Cornell University
Office of the Treasurer

Network Requirements

Units that are maintaining a network and system architecture used to process credit card transactions must complete a diagram or description of the PCI-related environment being used.

The diagram or description must include the following information:

  • What systems are in the PCI environment, including servers, desktops, and networking gear.
  • What applications are running. Include servers, like Web servers or ssh servers, as well as specific applications that might run on those servers, such as a shopping cart product that runs in the Web server.
  • Where the credit card data is stored, how it is stored, and how it is encrypted.
  • What path the credit card data takes as it is processed.
  • What connections can be made into and out of the PCI environment. Indicate specific protocols being used.
  • Where any firewalls, intrusion detection systems (IDSs), or other hardware connect into the environment.

Connecting to the CIT PCI-Compliant Network

To assist units in creating a compliant network infrastructure, CIT maintains a PCI-compliant network that satisfies many of the network-based PCI requirements. Units running systems that must be PCI-compliant logically route those systems through the network's central security server, which enforces the necessary PCI rules on the devices and on all traffic to and from them. To connect to the security server, each unit purchases a small virtual private networking (VPN) device that CIT configures to create a private network between the device and the central security server. Because the tunnel is established by the VPN device, such private networks can be deployed anywhere on the Cornell campus or on the Internet; remote offices or traveling staff members can deploy the device wherever they are. Any system that handles cardholder data, from point-of-sale systems to desktop systems to Web servers, must reside behind one of these VPN devices.

Required Documentation

Each unit is required to create and maintain documentation that is specific to the unit: its network and firewall configuration, its business practices and procedures, and the list of authorized personnel involved in any facet of credit card operations. This documentation must be shared with the employees concerned and updated whenever changes occur. Detailed documentation is a critical component of compliance and an essential tool should a breach occur.

Maintaining Audit Trails and Logging

Units connecting to CIT's Central PCI-Compliant Network must do the following:

  • Perform a yearly inventory of all storage media, and keep a log documenting that inventory
  • Maintain a visitor log to keep a physical audit trail of visitor activity. The log must document the visitor's name, their affiliation, and the employee authorizing physical access. This log must be retained for a minimum of three months.
  • Keep automated audit trails for all system components, reconstructing the following events:
    • All individual accesses to cardholder data
    • All actions taken by any individual with root or administrative privileges
    • Access to all audit trails
    • Invalid logical access attempts
    • Use of identification and authentication mechanisms
    • Initialization of the audit logs 
    • Creation and deletion of system-level objects
  • Record the following audit trail entries for all system components for each audit event:
    • Identity or name of affected data, system component, or resource
    • Origination of event
    • Success or failure indication
    • Date and time
    • Type of event
    • User identification
  • Synchronize all system clocks and times, so that events from different components can be correlated by timestamp
  • Secure audit trails so they cannot be altered without proper authorization, and limit access to audit trails only to those with a job-related need to access them
  • Write and back up audit logs to centralized log servers or media
  • Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (though new data being added to the log will not cause an alert)
  • Review all logs at least daily, including logs for all components of the PCI infrastructure
  • Retain audit trail histories for at least one year, with a minimum of three months immediately available for analysis
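The logging requirements above (the event categories to capture, the fields each entry must carry, and change detection that alerts on altered log data but not on appended data) can be checked mechanically. The following is an added example, not code from the Treasurer's page or from CIT: it parses a constructed JSON-lines audit log, reports entries missing required fields, reports event categories the log cannot reconstruct, and verifies a SHA-256 hash chain over the entries so that modifying or truncating existing entries is detected while new appended entries are not an alert. The field names, event-type names, and sample log lines are assumptions made for the illustration.

```python
"""Added example (not CIT's tooling): check PCI audit log entries and detect
tampering with existing log data via a hash chain."""
import hashlib
import json

# Fields every audit entry must carry (names are assumed for this example).
REQUIRED_FIELDS = {"timestamp", "user", "event_type", "origin", "outcome", "target"}

# Event categories the audit trail must be able to reconstruct (names assumed).
REQUIRED_EVENT_TYPES = {
    "cardholder_data_access",   # individual accesses to cardholder data
    "privileged_action",        # actions by root/administrative users
    "audit_trail_access",       # access to the audit trails themselves
    "invalid_access_attempt",   # failed logical access attempts
    "authentication",           # use of identification/authentication mechanisms
    "audit_log_init",           # initialization of the audit logs
    "system_object_change",     # creation/deletion of system-level objects
}

# Constructed sample log, one JSON object per line. The last line deliberately
# omits the "target" field so the field check has something to report.
SAMPLE_LOG = """\
{"timestamp":"2022-03-01T08:02:11Z","user":"jdoe","event_type":"authentication","origin":"10.20.30.5","outcome":"success","target":"pos-01"}
{"timestamp":"2022-03-01T08:05:40Z","user":"jdoe","event_type":"cardholder_data_access","origin":"10.20.30.5","outcome":"success","target":"txn-db"}
{"timestamp":"2022-03-01T08:07:02Z","user":"root","event_type":"privileged_action","origin":"console","outcome":"success","target":"pos-01"}
{"timestamp":"2022-03-01T08:09:15Z","user":"mallory","event_type":"invalid_access_attempt","origin":"198.51.100.7","outcome":"failure"}
"""


def parse_entries(text):
    """Parse JSON lines; malformed lines are reported, not silently dropped."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            problems.append((lineno, "unparseable line"))
    return entries, problems


def missing_fields(entry):
    """Required fields absent from one entry, sorted for stable reporting."""
    return sorted(REQUIRED_FIELDS - entry.keys())


def uncovered_event_types(entries):
    """Required event categories that never appear in the log."""
    seen = {e.get("event_type") for e in entries}
    return sorted(REQUIRED_EVENT_TYPES - seen)


def chain_digests(entries):
    """Hash chain: each digest covers the canonical entry plus the previous
    digest, so altering any earlier entry changes every later digest."""
    digests, prev = [], b""
    for e in entries:
        canon = json.dumps(e, sort_keys=True, separators=(",", ":")).encode()
        prev = hashlib.sha256(prev + canon).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(entries, stored_digests):
    """Compare the current chain with a previously stored one.
    Extra trailing entries are normal appends, not an alert; a shorter
    chain means truncation and a mismatch means an existing entry changed."""
    current = chain_digests(entries)
    if len(current) < len(stored_digests):
        return False, "log truncated"
    for i, (now, before) in enumerate(zip(current, stored_digests)):
        if now != before:
            return False, f"entry {i} altered"
    return True, f"ok, new entries: {len(current) - len(stored_digests)}"


if __name__ == "__main__":
    entries, problems = parse_entries(SAMPLE_LOG)
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
    for i, e in enumerate(entries):
        if missing_fields(e):
            print(f"entry {i} missing fields: {missing_fields(e)}")
    print("uncovered event types:", uncovered_event_types(entries))
    stored = chain_digests(entries[:3])          # digests saved at last review
    print("after append:", verify_chain(entries, stored))
    tampered = [dict(e) for e in entries]
    tampered[1]["user"] = "root"                   # rewrite an old entry
    print("after tampering:", verify_chain(tampered, stored))
```

The stored digests must live somewhere the logged host cannot rewrite, for example on the centralized log server the list above requires; a chain kept beside the log it protects can be recomputed by anyone who can edit the log. The same check also shows why clock synchronization matters: the timestamps are what lets entries from the point-of-sale terminal, the Web server, and the firewall be placed in one sequence during review.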

Monitoring and Testing the Network

System activity logs are critical in preventing, detecting, or minimizing the impact of a data compromise. Logs must be reviewed daily, at a minimum. Audit trail history must be retained for one year, with a strong recommendation that the most recent quarter be immediately available for analysis in the event of a compromise.

Office of the Treasurer

260 Day Hall
Ithaca, NY 14853

CONTACT US

Email:  treasurer@cornell.edu
Wires/Payments: cashmanagement@cornell.edu
Hours: 8:00 a.m. - 5:00 p.m., Monday - Friday

©2022 Cornell University