Educause Security Discussion mailing list archives
Re: PCI Compliance for external e-commerce vendors
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 13 Feb 2007 08:10:32 -0500
Agree with the other post - ask for their certificate of compliance, or check them out on the Visa web site - http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Some vendors will just say they are on the list, and they don't have an actual certificate. This list shows the List of Compliant Service Providers, and from that you can confirm that a firm is compliant. TouchNet, for example, with its strong presence in higher ed is on this list.

We also write into our contracts that the vendor will provide a statement or certificate of compliance on request, or periodically (annually) to our risk management area, and that the vendor will maintain compliance for the life of the contract.

---- Original message ----
Date: Mon, 12 Feb 2007 15:03:20 -0800
From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Subject: [SECURITY] PCI Compliance for external e-commerce vendors
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi folks,

I'm trying to settle what we should do for PCI compliance with big external e-commerce vendors, e.g. Verisign.

PCI compliance scanning:
Do you scan their site (as you would an internal one)? Seems like a violation of their terms.
Do you scan the page you use to link to them (the one with NO CC inputs)?

PCI compliance documentation:
Are you certifying PCI compliance for the external e-commerce vendor if the only thing you are getting back from them is the masked CCN & a transaction ID?

Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services