Educause Security Discussion mailing list archives
Re: PCI- DSS Scope ?
From: Allison Dolan <adolan () MIT EDU>
Date: Mon, 15 Jun 2009 13:07:15 -0400
RE: Michael's comment about using PCI DSS to protect PII - Although most states have some form of a breach notification law, and PCI DSS provides a methodology to protect data, there are at least a few things to keep in mind:
1) PCI DSS is an industry standard; state breach laws (and now federal breach laws in the HITECH Act) answer to a very different set of authorities.
2) Most organizations probably know what processes involve the collection/use of PCI data; most organizations probably cannot easily list all the processes that currently or have ever collected PII, especially SSNs. Many more individuals/departments are likely involved (compared to PCI). All the different processes may have different reasons for collecting/using/keeping PII. And it is much harder to think about outsourcing handling of PII.
3) Some states, including Massachusetts, extend requirements to paper as well as electronic records.
Allison F. Dolan
Program Director, Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect

On Jun 15, 2009, at 12:28 PM, Michael Johnson wrote:
I wish to highlight that as of May 09 there are 44 states with breach notification laws that cover Personally Identifiable Information (PII), of which card holder data is considered part. http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

One person's opinion... It is best to use a standards-based practice to build protection for PII. PCI DSS is the closest thing to an almost universally accepted methodology.

I agree with Megan in the prior post regarding third party handling of card holder data. Please consider the "collect, store or transmit" concept. Even though you may choose to outsource some or all of your "processing", the merchant account owner has the ultimate responsibility to protect the data.
Current thread:
- PCI- DSS Scope ? Bill Badertscher (Jun 12)
- <Possible follow-ups>
- Re: PCI- DSS Scope ? Jason Testart (Jun 12)
- Re: PCI- DSS Scope ? Ken Rowe (Jun 12)
- Re: PCI- DSS Scope ? Megan Carney (Jun 15)
- Re: PCI- DSS Scope ? Michael Johnson (Jun 15)
- Re: PCI- DSS Scope ? Allison Dolan (Jun 15)