Re: PCI - Third party vendors

[Christopher Jones <Christopher.Jones () UFV CA>]

I agree with Roger.  Your QSA will be able to provide guidance on this.  As I understand the PCI requirements, any 
cardholder data transiting the network puts it in scope.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A 
Safian
Sent: Thursday, July 24, 2014 2:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors

I think you want to discuss this with your QSA, but, my read, is this brings your network into scope for PCI.  My 
assumption is you don’t want this to happen.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drake, 
Craig
Sent: Thursday, July 24, 2014 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library.  They are completely run by an external entity not associated with 
the university.  They want to connect their terminals to our university network (possibly wireless) to transmit their 
credit card transactions.  What do we need to be concerned with in terms of PCI compliance with them running this 
through our networks?

Thank you,
-Craig

Craig Drake

University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu<mailto:C-Drake () neiu edu>

www.neiu.edu<http://www.neiu.edu>

[http://homepages.neiu.edu/~markdep/images/neiu_wordmark_color_email.png]