Educause Security Discussion
mailing list archives
Re: PCI Compliance for external e-commerce vendors
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 13 Feb 2007 08:10:32 -0500
Agree with the other post - ask for their certificate of compliance, or check them out on the Visa web site -
Some vendors will just say they are on the list, and they don't have an actual certificate. This list shows the List
of Compliant Service Providers, and from that you can confirm that a firm is compliant. TouchNet, for example, with
its strong presence in higher ed is on this list.
We also write into our contracts that the vendor will provide a statement or certificate of compliance on request, or
periodically (annually) to our risk management area, and that the vendor will maintain compliance for the life of the
---- Original message ----
Date: Mon, 12 Feb 2007 15:03:20 -0800
From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Subject: [SECURITY] PCI Compliance for external e-commerce vendors
To: SECURITY () LISTSERV EDUCAUSE EDU
I'm trying to settle what we should do for PCI compliance with big
external e-commerce vendors, e.g. Verisign.
PCI compliance scanning:
Do you scan their site (as you would an internal one)? Seems like a
violation of their terms.
Do you scan the page you use to link to them (the one with NO CC
PCI compliance documentation:
Are you certifying PCI compliance for the external e-commerce vendor
if the only thing you are getting back from them is the masked CCN &
a transaction ID?
Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services