Principia College (commonly referred to as Principia or Prin) is a private liberal arts college in Elsah, Illinois, United States. A four-year coeducational institution, the college was founded in 1912 by Mary Kimball Morgan, and its stated purpose is “to serve the Cause of Christian Science.” The campus occupies a rural site of 2,500 acres (10 km2) in the Metro East region of Southern Illinois, thirty miles north of St. Louis. Principia is a Tier 4 merchant with 5 merchant IDs at its main campus. It uses a hosted virtual terminal solution, with a staff of 10 processing transactions through the virtual terminal.
Situation
Business Case
isolate the session or protect the workstation and therefore at least 10 out of the 12 PCI requirements still apply. In the case of Principia, they have a small number of agents, distributed across campus and therefore did not feel that they wanted to budget for and manage a large number of controls.
The main objectives of the Head of Compliance were to:
- Achieve compliance
- Reduce scope as much as possible
- Permanently remove network segments from the scope of future assessments
- Reduce complexity
- Remain payment gateway agnostic, so that the provider could be changed at any time without problems or a large financial outlay
Possible Solutions
Principia considered a number of possible solutions:
- Dual Workstations
Prohibitive due to cost, space, and the lack of administrative control needed to ensure the required controls were not only implemented but also managed and testable. This solution is also not user friendly.
- Hypervisor
This requires mixing virtual machines of different trust levels in a mixed-mode environment. As above, without full administrative capability over requirements 2, 5, 6, 10 and 11, it is hard to implement, manage and test appropriately, and it requires a great deal of additional logging.
- Homemade USB key
Device management, network segregation, tampering and removal, on top of the standard administrative workload of patching, logging, etc., made this a solution better suited to home or Internet café browsing than to a locked-down compliance environment.
- Commercial ‘VPN Device’
The devices are secure, portable and reasonably priced, and they enable central configuration, device locking and session clearing. However, a central VPN device is required at additional cost; there are still issues with physical distribution and management of the devices; initial credentials could be captured by a keylogger; and there is no ability to segregate networks in the absence of the VPN device.
- A Commercial Secure Virtual Workspace
Similar to a USB device but software rather than hardware based. However, OS and browser support and updates are a concern, and requirements or needs may not be met in a timely manner. Internal management is still required.
The University IT staff had been evaluating various options for segregating these workstations and had found no financially viable solution to eliminate the need for controls on these workstations and attached networks.
Solution
Outcome
messaging and fax.