Educause Security Discussion mailing list archives

Re: PCI- DSS Scope ?


From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Mon, 15 Jun 2009 11:28:35 -0500

I wish to highlight that as of May 09 there are 44 states with breach
notification laws that cover Personally Identifiable Information (PII),
of which cardholder data is considered part.

http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

One person's opinion... It is best to use a standards-based practice for
protecting PII. PCI DSS is the closest thing to an almost universally
accepted methodology.

I agree with Megan in the prior post regarding third-party handling of
cardholder data. Please consider the "collect, store or transmit" concept.
Even though you may choose to outsource some or all of your
"processing", the merchant account owner has the ultimate responsibility
to protect the data.

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Megan Carney
Sent: Monday, June 15, 2009 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI- DSS Scope ?

On Friday 12 June 2009 11:00:32 Bill Badertscher wrote:
> Is it correct to conclude that a university identification card becomes
> a financial transaction card when an ISO compliant primary account
> number is encoded on track 2 by the university to facilitate financial
> transactions? Further, do university systems become part of "merchant"
> systems by virtue of storing account numbers?

PCI DSS only covers credit card numbers, though it is always wise to use
best practices when you're dealing with numbers that link to financial
accounts. Ultimately, of course, management is the one who makes the
call when it comes to what is an acceptable amount of risk for a
specific service.
> It is not clear to me that outsourcing to a third party for payment
> processing exempts a university from PCI-DSS compliance.

It doesn't exempt you from PCI-DSS compliance, though it does change your
burden. What has been said before on this list is essentially true: what
matters is where the credit card numbers are entered and stored. If they
never touch your systems, you just need to make sure your vendor is PCI
compliant (though compliance doesn't necessarily indicate there's no
risk).

> I'd be interested in university-related case law that addresses the
> issue.
>
> Many thanks.

--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting
information, or requesting action.
3. Write a great subject line.
4. Brevity is the soul . . . of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.

www.43folders.com/2005/09/19/writing-sensible-email-messages
