Home page logo

educause logo Educause Security Discussion mailing list archives

Re: PCI Compliance
From: "Penn, Blake" <pennb () UWW EDU>
Date: Fri, 23 Mar 2007 10:07:50 -0500

True, you can limit your PCI DSS non-compliance risk contractually by
"passing the buck" to the vendor if they are comfortable with signing such
contracts.  However, even if you are hosting "compliant" applications, there
are many variables for which you are going to be responsible for maintaining
compliance.  Think of system configuration, for example.  A vendor may
attest to the compliance of their product, but no vendor in their right mind
is going to sign a contract whereby they accept financial responsibility for
non-compliance in the case of system that is configured in manner by which
it is rendered non-compliant.  An exception to this might be truly
"turn-key" solutions that involve no interaction from the customer.  Most
solutions, however, are going to allow some level of administration,
configuration, etc. from the customer as well as the vendor.  It is going to
be the customer's responsibility to administer, configure and maintain such
systems so that they are in compliance with the standards.

And true, banks are passing the buck contractually as much as they can.
However, most banks of any significant size also have massive internal
compliance programs for PCI DSS and other infosec-related regulations (SOX,
GLBA, etc.).  I personally know from former infosec colleagues at a large
bank that I used to work for that their current PCI DSS compliance efforts
are being tackled on a massively enterprise scale both technically and
procedurally and not just solely through contractual risk mitigation.

Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Friday, March 23, 2007 8:42 AM
Subject: Re: [SECURITY] PCI Compliance

At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:

On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
Has anyone had success with achieving compliance to the PCI standard?

We've hit some confusion here.  If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant"
from the

All organizations that handle credit card payments in any form (store,
forward, accept, etc.) are required to ensure that they, but also all their
vendors (the entire chain) are PCI compliant.

So, technically, even if your entire organization is secure, but you use
pci-compliant software to process credit card payments, you are in
of the standard.

Here's my understanding, IANAL.  PCI requires that you use products and
that are PCI compliant.  If you use software, you need to ask the vendor if
are PCI compliant.  You also need to ensure that the contract they sigh
they are compliant.  Beyond that, you have to do nothing.  If the vendor is
wrong about their compliance, then they have legal issues because of the
contract and you should be able to pass the buck.  Basically that's what
the banks are doing.

Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]