Re: PCI Processing Practices

[Roger A Safian <r-safian () NORTHWESTERN EDU>]

+1

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
> Sent: Friday, September 30, 2011 2:14 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI Processing Practices
>
> Hi,
>
> Our policy
>
> <http://policylibrary.columbia.edu/ecommerce-electronic-protection-credit-
> card-holder-information-policy>
>
> states that all PCI transactions must be outsourced, however that does not
> get you off the hook for PCI compliance if your University owns the MIDs for
> the accounts or acts as agents (enters the CC number for others - i.e. Mail
> order/Telephone order (MO/TO) transactions.
>
> Thanks,
> Joel
>
> --On Friday, September 30, 2011 6:41 PM +0000 "Paula E. Johnson"
> <pejohns () UARK EDU> wrote:
>
> > We are reviewing our campus PCI processing practices and are curious
> > how many of you have decided to do your own credit card processing and
> > how may have decided to totally outsource this sort of transaction.  Can
> you please respond with whether you satisfy your PCI needs internally,
> outsourced, or a combination. Thanks in advance for your help.
> > Paula E. Johnson
> > Fiscal Support Supervisor
> > IT Services
> > University of Arkansas
> > Fayetteville, AR 72701
> > 479-575-5870
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security Columbia
> Information Security Office (CISO) Columbia University, 612 W 115th Street,
> NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3