Re: PCI Processing Practices

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi,

Our policy

<http://policylibrary.columbia.edu/ecommerce-electronic-protection-credit-card-holder-information-policy>

states that all PCI transactions must be outsourced, however that does not get you off the hook for PCI compliance if your University owns the MIDs for the 
accounts or acts as agents (enters the CC number for others - i.e. Mail order/Telephone order (MO/TO) transactions.

Thanks,
Joel

--On Friday, September 30, 2011 6:41 PM +0000 "Paula E. Johnson" <pejohns () UARK EDU> wrote:

> We are reviewing our campus PCI processing practices and are curious how many of you have decided to do your own credit 
> card processing and how may have
> decided to totally outsource this sort of transaction.  Can you please respond with whether you satisfy your PCI needs 
> internally, outsourced, or a
> combination. Thanks in advance for your help.
>
> Paula E. Johnson
> Fiscal Support Supervisor
> IT Services
> University of Arkansas
> Fayetteville, AR 72701
> 479-575-5870



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3