Re: PCI Compliance

[Jeff h <holden.tech () gmail com>]

Thanks!  I am relatively new to my current position.  Apparently my
employer has been going round and round with this company to get their s*!t
straight with little success. Unfortunately I work in the Education sector
and have little flexibility when it comes to getting rid of this vender, we
do have it in the contract that they must be PCI compliant. I am scheduling
a meeting with them to give them some motivation to remediate this.

Thanks,
Jeff


On Thu, Apr 11, 2013 at 10:23 PM, Nathan Sweaney <nathan () sweaney com> wrote:

> You are correct. The merchant of record (whoever signs the contract to
> accept credit cards) is responsibly for completely complying with the
> entire PCI-DSS (and any other security requirements provided by the card
> brands that they accept). This is spelled out in their Merchant Agreement
> contract with their processor or acquiring bank. I obviously haven't seen
> their contract, but I've looked at tons from various banks and they all
> have the exact same boilerplate sections provided by the card brands.
>
> It sounds like they are the merchant of record, but it's your customers
> whose cards will be processed. If so, that puts you in an awkward position.
> Legally the vendor will liable for any fines associated with a breach, but
> your name could be smeared because they were your customers. If you have
> any leverage, you might insist they provide a copy of their merchant
> agreement, or even a letter from their bank attesting that they don't have
> to fully comply. They won't be able to do that, but it might help you
> convince them that they're wrong.
>
>
> On Thu, Apr 11, 2013 at 4:04 PM, Jeff h <holden.tech () gmail com> wrote:
>
> > I have a question I hope someone can answer regarding PCI.  We have a
> > vender that we use that hosts an application.  The vender says they are a
> > Level 4 merchant and use a third party for all credit card transactions. So
> > they would have to fill out a SAQ C and have an external scan by an
> > approved vender.
> >
> > Do they still have to abide by all PCI DSS requirements even if they are
> > not spelled out in SAQ C, such as password length, reuse, and expiration?
> >
> > The vender has a document they describe their security controls and they
> > do not even meet PCI DSS already lax standard of at least 7 character
> > passwords. They claim that since they are level 4 they don't need to.
> >
> > My understanding was all requirements still apply even if it dosen't go
> > through every single requirement in SAQ C they still have to check the box
> > that says "I have read the PCI DSS and I recognize that I must maintain
> > full PCI DSS compliance at all times"
> >
> > So who is correct?
> >
> > Thanks,
> > Jeff
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com