Educause Security Discussion mailing list archives

Re: PCI Compliance


From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 22 Mar 2007 13:00:09 -0500

We ask our vendors to supply documentation that addresses the applicable PCI
DSS requirements (particularly the requirement 6 section) with the
philosophy that if it is in our environment, then we are responsible for
compliance whether we developed it or not.  You will probably have better
chances with this when your vendor also offers hosting of these applications
(because they also have a big stake in compliance in such cases).  We have
had success in getting good documentation from TouchNet, for example, who
offer both a COTS and hosted service version of their product suites.

We have built our payment system from the ground up to be PCI DSS 1.0
compliant and will be "upgrading" this compliance to 1.1 over the early
summer.  Remediating existing systems to full compliance is a different
beast altogether - fortunately the "compensating controls" appendix in
version 1.1 might make this a little more achievable as it gives you a
little more wiggle room.

___________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security


-----Original Message-----
From: Theresa M Rowe [mailto:rowe () OAKLAND EDU]
Sent: Thursday, March 22, 2007 12:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Compliance

Has anyone had success with achieving compliance to the PCI standard?

We've hit some confusion here.  If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant" from
the vendor?


Theresa
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
