CoSN Community


PCI DSS compliance

  • 1.  PCI DSS compliance

    Posted 12-11-2018 16:53
    Hi,

    How is everyone handling the explosion of credit card readers attached to their networks? The majority of the time we only find out about these devices after the fact. Trying to get a handle on the risk level for the District from these transactions over our network.

    Thanks in advance

    ------------------------------
    Alan Cunningham
    Information Security Officer
    Washoe County School District
    Reno NV
    (775) 789-3400
    ------------------------------


  • 2.  RE: PCI DSS compliance

    Posted 12-12-2018 09:41

    We don't permit them because we are not PCI compliant.

    Thanks,

    George

    ------------------------------
    George Frazier, M.Ed., CISSP
    Director of Information Systems
    Lower Merion School District
    301 E. Montgomery Avenue
    Ardmore, PA 19003
    Phone: 610-645-1925 Email: frazier@lmsd.org
    ------------------------------

  • 3.  RE: PCI DSS compliance

    Posted 12-13-2018 07:56
    Do you have the credit card readers segregated on a separate VLAN? When I was in a school we implemented that as part of the PCI Compliance process.

    ------------------------------
    Susan Bearden
    Chief Innovation Officer
    Consortium for School Networking
    sbearden@cosn.org
    ------------------------------



  • 4.  RE: PCI DSS compliance

    Posted 12-12-2018 11:15
    As a former cybersecurity specialist for a retail company, one of the biggest things we did to become PCI compliant was to purchase card readers that encrypt the data at the card reader, and keep it encrypted all the way to the payment processor.  Only the payment processor had the encryption keys, so our company did not see, transmit, or store any unencrypted cardholder data.  This method kept the data secure, drastically reduced the scope of the audit, and made compliance much easier.  You'll also want to ask for the SOC reports of the card reader manufacturer to ensure they have passed their security audits.  I hope that helps.

    ------------------------------
    James Costello
    Security Specialist
    Cypress-Fairbanks ISD
    Houston TX
    (832) 214-9799
    ------------------------------
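
The segmentation and scope-reduction points made in the replies above (a dedicated card-reader VLAN, cardholder data flowing only to the payment processor) can be turned into a routine check over network flow records, which also addresses the "we only find out after the fact" problem in the original question. The following Python is an added example, not code from the thread or from any of the posters, and everything in it is a constructed assumption: 10.50.0.0/24 stands for the reader VLAN, 203.0.113.10 (a TEST-NET-3 documentation address) for the processor gateway, the flow-record format is invented, and the inventory is a placeholder. It flags reader traffic that goes anywhere other than the processor, connections opened into the VLAN from outside, and reader addresses that are not yet in the inventory.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed example policy (not from the thread): card readers sit on their
# own VLAN and may only initiate TCP/443 to the payment processor gateway.
CARD_READER_VLAN = ipaddress.ip_network("10.50.0.0/24")
PROCESSOR_GATEWAYS = {ipaddress.ip_address("203.0.113.10")}  # placeholder (TEST-NET-3)
ALLOWED_EGRESS_PORTS = {443}

# Constructed asset inventory: the readers the district already knows about.
KNOWN_READERS = {
    ipaddress.ip_address("10.50.0.21"),
    ipaddress.ip_address("10.50.0.22"),
    ipaddress.ip_address("10.50.0.23"),
}

# Constructed connection-initiation records: "<src> <dst> <proto>/<dport>".
SAMPLE_FLOWS = """
# src            dst            service
10.50.0.21       203.0.113.10   tcp/443
10.50.0.22       203.0.113.10   tcp/443
10.50.0.23       10.10.4.15     tcp/445
10.10.4.15       10.50.0.21     tcp/22
10.50.0.24       198.51.100.7   tcp/443
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse the constructed record format, skipping blank and comment lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, service = line.split()
        proto, dport = service.split("/")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport)))
    return flows


def segmentation_violations(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every record that breaks the reader-VLAN policy."""
    findings = []
    for f in flows:
        src_is_reader = f.src in CARD_READER_VLAN
        dst_is_reader = f.dst in CARD_READER_VLAN
        if src_is_reader:
            # A reader may only talk to the processor gateway over TCP/443.
            egress_ok = (f.dst in PROCESSOR_GATEWAYS
                         and f.proto == "tcp"
                         and f.dport in ALLOWED_EGRESS_PORTS)
            if not egress_ok:
                findings.append((f, "reader traffic to a non-processor destination"))
        elif dst_is_reader:
            # Nothing outside the VLAN should be opening connections to a reader.
            findings.append((f, "inbound connection to a card reader"))
    return findings


def unknown_readers(flows: Iterable[Flow]) -> Set[ipaddress.IPv4Address]:
    """Reader-VLAN addresses that sent traffic but are missing from the inventory."""
    seen = {f.src for f in flows if f.src in CARD_READER_VLAN}
    return seen - KNOWN_READERS


def audit(text: str = SAMPLE_FLOWS) -> Tuple[List[Tuple[Flow, str]], Set[ipaddress.IPv4Address]]:
    """Run both checks over a block of flow records."""
    flows = parse_flows(text.splitlines())
    return segmentation_violations(flows), unknown_readers(flows)


if __name__ == "__main__":
    violations, unknown = audit()
    for f, reason in violations:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {reason}")
    for addr in sorted(unknown):
        print(f"{addr}: reader not in inventory")
```

Run against the constructed records, the check reports the reader reaching an internal SMB port, the SSH connection opened into the VLAN, and the reader sending to an address that is not the processor, and it lists 10.50.0.24 as a device nobody has inventoried yet. The same two functions work on any source that can be reduced to source, destination and service, whether that is a firewall log or NetFlow export.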