Educause Security Discussion Mailing List

Securing networks and computers in an academic environment.

Latest Posts

Re: PCI - Third party vendors Aube, Jane M. (Jul 25)

I would agree with your conclusion. Our QSA firm has provided us with the same information as you imparted below (and
for those wondering, it is not TrustWave). It seems with V3.0 the significance of the Merchant Account holder may not
be the determining factor and more emphasis seems to be put on the components and services that could impact cardholder

It will be interesting to see how different QSA firms interpret Third...

Re: PCI - Third party vendors Robert Lau (Jul 25)
When there is a breach… in addition to the negative publicity, you will lose the trust of your students, faculty and
staff because as Peter said, they bought their coffee at your university. Granted, our customers are more captive than
Target’s, but the blowback is just as painful. They will ask questions like “You knew that vendor wasn’t safe but yet
you still let us buy from them?” Deflection of responsibility, however legally...

Re: PCI - Third party vendors Blake Penn (Jul 25)

I’m not sure that we actually disagree – when I say “compliance requirements” these are in the eyes of the PCI
Industrial Complex, not you or your lawyers, or my personal view, etc. – hence the “enforcement” blurb. Just letting
you guys know how the “system” views this issue.

Blake Penn CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART SECURITY ON...

Re: PCI - Third party vendors Peter Setlak (Jul 25)
Mike, good point. If you accept Visa or MC, at some point, you signed
something with someone that said you will (reasonably) comply no matter how
fine the print was.

It is always key to remember that the PCI-DSS standard extends beyond the
technology and into the land of paper... A great way for a merchant to
protect their customer's CHD is to use terminals that encrypt the data upon
swipe (or key entry) and transmits the data directly to...

Re: PCI - Third party vendors Blake Penn (Jul 25)

General rule - Internet infrastructure itself gets a pass on the standard (that is, ISPs do not require mandatory
treatment as PCI DSS SPs) - at least so far. Probably due to the impractical nature of the alternative.

Again, talk with your QSA and/or acquirer for advice about your specific case, though.

Blake Penn CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART...

Re: PCI - Third party vendors David James Anderson (Jul 25)
Agreement with the legal waters bit. I’ll still add what we found in our experience so far with PCI compliance in
conjunction with our QSA.

We have similar operations going on with a third party operating foodservice venues within our campus buildings and
network. For our compliance status, it came down to who owned the merchant IDs. In essence, our goal is to be able to
accurately and truthfully fill out SAQs for all of the...

Re: PCI - Third party vendors Emery Rudolph (Jul 25)
No matter how many entities are involved in the chain of process that makes up your PCI transactional flow, there are
really only two:

1) The customer

2) You as their vendor.

It doesn’t matter how many subcontractors there are in the mix, you are ultimately responsible for securing “your”
customers’ data and thus you bear the responsibility for vetting proper PCI compliance from your vendor on down the line.

You will not...

Re: PCI - Third party vendors Brad Judy (Jul 25)
PCI-DSS is a contractual arrangement from the card brands via banks to merchants. If you are not in that contractual
loop, how is there a compliance requirement?

Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake
Sent: Friday, July 25, 2014 8:54 AM
Subject: Re: [SECURITY] PCI - Third party vendors


The fact that they...

Re: PCI - Third party vendors Mike Chapple (Jul 25)
That's a very important point, Joel. No matter who is responsible from a
contractual perspective, it is the big-name institution that will be in the
newspaper headline.


Re: PCI - Third party vendors Joel L. Rosenblatt (Jul 25)

The general rule is that if you don't own the MID, it's not your
problem - that doesn't mean that you may not get blowback in the way
of reputational damage, but the banks can't come after you.



Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
Public PGP key...

Re: PCI - Third party vendors Theresa Semmens (Jul 25)
I concur with Mike and Oscar. You are treading into legal waters - best to bring your lifejacket (general counsel)
when doing that.


Theresa Semmens, CISA
NDSU Chief IT Security Officer
Office: 210D IACC
Mail: NDSU Dept 4500
PO Box 6050
Fargo, ND 58108-6050
P: 701-231-5870
F: 701-231-8541
E: Theresa.Semmens () ndsu edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [...

Re: PCI - Third party vendors Oscar Knight (Jul 25)
Exactly, "PCI DSS is a contractual obligation". I assume none
of us are lawyers, neither are QSAs. If there is a risk and
in particular a risk with respect to a contract then you
should contact university counsel.


Re: PCI - Third party vendors Mike Chapple (Jul 25)

Respectfully, I disagree with the conclusion that you've reached.

The important point is that PCI DSS is a contractual obligation, not a law.
The only way that you can become subject to a contractual obligation is to
voluntarily accept it by signing a contract. If it were true that "Any
entity that processes, stores, or transmits CHD must comply with the
standard," it would be forcing entities who are not a party to the...

Re: PCI - Third party vendors Mike Cunningham (Jul 25)
Blake, your assessment of this makes me think that my campus ISP must also fall under the need to be compliant with all
PCI-DSS requirements, because our college accepts credit cards. As a merchant, when I do my PCI-DSS reporting to my
acquirer, should I be asking my ISP for their PCI-DSS compliance documentation?

Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology

From: The EDUCAUSE Security...

Re: PCI - Third party vendors Blake Penn (Jul 25)

The fact that they are an external entity does not obviate your PCI DSS compliance. Any entity that processes, stores,
or transmits CHD must comply with the standard. The nuance here is that you don’t have an associated MID (since they
are a third party) and therefore no associated acquirer relationship/contractual compliance obligations. This changes
your *enforcement/validation* requirements (there are none) but not your actual...
