wants us to provide a wired connection to the Internet for their machine. We feel the vendor should pay for their own separate ISP connection and wired pathway, but wondered if others have a risk assessment, policy, SLA, data, or advice on it.
 
Thanks in advance for any input,
- John
 
John Taylor
Dean of Information Technology
Cayuga Community College
197 Franklin Street, Auburn, NY, 13021-3099
315.294.8520  x2220

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

John,

We don't have a formal policy, but our practice is consistent with what you described. We have a few vendors on campus with similar network needs. We provide them with a circuit on campus, but they need to connect it to an independent provider of some sort.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


John,

Good afternoon. We tell vendors that we do not allow credit card numbers on our campus network, period. We will not provide them drops from the campus network if it is going to involve transmitting credit card data. We suggest that they either use a 3G or 4G wireless connection, or we will help them obtain their own wired Internet access that does not run on the campus network.

As an example, last year we outsourced the campus bookstore to Barnes and Noble. They installed their own T1 connection for the bookstore for their credit card transactions.

Fortunately, we have the good fortune of working with a Financial Services team that supports our stance with regard to PCI compliance: no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

Good luck.

Fred

From: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Wed, 4 Apr 2012 04:04:49 -0400
To: <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: [CIO] Vendors and network use risk for credit card/EFT transactions

Wondering if anyone has a policy or risk assessment on use of their college network (wired port, routing, and Internet connection) by 3rd party vendors for transmission of encrypted credit and debit card transactions. We've got a vendor who wants to set up a "self service" cafe in our Library. Students would swipe their credit/debit card on their equip, and presto, they get a sandwich out of a machine. The vendor wants us to provide a wired connection to the Internet for their machine. We feel the vendor should pay for their own separate ISP connection and wired pathway, but wondered if others have a risk assessment, policy, SLA, data, or advice on it.
 
Thanks in advance for any input,
- John
 

Message from mike.cunningham@pct.edu

Fred, what would you do if the college owned the vending equipment in question or ran your own bookstore? I think I would agree that no 3rd party be allowed to use your campus network for profit, but what if your Campus Police office wanted to let students pay fines using a credit card. Would you not allow them to do that?

 

> … no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

 

We don’t store credit card numbers, and our credit card processing is through a third party vendor – the same way most schools do it these days, I suspect.  So my obvious question is about the verb “transmit”.  If a student wanted to register for classes and then pay tuition and fees from on campus, would you tell them they had to go off campus to pay tuition and fees because they weren’t allowed to “transmit” a credit card number over the campus network?  And if so, what technical means would you have on campus to prevent them from doing so?  And in any case, wouldn’t such “transmission” be over https and so wouldn’t be in clear text?

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 


F
--
Kamran Khan
Rice University
Vice Provost for Information Technology
Mudd Building - MS 119
PO Box 1892
Houston TX 77251-1892

Voice: 713.348.3500
fax: 713.348.3501
kamran@rice.edu
www.rice.edu
From: "Bryan, Jerry" <jbryan@PSTCC.EDU>
Sender: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Wed, 4 Apr 2012 15:39:34 -0400
To: <CIO@LISTSERV.EDUCAUSE.EDU>
ReplyTo: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [CIO] Vendors and network use risk for credit card/EFT transactions

> … no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

 

We don’t store credit card numbers, and our credit card processing is through a third party vendor – the same way most schools do it these days, I suspect.  So my obvious question is about the verb “transmit”.  If a student wanted to register for classes and then pay tuition and fees from on campus, would you tell them they had to go off campus to pay tuition and fees because they weren’t allowed to “transmit” a credit card number over the campus network?  And if so, what technical means would you have on campus to prevent them from doing so?  And in any case, wouldn’t such “transmission” be over https and so wouldn’t be in clear text?

 

Jerry

 


I am with Fred on this one. If the credit card, encrypted or not, is intercepted and cracked (no encryption is unbeatable), the university might have some liability if the card owner takes legal action or just wants to make a stink. Another consideration is that the vendor's system would be off-line in the event of network down time for whatever reason, be it scheduled, utility failure, or corrupted config. Lots of ways for a net to go down.

A T-1 connection is not that expensive and is totally under the vendor's control, especially if the demarc is placed such that no university wiring is used. However, we have used our cable to "extend" the demarc across campus.

If someone on campus is championing this installation and they are powerful, it may be moot.

As my momma used to say, "better to be safe than sorry."

Bob Paver

As you simplify your life, the laws of the universe will be simpler; solitude will not be solitude, poverty will not be poverty, nor weakness weakness.

- Henry David Thoreau -

Hi all,

Interesting discussion.

Regarding offices that want to process credit cards: If the campus police wanted to let students pay fines by credit cards we would probably help them to get a phone line for the credit card machine. We would keep the transactions off the campus network.

Like I mentioned, it helps to have a Financial Services team that understands and supports the need for simplifying PCI compliance.

Thanks,

Fred


