Educause Security Discussion Mailing List

Securing networks and computers in an academic environment.

List Archives

Year    Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2014        284       300        62
2013        442       329       240       262
2012        674       408       280       247
2011        428       358       478       392
2010        825       660       728       388
2009        759       751       657       702
2008        596       624       430       484
2007        446       520       301       516
2006        536       473       507       498
2005        409       416       431       349
2004        495       359       552       336
2003        147       163       405       234
2002      48755 (quarter breakdown not separable in the archive listing)

Latest Posts

Re: PCI - Third party vendors Aube, Jane M. (Jul 25)
Blake,

I would agree with your conclusion. Our QSA firm has provided us with the same information as you imparted below (and
for those wondering, it is not TrustWave). It seems with V3.0 the significance of the Merchant Account holder may not
be the determining factor and more emphasis seems to be put on the components and services that could impact cardholder
data.

It will be interesting to see how different QSA firms interpret Third...

Re: PCI - Third party vendors Robert Lau (Jul 25)
When there is a breach… in addition to the negative publicity, you will lose the trust of your students, faculty and
staff because as Peter said, they bought their coffee at your university. Granted, our customers are more captive than
Target’s, but the blowback is just as painful. They will ask questions like “You knew that vendor wasn’t safe but yet
you still let us buy from them?” Deflection of responsibility, however legally...

Re: PCI - Third party vendors Blake Penn (Jul 25)
Mike,

I’m not sure that we actually disagree – when I say “compliance requirements” these are in the eyes of the PCI
Industrial Complex, not you or your lawyers, or my personal view, etc. – hence the “enforcement” blurb. Just letting
you guys know how the “system” views this issue.

Blake Penn CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART SECURITY ON...

Re: PCI - Third party vendors Peter Setlak (Jul 25)
Mike, good point. If you accept Visa or MC, at some point, you signed
something with someone that said you will (reasonably) comply no matter how
fine the print was.

It is always key to remember that the PCI-DSS standard extends beyond the
technology and into the land of paper... A great way for a merchant to
protect their customer's CHD is to use terminals that encrypt the data upon
swipe (or key entry) and transmits the data directly to...

Re: PCI - Third party vendors Blake Penn (Jul 25)
Mike,

General rule - Internet infrastructure itself gets a pass on the standard (that is, ISPs do not require mandatory
treatment as PCI DSS SPs) - at least so far. Probably due to the impractical nature of the alternative.

Again, talk with your QSA and/or acquirer for advice about your specific case, though.

Blake Penn CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART...

Re: PCI - Third party vendors David James Anderson (Jul 25)
Agreement with the legal waters bit. I’ll still add what we found in our experience so far with PCI compliance
in conjunction with our QSA.

We have similar operations going on with a third party operating foodservice venues within our campus buildings and
network. For our compliance status, it came down to who owned the merchant IDs. In essence, our goal is to be able to
accurately and truthfully fill out SAQs for all of the...

Re: PCI - Third party vendors Emery Rudolph (Jul 25)
No matter how many entities are involved in the chain of process that makes up your PCI transactional flow, there are
really only two:

1) The customer

2) You as their vendor.

It doesn’t matter how many subcontractors there are in the mix, you are ultimately responsible for securing “your”
customers' data and thus you bear the responsibility for vetting proper PCI compliance from your vendor on down the line.

You will not...

Re: PCI - Third party vendors Brad Judy (Jul 25)
PCI-DSS is a contractual arrangement from the card brands via banks to merchants. If you are not in that contractual
loop, how is there a compliance requirement?

Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake
Penn
Sent: Friday, July 25, 2014 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors

Craig,

The fact that they...

Re: PCI - Third party vendors Mike Chapple (Jul 25)
That's a very important point, Joel. No matter who is responsible from a
contractual perspective, it is the big-name institution that will be in the
newspaper headline.

Mike

Re: PCI - Third party vendors Joel L. Rosenblatt (Jul 25)
+1

The general rule is that if you don't own the MID, it's not your
problem - that doesn't mean that you may not get blowback in the way
of reputational damage, but the banks can't come after you.

IANAL

Joel

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key...

Re: PCI - Third party vendors Theresa Semmens (Jul 25)
I concur with Mike and Oscar. You are treading into legal waters - best to bring your lifejacket (general counsel)
when doing that.

Theresa

Theresa Semmens, CISA
NDSU Chief IT Security Officer
Office: 210D IACC
Mail: NDSU Dept 4500
PO Box 6050
Fargo, ND 58108-6050
P: 701-231-5870
F: 701-231-8541
E: Theresa.Semmens () ndsu edu
www.ndsu.edu/its/security

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [...

Re: PCI - Third party vendors Oscar Knight (Jul 25)
Exactly, "PCI DSS is a contractual obligation". I assume none
of us are lawyers, neither are QSAs. If there is a risk and
in particular a risk with respect to a contract then you
should contact university counsel.

Oscar

Re: PCI - Third party vendors Mike Chapple (Jul 25)
Blake,

Respectfully, I disagree with the conclusion that you've reached.

The important point is that PCI DSS is a contractual obligation, not a law.
The only way that you can become subject to a contractual obligation is to
voluntarily accept it by signing a contract. If it were true that "Any
entity that processes, stores, or transmits CHD must comply with the
standard," it would be forcing entities who are not a party to the...

Re: PCI - Third party vendors Mike Cunningham (Jul 25)
Blake, Your assessment of this makes me think that my campus ISP must also fall under the need to be compliant with all
PCI-DSS requirements, because our college accepts credit cards. As a merchant, when I do my PCI-DSS reporting to my
acquirer, should I be asking my ISP for their PCI-DSS compliance documentation?

Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology

From: The EDUCAUSE Security...

Re: PCI - Third party vendors Blake Penn (Jul 25)
Craig,

The fact that they are an external entity does not obviate your PCI DSS compliance. Any entity that processes, stores,
or transmits CHD must comply with the standard. The nuance here is that you don’t have an associated MID (since they
are a third party) and therefore no associated acquirer relationship/contractual compliance obligations. This changes
your *enforcement/validation* requirements (there are none) but not your actual...
