Educause Security Discussion mailing list archives

Re: PCI- DSS Scope ?


From: Megan Carney <carn0048 () UMN EDU>
Date: Mon, 15 Jun 2009 11:14:59 -0500

On Friday 12 June 2009 11:00:32 Bill Badertscher wrote:
> Is it correct to conclude that a university identification card becomes
> a financial transaction card when an ISO compliant primary account
> number is encoded on track 2 by the university to facilitate financial
> transactions? Further, do university systems become part of "merchant"
> systems by virtue of storing account numbers?
PCI DSS only covers credit card numbers, though it is always wise to use best
practices when you're dealing with numbers that link to financial accounts.
Ultimately, of course, management is the one who makes the call when it comes
to what is an acceptable amount of risk for a specific service.


> It is not clear to me that outsourcing to a third party for payment
> processing exempts a university from PCI-DSS compliance.
It doesn't exempt you from PCI-DSS compliance though it does change your
burden.  What has been said before on this list is essentially true, what
matters is where the credit card numbers are entered and stored.  If they
never touch your systems, you just need to make sure your vendor is PCI
compliant (though compliance doesn't necessarily indicate there's no risk).

> I'd be interested in university related case law that addresses the issue.
>
> Many thanks.

--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information,
or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.

www.43folders.com/2005/09/19/writing-sensible-email-messages

