Educause Security Discussion mailing list archives

Re: PCI - Third party vendors


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 25 Jul 2014 16:48:16 +0000

PCI-DSS is a contractual arrangement from the card brands via banks to merchants.  If you are not in that contractual 
loop, how is there a compliance requirement?

Brad Judy


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Penn
Sent: Friday, July 25, 2014 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI - Third party vendors

Craig,

The fact that they are an external entity does not obviate your PCI DSS compliance.  Any entity that processes, stores, 
or transmits CHD must comply with the standard.  The nuance here is that you don’t have an associated MID (since they 
are a third party) and therefore no associated acquirer relationship/contractual compliance obligations.  This changes 
your *enforcement/validation* requirements (there are none) but not your actual *compliance* requirements.  The way the 
card schemes see it is that CHD is their data and anyone touching it must comply with the DSS (how they would enforce 
this view is an entirely different matter).

That being said, your QSA should be able to come up with controls that may minimize (or perhaps eliminate) the scope of 
your compliance burden.  The easiest way compliance-wise is to avoid the issue, though.  I commonly see clients set up 
a separate physical network routed out to the ole’ Interwebs through a cheap consumer-grade DSL/Cable connection for 
guest wireless and other such use.  That way the networks never touch (“Don't cross the streams.”) and compliance 
really doesn’t become an issue.

Hope that helps.  Do consult with your friendly neighborhood QSA, though, for specific guidance on this issue.


Blake Penn  CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not 
necessarily reflect the opinions of Trustwave.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drake, Craig
Sent: Thursday, July 24, 2014 4:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI - Third party vendors

We have a new coffee shop going into our library.  They are completely run by an external entity not associated with 
the university.  They want to connect their terminals to our university network (possibly wireless) to transmit their 
credit card transactions.  What do we need to be concerned with in terms of PCI compliance with them running this 
through our networks?

Thank you,
-Craig

Craig Drake

University Technology Services
Northeastern Illinois University
5500 North St. Louis Avenue, Chicago, IL 60625
Phone: (773) 442-4386
Email: C-Drake () neiu edu

www.neiu.edu


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under 
applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, 
distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If 
you received this transmission in error, please immediately contact the sender and destroy the material in its 
entirety, whether in electronic or hard copy format.
