Educause Security Discussion mailing list archives
Re: PCI and banks that use Akamai
From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Mon, 14 Jun 2010 15:19:34 -0500
Acquiring banks must report on compliance of all their merchants to the card brands. There are specific reports and formats they have to work with. (Find them on the VISA and MasterCard web properties.) All of these operations will be concerned with the security of PII, a subset is PCI. All merchant account owners and service providers that collect, store or transmit card holder data are subject to the PCI DSS.

As to the relevance of Akamai... it really depends on implementation. It is only a piece of the PCI requirement for a merchant or service provider.

A bigger challenge is the concept of "cloud computing" when someone impacted by PCI does not know where their data is and who has access to it. By definition this means PII too.

Michael Johnson, QSA

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Monday, June 14, 2010 4:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and banks that use Akamai

I would assert that not all online banking applications need to be PCI compliant, as not all online banking environments would necessarily touch CHD (cardholder data). And retail online banking != commercial online banking != acquiring bank, at least not necessarily.

And for the record, acquiring banks don't have to assure that their (level 4 at least - that's my current wheelhouse) merchants are compliant, that's the merchant's contractual obligation. So far as I can tell, to the acquiring bank, a noncompliant merchant is simply another fees-based revenue opportunity.

Best to verify.

-jml
"Daniel, Jack" <jdaniel () CONCORDANT COM> 2010-06-14 14:56 >>>
A lot of banks do "get it" and just about ALL larger banks have to be PCI compliant. It's not just the merchants but the service providers. The banks have to ensure their merchants are compliant as well as ensure that they are compliant as a service provider.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Schiller
Sent: Monday, June 14, 2010 3:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI and banks that use Akamai

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/14/2010 03:33 PM, John Ladwig wrote:
Hm. No reason a bank *would* use a PCI service, regardless of how reasonable a thing that'd be from an infosec perspective. And I think step 1 would still be "understand Akamai's PCI service offering and its relevance to the problem at hand," if it were cited by a bank.
We should also be a bit careful here. In general PCI is all about accepting credit cards as a form of payment. In particular PCI is focused on credit card merchants. It is not really oriented toward banks and generic banking transactions. I am not even sure that a bank has to *be* PCI compliant.

I do not have any familiarity with Akamai's PCI service offerings, but I suspect it is a high performance payment system, probably not a generic "secure" platform.

- From my experience, I would expect that some banks "get it" when it comes to IT security, and others do not. In particular I would be concerned about small credit unions.

-Jeff

- --
========================================================================
Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFMFoVG8CBzV/QUlSsRAm8nAKC6Zi2t8DyJePWHksPazbM/KmgDlwCgjGUN
sZFi+albvWaooDxdJvDt/LA=
=+ayn
-----END PGP SIGNATURE-----