Home page logo

basics logo Security Basics mailing list archives

PCI Compliance required if outsourcing?
From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Tue, 10 Jun 2008 16:28:35 -0400

Hello PCI experts,

I've seen a lot of info re: PCI on this listserve and was wondering if
someone can help me.  If a company chooses to outsource PCI compliance
to a vendor, what are the PCI regulation requirements?  Specifically, if
a company uses a vendor/outsources for card payment processing what are
the compliance ramifications?  From what I can tell section 12 applies:

"If cardholder data is shared with service providers, then contractually
the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service
provider is responsible for
the security of cardholder data the provider possesses."

Anything else here to be concerned with?


Mark Eggleston
Manager, Security and Business Continuity
Information Services
(215) 991-4388
All the information contained in this electronic communication and
any attachments is intended only for the use of the individual or
entity to which it is addressed. If you are not the intended
recipient, you are hereby notified that you should not disseminate,
distribute or copy any portion of this electronic communication. If
you have received this message in error, please notify the sender
by replying to this email and immediately deleting any and all
copies you may have inadvertently made.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]