Re: PCI - Third party vendors

[Mike Chapple <mchapple () ND EDU>]

Craig,

My take, in a situation like this, is that you would bear no responsibility
for PCI compliance.  If the entity running the coffee shop is truly a
completely independent operation, then the institution's relationship is
likely one of landlord/tenant.  Unless the contract between you specifies
that you are acting as a service provider and will operate the network in a
PCI-compliant fashion, I believe the coffee shop would bear full
responsibility for PCI compliance.  It's similar to the relationship you
have with your own ISP.

That said, it's always in your best interest to ensure that businesses
operating on your campus are acting responsibly.  If they do suffer a
breach there may be some reputational splash-back.

Best regards,
Mike


*Mike Chapple, Ph.D.*Senior Director for IT Service Delivery
Concurrent Assistant Professor, Computer Applications
University of Notre Dame
236 IT Center  *| * Notre Dame, IN 46556
*P:* 574-631-5863  *|*  *M: *574-274-0151
mchapple () nd edu


On Thu, Jul 24, 2014 at 4:30 PM, Drake, Craig <c-drake () neiu edu> wrote:

> We have a new coffee shop going into our library.  They are completely run
> by an external entity not associated with the university.  They want to
> connect their terminals to our university network (possibly wireless) to
> transmit their credit card transactions.  What do we need to be concerned
> with in terms of PCI compliance with them running this through our
> networks?
>
> Thank you,
> -Craig
>
> Craig Drake
>
> University Technology Services
> Northeastern Illinois University
> 5500 North St. Louis Avenue, Chicago, IL 60625
> Phone: (773) 442-4386
> Email: C-Drake () neiu edu
>
> www.neiu.edu


-- 

Best regards,
Mike


*Mike Chapple, Ph.D.*Senior Director for IT Service Delivery
Concurrent Assistant Professor, Computer Applications
University of Notre Dame
236 IT Center  *| * Notre Dame, IN 46556
*P:* 574-631-5863  *|*  *M: *574-274-0151
mchapple () nd edu