Educause Security Discussion mailing list archives
Re: PCI Compliance
From: Bill Ogle <info () COMPLYGUARDNETWORKS COM>
Date: Fri, 23 Mar 2007 10:50:13 -0500
This is NOT a sales pitch. ComplyGuard Networks is a PCI Security Standards Council approved vendor. Please visit http://www.pcisecuritycouncil.org to obtain a copy of the specification directly.

On the surface, the following is absolutely true: if you collect, store, or transmit cardholder data, you are subject to the PCI Data Security Standard. Permit me to unpack this.

First: Getting your own house in order... Think for a moment of all the places where credit cards might be used within the university: bookstore, food services, student fees, tuition, room and board, theater or sporting event box offices. You must be compliant in these areas as well as on the network that carries the cardholder data. A genuine concern should be whether others could access the institution's network. For example, the Rugby club sets up an online location to sell tee-shirts and takes credit cards as a form of payment. The institution is at risk. In our practice we have seen MANY people segment their networks to lower the risk and liability. It's a task, but not an insurmountable one.

Second: Getting your suppliers in order... The spec is very clear that service providers (like the internet service provider or hosting company) must also be compliant. There is a list of compliant service providers at http://usa.visa.com/merchants/risk_management/cisp.html. Also of note is VISA's PABP review of software, including shopping carts. PABP (Payment Association Best Practices) is becoming an important chain in the link of protecting cardholder data. We recommend to all our clients that they use only PABP Approved software.

Finally, the actual liability for compliance lands squarely on the merchant account owner. Most do not realize that someone in their organization signed personally for the merchant account AND, when renewals come up, the agreements all state that the merchant account owner will abide by all security requirements of the card brands.
When a compromise happens, the forensics begins first with the merchant account owner and then moves outward. TJX announced their compromise this year and they, as the merchant, have a problem. Card Systems in Atlanta was a processor that was compromised and is now out of business. They, however, impacted thousands of merchants that needed to find a new processor. These two examples should highlight that everyone in the card chain can and will be held accountable. Again, begin by getting your own house in order. It is the cheapest insurance you can get, and no board of trustees will say no to budgets for PCI Compliance when they find out the real liability of not being compliant.

As always, your questions are welcome.

-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Friday, March 23, 2007 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance

At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:
Hello,

On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
Has anyone had success with achieving compliance to the PCI standard? We've hit some confusion here. If we:
* license software that takes credit card payment over the web
* and the web servers are located on our campus
Aren't we obligated to make sure that the software is "PCI compliant" from the vendor?

All organizations that handle credit card payments in any form (store, forward, accept, etc.) are required to ensure that they, but also all their vendors (the entire chain), are PCI compliant. So, technically, even if your entire organization is secure, but you use non-PCI-compliant software to process credit card payments, you are in violation of the standard.
Here's my understanding, IANAL. PCI requires that you use products and services that are PCI compliant. If you use software, you need to ask the vendor if they are PCI compliant. You also need to ensure that the contract they sign states they are compliant. Beyond that, you have to do nothing. If the vendor is wrong about their compliance, then they have legal issues because of the contract and you should be able to pass the buck. Basically that's what the banks are doing.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
Current thread:
- PCI Compliance Theresa M Rowe (Mar 22)
- <Possible follow-ups>
- Re: PCI Compliance Penn, Blake (Mar 22)
- Re: PCI Compliance Kees Leune (Mar 23)
- Re: PCI Compliance Roger Safian (Mar 23)
- Re: PCI Compliance Lovaas,Steven (Mar 23)
- Re: PCI Compliance Penn, Blake (Mar 23)
- Re: PCI Compliance Bill Ogle (Mar 23)