Educause Security Discussion mailing list archives
Re: PCI Compliance
From: Kees Leune <C.J.Leune () UVT NL>
Date: Fri, 23 Mar 2007 14:23:36 +0100
Hello,

On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
> Has anyone had success with achieving compliance to the PCI standard? We've hit some confusion here. If we:
>
> * license software that takes credit card payment over the web
> * and the web servers are located on our campus
>
> Aren't we obligated to make sure that the software is "PCI compliant" from the vendor?

All organizations that handle credit card payments in any form (store, forward, accept, etc.) are required to ensure that they, but also all their vendors (the entire chain) are PCI compliant. So, technically, even if your entire organization is secure, but you use non-PCI-compliant software to process credit card payments, you are in violation of the standard.

Hope this helps,

Kees

--
Dr. Kees Leune
Tilburg University
Department of Information Systems and Management
Mobile: +31 (6) 5232 8887