Main Nav

Posted by taylorjm on April 4, 2012
Wondering if anyone has a policy or risk assessment on use of their college network (wired port, routing, and Internet connection) by 3rd party vendors for transmission of encrypted credit and debit card transactions. We've got a vendor who wants to set up a "self service" cafe in our Library. Students would swipe their credit/debit card on their equip, and presto, they get a sandwich out of a machine. The vendor wants us to provide a wired connection to the Internet for their machine. We feel the vendor should pay for their own separate ISP connection and wired pathway, but wondered if others have a risk assessment, policy, SLA, data, or advice on it.
 
Thanks in advance for any input,
- John
 
John Taylor
Dean of Information Technology
                                                     

    Cayuga Community College

    197 Franklin Street, Auburn, NY, 13021-3099

    315.294.8520  x2220

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

John,

We don't have a formal policy, but our practice is consistent to what you described.  We have a few vendors on campus with similar network needs.  We provide them with a circuit on campus, but they need to connect it to an independent provider of some sort.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


Posted by: jmoreau on April 4, 2012
John,

Good afternoon. We tell vendors that we do not allow credit card numbers on our campus network, period. We will not provide them drops from the campus network if it is going to involve transmitting credit card data. We suggest that they either use a 3G or 4G wireless connection, or we will help them obtain their own wired Internet access that does not run on the campus network.

As an example, last year we outsourced the campus bookstore to Barnes and Noble. They installed their own T1 connection for the bookstore for their credit card transactions.

Fortunately, we have the good fortune of working with a Financial Services team that supports our stance with regard to PCI compliance: no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

Good luck.

Fred

From: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Wed, 4 Apr 2012 04:04:49 -0400
To: <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: [CIO] Vendors and network use risk for credit card/EFT transactions

Wondering if anyone has a policy or risk assessment on use of their college network (wired port, routing, and Internet connection) by 3rd party vendors for transmission of encrypted credit and debit card transactions. We've got a vendor who wants to set up a "self service" cafe in our Library. Students would swipe their credit/debit card on their equip, and presto, they get a sandwich out of a machine. The vendor wants us to provide a wired connection to the Internet for their machine. We feel the vendor should pay for their own separate ISP connection and wired pathway, but wondered if others have a risk assessment, policy, SLA, data, or advice on it.
 
Thanks in advance for any input,
- John
 
John Taylor
Dean of Information Technology
                                                     

    Cayuga Community College

    197 Franklin Street, Auburn, NY, 13021-3099

    315.294.8520  x2220

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: fmiller on April 4, 2012
Message from mike.cunningham@pct.edu

Fred, what would you do if the college owned the vending equipment in question or ran your own bookstore? I think I would agree that no 3rd party be allowed to use your campus network for profit, but what if your Campus Police office wanted to let students pay fines using a credit card. Would you not allow them to do that?

 

Posted by: listserv-anon on April 4, 2012

Ø  …  no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

 

We don’t store credit card numbers, and our credit card processing is through a third party vendor – the same way most schools do it these days, I suspect.  So my obvious question is about the verb “transmit”.  If a student wanted to register for classes and then pay tuition and fees from on campus, would you tell them they had to go off campus to pay tuition and fees because they weren’t allowed to “transmit” a credit card number over the campus network?  And if so, what technical means would you have on campus to prevent them from doing so?  And in any case, wouldn’t such “transmission” be over https and so wouldn’t be in clear text?

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: jbryan on April 4, 2012
F
--
Kamran Khan
Rice University
Vice Provost for Information Technology
Mudd Building - MS 119
PO Box 1892
Houston TX 77251-1892

Voice: 713.348.3500
fax: 713.348.3501
kamran@rice.edu
www.rice.edu
From: "Bryan, Jerry" <jbryan@PSTCC.EDU>
Sender: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Wed, 4 Apr 2012 15:39:34 -0400
To: <CIO@LISTSERV.EDUCAUSE.EDU>
ReplyTo: The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [CIO] Vendors and network use risk for credit card/EFT transactions

Ø  …  no credit card numbers are transmitted, or stored, on the campus network, or campus servers for that matter.

 

We don’t store credit card numbers, and our credit card processing is through a third party vendor – the same way most schools do it these days, I suspect.  So my obvious question is about the verb “transmit”.  If a student wanted to register for classes and then pay tuition and fees from on campus, would you tell them they had to go off campus to pay tuition and fees because they weren’t allowed to “transmit” a credit card number over the campus network?  And if so, what technical means would you have on campus to prevent them from doing so?  And in any case, wouldn’t such “transmission” be over https and so wouldn’t be in clear text?

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: RiceUniversity on April 4, 2012
I am with Fred on this one. If the credit card, encrypted or not, intercepted and cracked - no encryption is unbeatable, the university might have some liability if the card owner takes legal action or just wants to make a stink. Another consideration is that the vendor's system would be off-line in the event of network down time for whatever reason be scheduled, utility failure, corrupted config. Lots of ways for a net to go down.

A T-1 connection is not that expensive and is totally under the vendor's control, especially if the demarc is placed such that no university wiring is used. However, we have used our cable to extend" the demarc across campus.

If someone on campus is championing this installation and they are powerful, it may be moot.

As my momma used to say, "better to be safe than sorry."

Bob Paver

As you simplify your life, the laws of the universe will be simpler; solitude will not be solitude, poverty will not be poverty, nor weakness weakness.

- Henry David Thoreau -

Posted by: paver on April 4, 2012
Hi all,

Interesting discussion.

Regarding offices that want to process credit cards: If the campus police wanted to let students pay fines by credit cards we would probably help them to get a phone line for the credit card machine. We would keep the transactions off the campus network.

Like I mentioned, it helps to have a Financial Services team that understands and supports the need for simplifying PCI compliance.

Thanks,

Fred



Posted by: fmiller on April 5, 2012
Post a Comment

Research and Publications

Conferences and Events

Career Development

Focus Areas and Initiatives

Connect and Contribute

About EDUCAUSE

Close

 


Current Issue
March/April 2013
EDUCAUSE Review

Publications

Research

Close


Annual Conference
October 15–18, 2013
Save the date!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

See All Events

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center

Find or Post a Job

Leadership and Management Programs

EDUCAUSE Institute
Advanced Programs
Project Management

 

Fellowships and Awards

Fellowships
Awards Programs

Getting Involved

Mentoring
Volunteer
Speak at an Event

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

Advance Your Career

 

Close

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

 

Enterprise and Infrastructure

Enterprise and
Infrastructure

Policy and Security

Policy and
Security

Teaching and Learning

Teaching and
Learning

 

Join These Programs If Your Focus Is

Close

From the Blogs
The Role of Campus Leadership in Ensuring IT Accessibility
by
Diana Oblinger

Find Others

Share Ideas

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

Create Your Profile

 

Close

2013 Strategic Priorities

  • Connected Learning
  • Enterprise IT
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.
 

Discover Membership