Educause Security Discussion mailing list archives

Re: PCI Compliance


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 23 Mar 2007 08:42:12 -0500

At 08:23 AM 3/23/2007, Kees Leune put fingers to keyboard and wrote:
Hello,

On Thu, Mar 22, 2007 at 01:38:29PM -0400, Theresa M Rowe wrote:
Has anyone had success with achieving compliance to the PCI standard?

We've hit some confusion here.  If we:

* license software that takes credit card payment over the web
* and the web servers are located on our campus

Aren't we obligated to make sure that the software is "PCI compliant" from the
vendor?

All organizations that handle credit card payments in any form (store,
forward, accept, etc.) are required to ensure that they, but also all their
vendors (the entire chain) are PCI compliant.

So, technically, even if your entire organization is secure, but you use non-PCI-compliant software to process credit card payments, you are in violation
of the standard.

Here's my understanding, IANAL.  PCI requires that you use products and services
that are PCI compliant.  If you use software, you need to ask the vendor if they
are PCI compliant.  You also need to ensure that the contract they sign states
they are compliant.  Beyond that, you have to do nothing.  If the vendor is
wrong about their compliance, then they have legal issues because of the
contract and you should be able to pass the buck.  Basically that's what
the banks are doing.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
