Educause Security Discussion mailing list archives
Re: PCI- DSS Scope ?
From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Mon, 15 Jun 2009 11:28:35 -0500
I wish to highlight that as of May 09 there are 44 states with breach notification laws that cover Personally Identifiable Information (PII), of which card holder data is considered part.
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

One person's opinion... It is best to use a standards based practice to build protection for PII. PCI DSS is the closest thing to an almost universally accepted methodology.

I agree with Megan in the prior post regarding third party handling of card holder data. Please consider the "collect, store or transmit" concept. Even though you may choose to outsource some or all of your "processing", the merchant account owner has the ultimate responsibility to protect the data.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Megan Carney
Sent: Monday, June 15, 2009 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI- DSS Scope ?

On Friday 12 June 2009 11:00:32 Bill Badertscher wrote:
> Is it correct to conclude that a university identification card becomes a financial transaction card when an ISO compliant primary account number is encoded on track 2 by the university to facilitate financial transactions? Further, do university systems become part of "merchant" systems by virtue of storing account numbers?
PCI DSS only covers credit card numbers, though it is always wise to use best practices when you're dealing with numbers that link to financial accounts. Ultimately, of course, management is the one who makes the call when it comes to what is an acceptable amount of risk for a specific service.
> It is not clear to me that outsourcing to a third party for payment processing exempts a university from PCI-DSS compliance.
It doesn't exempt you from PCI-DSS compliance, though it does change your burden. What has been said before on this list is essentially true: what matters is where the credit card numbers are entered and stored. If they never touch your systems, you just need to make sure your vendor is PCI compliant (though compliance doesn't necessarily indicate there's no risk).
> I'd be interested in university related case law that addresses the issue.
> Many thanks.
--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information, or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.
www.43folders.com/2005/09/19/writing-sensible-email-messages
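Megan's point that scope follows where card numbers are entered and stored, and Bill's question about a PAN encoded on track 2, both come down to finding out which stored records actually hold a PAN. The following is an added example, not code from any poster on this thread: a small Python scoping scanner that parses ISO 7813 track 2 data, applies the Luhn check that ISO/IEC 7812 account numbers satisfy, and reports hits with the PAN masked. The record store and the PANs in it are constructed sample data (the PANs are widely published industry test numbers, not real accounts).

```python
import re
from dataclasses import dataclass
from typing import Optional

# ISO 7813 track 2 layout: ';' PAN (up to 19 digits) '=' YYMM SSS discretionary '?'
TRACK2_RE = re.compile(r";(\d{1,19})=(\d{4})(\d{3})(\d*)\?")
BARE_PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by ISO/IEC 7812 primary account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Track2:
    pan: str
    expiry: str        # YYMM
    service_code: str  # three digits

def parse_track2(raw: str) -> Optional[Track2]:
    """Return the track 2 fields, or None if the string is not track 2 data."""
    m = TRACK2_RE.fullmatch(raw)
    return Track2(m.group(1), m.group(2), m.group(3)) if m else None

def mask_pan(pan: str) -> str:
    """Report a PAN with at most the first six and last four digits visible."""
    if len(pan) <= 10:
        return "*" * (len(pan) - 4) + pan[-4:]
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_records(records):
    """(record_id, masked_pan) for each record holding a Luhn-valid PAN, as track 2 or bare digits."""
    hits = []
    for rid, blob in records:
        t = parse_track2(blob)
        candidates = [t.pan] if t else BARE_PAN_RE.findall(blob)
        hits.extend((rid, mask_pan(p)) for p in candidates if luhn_valid(p))
    return hits

# Constructed sample store; the PANs are well-known industry test numbers.
SAMPLE_RECORDS = [
    ("id-card-001", ";4111111111111111=25121010000000000?"),  # track 2 carrying a PAN
    ("id-card-002", ";1234567890=2512101?"),                   # ID number only, fails Luhn
    ("notes-003", "student 1234567890 paid with card 5555555555554444"),
]
```

Records that come back from `scan_records` are the ones that "store" cardholder data in the sense the thread is using, so the systems holding them are the ones to treat as in scope; a Luhn-valid number that is really a university ID is still a false positive to verify by hand.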
Current thread:
- PCI- DSS Scope ? Bill Badertscher (Jun 12)
- <Possible follow-ups>
- Re: PCI- DSS Scope ? Jason Testart (Jun 12)
- Re: PCI- DSS Scope ? Ken Rowe (Jun 12)
- Re: PCI- DSS Scope ? Megan Carney (Jun 15)
- Re: PCI- DSS Scope ? Michael Johnson (Jun 15)
- Re: PCI- DSS Scope ? Allison Dolan (Jun 15)