Educause Security Discussion mailing list archives

Re: PCI - Third party vendors


From: Brad Judy <brad.judy () CU EDU>
Date: Thu, 24 Jul 2014 20:50:08 +0000

If they hold the merchant account, and they are treating your network like the internet (untrusted, public network), 
then they are responsible for ensuring both their compliance and that their data is properly protected before reaching 
your network.

However, if they are not treating your network like the public internet, then you could be considered a PCI service 
provider to them and you would need an agreement about who handles what aspects of security and would have to figure 
out your side of PCI compliance.

These arrangements can be fairly simple if you are just their ISP and not managing their internal networking.  They 
would typically have their own switch and SOHO type firewall to segment themselves from your network, only sending out 
the encrypted connection to the payment gateway/processor.  If you had a big chain coming on site, they would likely 
have done this approach before.

That said, a local coffee shop might not understand PCI-DSS and might not have a plan like that.

Brad Judy

Director of UIS Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

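As an added example (not from this thread or from either poster), a small Python check of the segmentation arrangement described above: hosts in the vendor's own segment may only open TLS connections to the payment gateway, and nothing on the campus side may initiate connections into that segment. The segment, gateway address and flow-log format are constructed placeholders, not values from the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed, assumed values: the vendor's segment behind its own SOHO firewall,
# and the one payment gateway it is permitted to reach over TLS.
VENDOR_SEGMENT = ipaddress.ip_network("10.50.7.0/24")
PAYMENT_GATEWAY = ipaddress.ip_address("203.0.113.10")  # documentation range, not a real processor
ALLOWED_PORTS = {443}

Flow = namedtuple("Flow", "src dst proto dport")

def parse_flow(line):
    """Parse one constructed flow-log line of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))

def violates_policy(flow):
    """Return a reason string if the flow breaks the segmentation policy, else None."""
    src_in = flow.src in VENDOR_SEGMENT
    dst_in = flow.dst in VENDOR_SEGMENT
    if src_in and dst_in:
        return None  # traffic inside the vendor segment is the vendor's own concern
    if src_in:
        if flow.proto == "tcp" and flow.dst == PAYMENT_GATEWAY and flow.dport in ALLOWED_PORTS:
            return None
        return "vendor egress outside the payment-gateway allowlist"
    if dst_in:
        return "inbound connection into the vendor segment from the campus side"
    return None  # flows not touching the vendor segment are out of scope here

def audit(lines):
    """Return [(line, reason)] for every flow that the segmentation should have blocked."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        reason = violates_policy(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample flow records for the demonstration.
SAMPLE_FLOWS = """\
10.50.7.21 203.0.113.10 tcp 443
10.50.7.21 10.50.7.1 udp 53
10.50.7.22 198.51.100.5 tcp 80
10.50.7.22 203.0.113.10 udp 443
10.20.3.9 10.50.7.21 tcp 22
10.20.3.9 198.51.100.5 tcp 443
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{reason}: {line}")
```

Run against real flow or firewall logs, any finding is either a gap in the vendor's firewall or traffic that belongs in the written agreement about who secures what.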


From: Drake, Craig <c-drake () NEIU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, July 24, 2014 2:30 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library.  They are completely run by an external entity not associated with 
the university.  They want to connect their terminals to our university network (possibly wireless) to transmit their 
credit card transactions.  What do we need to be concerned with in terms of PCI compliance with them running this 
through our networks?

Thank you,
-Craig

Craig Drake

University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu

www.neiu.edu
