Educause Security Discussion mailing list archives

Re: PCI-DSS Scope?


From: Ken Rowe <kenrowe () UILLINOIS EDU>
Date: Fri, 12 Jun 2009 12:18:55 -0500

Using a Service Provider may or may not exempt you from PCI-DSS. Generally,
the level of services provided will determine which Self-Assessment
Questionnaire (SAQ) you need to complete and the associated cost of meeting
compliance. Being at an SAQ-D level is a significantly higher compliance cost
than SAQ-C.

However, my understanding is that PCI-DSS only applies to the Payment
process. Having a University ID card that also functions as a Debit Card
(e.g., functioning both as ID and a Bank card) does not fall under PCI-DSS
-- just Red Flag. So still a compliance issue.

While compliance can help get the funding needed to secure the systems,
there are still pieces of this that don't fall under PCI DSS or Red Flag,
but would be just as costly to the Univ's reputation and potential
litigation.

Ken.
==
Ken Rowe
Director of Enterprise Systems Assurance and Information Security
University Office of Administrative Information Technology Services
University of Illinois
50 Gerty Drive, MC-673
Champaign, IL 61820

==================
On 6/12/09 11:00 AM, "Bill Badertscher" <wdc8 () georgetown edu> wrote:


Is it correct to conclude that a university identification card becomes
a financial transaction card when an ISO compliant primary account
number is encoded on track 2 by the university to facilitate financial
transactions? Further, do university systems become part of "merchant"
systems by virtue of storing account numbers?

It is not clear to me that outsourcing to a third party for payment
processing exempts a university from PCI-DSS compliance.

I'd be interested in university related case law that addresses the issue.

Many thanks.
