Educause Security Discussion mailing list archives
Re: PCI- DSS Scope ?
From: Ken Rowe <kenrowe () UILLINOIS EDU>
Date: Fri, 12 Jun 2009 12:18:55 -0500
Using a Service Provider may or may not exempt you from PCI-DSS. Generally, the level of services provided will determine which Self-Assessment Questionnaire (SAQ) you need to complete and the associated cost of meeting compliance. Being at an SAQ-D level is a significantly higher compliance cost than SAQ-C.

However, my understanding is that PCI-DSS only applies to the Payment process. Having a University ID card that also functions as a Debit Card (e.g., functioning both as ID and a Bank card) does not fall under PCI-DSS -- just Red Flag. So still a compliance issue.

While compliance can help get the funding needed to secure the systems, there are still pieces of this that don't fall under PCI DSS or Red Flag, but would be just as costly to the Univ's reputation and potential litigation.

Ken.

==
Ken Rowe
Director of Enterprise Systems Assurance and Information Security
University Office of Administrative Information Technology Services
University of Illinois
50 Gerty Drive, MC-673
Champaign, IL 61820
==================

On 6/12/09 11:00 AM, "Bill Badertscher" <wdc8 () georgetown edu> wrote:
Is it correct to conclude that a university identification card becomes a financial transaction card when an ISO compliant primary account number is encoded on track 2 by the university to facilitate financial transactions? Further, do university systems become part of "merchant" systems by virtue of storing account numbers? It is not clear to me that outsourcing to a third party for payment processing exempts a university from PCI-DSS compliance. I'd be interested in university related case law that addresses the issue. Many thanks.