Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: PCI Compliance for external e-commerce vendors
From: "j.price" <j.price () DOMAIL MARICOPA EDU>
Date: Mon, 12 Feb 2007 16:13:10 -0700

Kim,

When you are using a third party vendor,  you request verification from
them that they are PCI compliant. We request that of our vendors and
make sure there is language in our contract that states who is
responsible if there is a breach.

Janet

Kim Cary wrote:

Hi folks,

I'm trying to settle what we should do for PCI compliance with big
external e-commerce vendors, e.g. Verisign.

PCI compliance scanning:
Do you scan their site (as you would an internal one)? Seems like a
violation of their terms.
Do you scan the page you use to link to them (the one with NO CC
inputs)?

PCI compliance documentation:
Are you certifying PCI compliance for the external e-commerce vendor
if the only thing you are getting back from them is the masked CCN &
a transaction ID?

Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655


--
Janet Price
Maricopa Online
Student Self Services
2411 W 14th St
Tempe Arizona, 85281
(480)731-8730

100 years from now, it will not matter what my bank account was, how big my house was, or what kind of car I drove. But 
the world may be a little better, because I was important, in the life of a child.
-Forest Witcraft

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]