Educause Security Discussion mailing list archives

Re: PCI Compliance
From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 22 Mar 2007 13:00:09 -0500

We ask our vendors to supply documentation that addresses the applicable PCI
DSS requirements (particularly the requirement 6 section) with the
philosophy that if it is in our environment, then we are responsible for
compliance whether we developed it or not.  You will probably have better
chances with this when your vendor also offers hosting of these applications
(because they also have a big stake in compliance in such cases).  We have
had success in getting good documentation from TouchNet, for example, who
offer both a COTS and hosted service version of their product suites.

We have built our payment system from the ground up to be PCI DSS 1.0
compliant and will be "upgrading" this compliance to 1.1 over the early
summer.  Remediating existing systems to full compliance is a different
beast altogether - fortunately the "compensating controls" appendix in
version 1.1 might make this a little more achievable as it gives you a
little more wiggle room.

Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

-----Original Message-----
From: Theresa M Rowe [mailto:rowe () OAKLAND EDU]
Sent: Thursday, March 22, 2007 12:38 PM
Subject: [SECURITY] PCI Compliance

Has anyone had success with achieving compliance to the PCI standard?

We've hit some confusion here.  If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant" from
the vendor?

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
