Educause Security Discussion mailing list archives
Re: PCI - Third party vendors
From: "Kobezak, Philip" <pkobezak () VT EDU>
Date: Thu, 24 Jul 2014 17:22:17 -0400
As others have said, definitely talk with your QSA. Here at Virginia Tech, we have relied on agreements with third parties on our network. When they request and pay for network (Internet) access, the terms specifically state the university has no responsibility for their PCI compliance. I.e., they are getting a commodity Internet connection. Make them agree to the terms before they are given network access. If they set up a firewall / VPN, that's their business and you should maintain zero knowledge of it. Otherwise, you may be seen as a PCI service provider.

Philip Kobezak

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Jones
Sent: Thursday, July 24, 2014 5:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors

I agree with Roger. Your QSA will be able to provide guidance on this. As I understand the PCI requirements, any cardholder data transiting the network puts it in scope.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger A Safian
Sent: Thursday, July 24, 2014 2:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors

I think you want to discuss this with your QSA, but my read is that this brings your network into scope for PCI. My assumption is you don't want this to happen.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drake, Craig
Sent: Thursday, July 24, 2014 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library. They are completely run by an external entity not associated with the university. They want to connect their terminals to our university network (possibly wireless) to transmit their credit card transactions.

What do we need to be concerned with in terms of PCI compliance with them running this through our networks?

Thank you,
-Craig

Craig Drake
University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu
www.neiu.edu
Current thread:
- PCI - Third party vendors Drake, Craig (Jul 24)
- Re: PCI - Third party vendors Brad Judy (Jul 24)
- Re: PCI - Third party vendors Hendra Hendrawan (Jul 24)
- Re: PCI - Third party vendors Mike Chapple (Jul 24)
- Re: PCI - Third party vendors Roger A Safian (Jul 24)
- Re: PCI - Third party vendors Christopher Jones (Jul 24)
- Re: PCI - Third party vendors Kobezak, Philip (Jul 24)
- Re: PCI - Third party vendors T. Shayne Ghere (Jul 24)
- Re: PCI - Third party vendors Shamblin, Quinn (Jul 25)
- Re: PCI - Third party vendors Bruce Curtis (Jul 29)
- Re: PCI - Third party vendors Christopher Jones (Jul 24)
- Re: PCI - Third party vendors Brad Judy (Jul 24)
- Re: PCI - Third party vendors Mike Cunningham (Jul 25)
- Re: PCI - Third party vendors Blake Penn (Jul 25)
- Re: PCI - Third party vendors Mike Chapple (Jul 25)
- Re: PCI - Third party vendors Oscar Knight (Jul 25)
- Re: PCI - Third party vendors Theresa Semmens (Jul 25)
- Re: PCI - Third party vendors Joel L. Rosenblatt (Jul 25)