Educause Security Discussion mailing list archives

Re: PCI Compliance for external e-commerce vendors
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Tue, 13 Feb 2007 08:10:32 -0500

Agree with the other post - ask for their certificate of compliance, or check them out on the Visa web site -

http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Some vendors will just say they are on the list, and they don't have an actual certificate.  This list shows the List 
of Compliant Service Providers, and from that you can confirm that a firm is compliant.  TouchNet, for example, with 
its strong presence in higher ed, is on this list.

We also write into our contracts that the vendor will provide a statement or certificate of compliance on request, or 
periodically (annually) to our risk management area, and that the vendor will maintain compliance for the life of the 
contract.
---- Original message ----
Date: Mon, 12 Feb 2007 15:03:20 -0800
From: Kim Cary <Kim.Cary () PEPPERDINE EDU>
Subject: [SECURITY] PCI Compliance for external e-commerce vendors
To: SECURITY () LISTSERV EDUCAUSE EDU

Hi folks,

I'm trying to settle what we should do for PCI compliance with big
external e-commerce vendors, e.g. Verisign.

PCI compliance scanning:
Do you scan their site (as you would an internal one)? Seems like a
violation of their terms.
Do you scan the page you use to link to them (the one with NO CC
inputs)?

PCI compliance documentation:
Are you certifying PCI compliance for the external e-commerce vendor
if the only thing you are getting back from them is the masked CCN &
a transaction ID?

Kim Cary, Ed. D.
Infrastructure Security Administrator
M-F 7-4 ~ 310 506 6655

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services