Educause Security Discussion mailing list archives
Re: PCI- DSS Scope ?
From: Megan Carney <carn0048 () UMN EDU>
Date: Mon, 15 Jun 2009 11:14:59 -0500
On Friday 12 June 2009 11:00:32 Bill Badertscher wrote:
> Is it correct to conclude that a university identification card becomes a financial transaction card when an ISO compliant primary account number is encoded on track 2 by the university to facilitate financial transactions? Further, do university systems become part of "merchant" systems by virtue of storing account numbers?
PCI DSS only covers credit card numbers, though it is always wise to use best practices when you're dealing with numbers that link to financial accounts. Ultimately, of course, management is the one who makes the call when it comes to what is an acceptable amount of risk for a specific service.
> It is not clear to me that outsourcing to a third party for payment processing exempts a university from PCI-DSS compliance.
It doesn't exempt you from PCI-DSS compliance, though it does change your burden. What has been said before on this list is essentially true: what matters is where the credit card numbers are entered and stored. If they never touch your systems, you just need to make sure your vendor is PCI compliant (though compliance doesn't necessarily indicate there's no risk).
> I'd be interested in university related case law that addresses the issue. Many thanks.
--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information, or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.
www.43folders.com/2005/09/19/writing-sensible-email-messages