Educause Security Discussion mailing list archives

Re: PCI and banks that use Akamai

From: Michael Johnson <mjohnson () COMPLYGUARDNETWORKS COM>
Date: Mon, 14 Jun 2010 15:19:34 -0500

Acquiring banks must report on compliance of all their merchants to the
card brands. There are specific reports and formats they have to work
with. (Find them on the VISA and MasterCard web properties.)

All of these operations will be concerned with the security of PII, a
subset is PCI. All merchant account owners and service providers that
collect store or transmit card holder data are subject to the PCI DSS.

As to the relevance of Akamai... it really depends on implementation. It
is only a piece of the PCI requirement for a merchant or service

A bigger challenge is the concept of "cloud computing" when someone
impacted by PCI does not know where their data is and who has access to
it. By definition this means PII too.

Michael Johnson, QSA

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: Monday, June 14, 2010 4:04 PM
Subject: Re: [SECURITY] PCI and banks that use Akamai

I would assert that not all online banking applications need to be PCI
compliant, as not all online banking environments would necessarily
touch CHD (cardholder data). And retail online banking != commercial
online banking != acquiring bank, at least not necessarily.

And for the record, acquiring banks don't have to assure that their
(level 4 at least - that's my current wheelhouse) merchants are
compliant, that's the merchant's contractual obligation.  So far as I
can tell, to the acquiring bank, a noncompliant merchant is simply
another fees-based revenue opportunity.

Best to verify.

"Daniel, Jack" <jdaniel () CONCORDANT COM> 2010-06-14 14:56 >>>
A lot of banks do "get it" and just about ALL larger banks have to be
PCI compliant.  It's not just the merchants but the service providers.
The banks have to ensure their merchants are compliant as well as ensure
that they are compliant as a service provider.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Schiller
Sent: Monday, June 14, 2010 3:39 PM
Subject: Re: [SECURITY] PCI and banks that use Akamai

On 06/14/2010 03:33 PM, John Ladwig wrote:
Hm.  No reason a bank *would* use a PCI service, regardless of how
reasonable a thing that'd be from an infosec perspective.

And I think step 1 would still be 'understand Akamai's PCI service
offering and its relevance to the problem at hand," if it were cited
by a bank.

We should also be a bit careful here. In general PCI is all about
accepting credit cards as a form of payment. In particular PCI is
focused on credit card merchants. It is not really oriented toward
banks and generic banking transactions. I am not even sure that a bank
has to *be* PCI compliant.

I do not have any familiarity with Akamai's PCI service offerings, but
I suspect it is a high performance payment system, probably not a
generic "secure" platform.

From my experience, I would expect that some banks "get it" when it
comes to IT security, and others do not. In particular I would be
concerned about small credit unions.

--
Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu 