Educause Security Discussion mailing list archives

Re: PCI- DSS Scope ?

From: Jason Testart <jatestart () UWATERLOO CA>
Date: Fri, 12 Jun 2009 12:40:50 -0400

Bill Badertscher wrote:


Is it correct to conclude that a university identification card becomes
a financial transaction card when an ISO compliant primary account
number is encoded on track 2 by the university to facilitate financial
transactions? Further, do university systems become part of "merchant"
systems by virtue of storing account numbers?

It is not clear to me that outsourcing to a third party for payment
processing exempts a university from PCI-DSS compliance.

I'd be interested in university related case law that addresses the issue.

Many thanks.


Depends who issued the PAN that is encoded into the university
identification card.  Is this a credit card number?

Current thread:

PCI- DSS Scope ? Bill Badertscher (Jun 12)
- <Possible follow-ups>
- Re: PCI- DSS Scope ? Jason Testart (Jun 12)
- Re: PCI- DSS Scope ? Ken Rowe (Jun 12)
- Re: PCI- DSS Scope ? Megan Carney (Jun 15)
- Re: PCI- DSS Scope ? Michael Johnson (Jun 15)
- Re: PCI- DSS Scope ? Allison Dolan (Jun 15)