Educause Security Discussion mailing list archives

PCI-DSS Scope?


From: Bill Badertscher <wdc8 () GEORGETOWN EDU>
Date: Fri, 12 Jun 2009 12:00:32 -0400


Is it correct to conclude that a university identification card becomes
a financial transaction card when an ISO-compliant primary account
number is encoded on track 2 by the university to facilitate financial
transactions? Further, do university systems become part of "merchant"
systems by virtue of storing account numbers?

It is not clear to me that outsourcing to a third party for payment
processing exempts a university from PCI-DSS compliance.

I'd be interested in university-related case law that addresses the issue.

Many thanks.

--

William D. Badertscher
Senior Engineer Facilities and Safety Control Systems
Georgetown University, Information Services
3300 Whitehaven Street, N.W.
Suite 2000, Room 2007
Office: 202-687-3541
Mobile: 202-731-2758
Fax: 202-687-1505
URL: http://www.georgetown.edu/


