mailing list archives
PCI Compliance required if outsourcing?
From: "Eggleston, Mark" <meggleston () healthpart com>
Date: Tue, 10 Jun 2008 16:28:35 -0400
Hello PCI experts,
I've seen a lot of info re: PCI on this listserve and was wondering if
someone can help me. If a company chooses to outsource PCI compliance
to a vendor, what are the PCI regulation requirements? Specifically, if
a company uses a vendor/outsources for card payment processing what are
the compliance ramifications? From what I can tell section 12 applies:
"If cardholder data is shared with service providers, then contractually
the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service
provider is responsible for
the security of cardholder data the provider possesses."
Anything else here to be concerned with?
Manager, Security and Business Continuity
All the information contained in this electronic communication and
any attachments is intended only for the use of the individual or
entity to which it is addressed. If you are not the intended
recipient, you are hereby notified that you should not disseminate,
distribute or copy any portion of this electronic communication. If
you have received this message in error, please notify the sender
by replying to this email and immediately deleting any and all
copies you may have inadvertently made.
- PCI Compliance required if outsourcing? Eggleston, Mark (Jun 11)