Security Basics mailing list archives

RE: PCI-DSS and MSPs?


From: "Steve Freeman" <freema2 () bellsouth net>
Date: Thu, 18 Dec 2008 08:26:37 -0500

I work for a provider that is PCI compliant. We have two separate
environments; one PCI compliant where all businesses hosted in that
environment are audited by PCI standards, the other environment contains
those businesses hosted that do not have the PCI requirement. You cannot
have businesses that require PCI compliant environments in an environment that
does not meet these requirements, but you can host a business that does not
require the PCI standards to be applied in an environment that is PCI
compliant.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Sheldon Alman
Sent: Wednesday, December 17, 2008 1:46 PM
To: security-basics () securityfocus com
Subject: PCI-DSS and MSPs?

Hello,

I work for a Managed Service Provider who provides service to businesses
who are required to be PCI compliant as well as businesses who are not.

It is my understanding that as an MSP we are required to be PCI
compliant.

Does this mean that we have to follow PCI compliance
procedures/practices with both our PCI and non-PCI customers?  Or do we
only have to adhere to PCI standards when dealing with those customers
who are required to be PCI compliant?

Thanks,




