Educause Security Discussion mailing list archives

Re: OrgSync and PCI Compliance


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Fri, 24 Jul 2015 19:48:17 +0000

For PCI compliance you have a few ways to address if a vendor is not or does not have to be compliant, but has access 
to CDE in your organization. Some options are to include them in your PCI assessment with their cooperation, segment 
your PCI CDE from OrgSync services, reevaluate if they have to be included, or simply don't use them if you are not 
willing to deal with or tolerate any risk. My suggestion is to check with the vendor providing PCI compliance services 
for your University for guidance and suggestions as they should understand your environment better.


Vel Pavlov | Sr. IT Security Analyst
M.Sc., CISSP, C|EH, C)PTE, Security+, Rapid7 CNA & MPCS, ITIL, A+
Ferris State University
Phone (231)-591-5613
For service requests, please contact the
Technology Assistance Center (TAC)<http://www.ferris.edu/techsupport/>






On Jul 24, 2015, at 2:36 PM, Elizabeth Shannon <eshann () KSU EDU> wrote:

The Office of Student Life wants to use OrgSync so student organizations can accept payments via credit cards. Of 
course, OrgSync claims they do not have to comply with PCI 3.1 because they don't process credit cards. So does 
anyone use OrgSync with the payment gateway feature enabled, or has anyone explored this feature? Any information would be 
greatly appreciated.

----
Elizabeth Shannon
Kansas State University
Information Security and Privacy Manager
785.532.2540

