Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: PCI Compliance for external e-commerce vendors
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 13 Feb 2007 08:10:32 -0500

Agree with the other post - ask for their certificate of compliance, or check them out on the Visa web site -

http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Some vendors will just say they are on the list, and they don't have an actual certificate.  This list shows the List 
of Compliant Service Providers, and from that you can confirm that a firm is compliant.  TouchNet, for example, with 
its strong presence in higher ed is on this list.

We also write into our contracts that the vendor will provide a statement or certificate of compliance on request, or 
periodically (annually) to our risk management area, and that the vendor will maintain compliance for the life of the 
contract.



---- Original message ----
Date: Mon, 12 Feb 2007 15:03:20 -0800
From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Subject: [SECURITY] PCI Compliance for external e-commerce vendors
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi folks,

I'm trying to settle what we should do for PCI compliance with big
external e-commerce vendors, e.g. Verisign.

PCI compliance scanning:
Do you scan their site (as you would an internal one)? Seems like a
violation of their terms.
Do you scan the page you use to link to them (the one with NO CC
inputs)?

PCI compliance documentation:
Are you certifying PCI compliance for the external e-commerce vendor
if the only thing you are getting back from them is the masked CCN &
a transaction ID?

Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault