Educause Security Discussion mailing list archives
Re: PCI Compliance
From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 22 Mar 2007 13:00:09 -0500
We ask our vendors to supply documentation that addresses the applicable PCI DSS requirements (particularly the requirement 6 section) with the philosophy that if it is in our environment, then we are responsible for compliance whether we developed it or not. You will probably have better chances with this when your vendor also offers hosting of these applications (because they also have a big stake in compliance in such cases). We have had success in getting good documentation from TouchNet, for example, who offer both a COTS and a hosted service version of their product suites.

We have built our payment system from the ground up to be PCI DSS 1.0 compliant and will be "upgrading" this compliance to 1.1 over the early summer. Remediating existing systems to full compliance is a different beast altogether - fortunately the "compensating controls" appendix in version 1.1 might make this a little more achievable, as it gives you a little more wiggle room.

___________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security

-----Original Message-----
From: Theresa M Rowe [mailto:rowe () OAKLAND EDU]
Sent: Thursday, March 22, 2007 12:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Compliance

Has anyone had success with achieving compliance to the PCI standard? We've hit some confusion here. If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant" from the vendor?

Theresa

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
Current thread:
- PCI Compliance Theresa M Rowe (Mar 22)
- <Possible follow-ups>
- Re: PCI Compliance Penn, Blake (Mar 22)
- Re: PCI Compliance Kees Leune (Mar 23)
- Re: PCI Compliance Roger Safian (Mar 23)
- Re: PCI Compliance Lovaas,Steven (Mar 23)
- Re: PCI Compliance Penn, Blake (Mar 23)
- Re: PCI Compliance Bill Ogle (Mar 23)