MarketPlace Information

North Foundation Hall, Room 120
318 Meadow Brook Road
Rochester, MI 48309-4454
(location map)

PCI DSS Compliance

PCI DSS is a mature standard to which we have all been adhering to for a number of years. It is easy to allow things to just settle in as you maintain your compliance program. However, compliance is not an end game. Here are two thoughts that we urge you to consider:

  • Do not become complacent with compliance. Continually reevaluate and reassess your environment to ensure you continue to meet all criteria for relevant systems. Do not just meet the letter of the law; consider the intent, also.
  • Go beyond compliance. Compliance is fine, but security should be your goal. At the end of the day, can you say that your systems are secure?

Information extracted from the TouchNet SafeCommerce Bulletin

As stated by MasterCard: "[while hosted payment pages] may help the merchant in reducing PCI DSS scope, it does not remove the need for a robust information security program to be implemented around the merchant's web environment to mitigate data security vulnerabilities."

Consider the following example. You have a web page at your university that links over to your TouchNet U.Commerce application. If an attacker can modify your page to link or redirect users to their own site and craft their site to appear like a typical payment page, then they may be successful at compromising your constituents' card data and other personal information.

While a web page that merely links over to the payment pages may technically be considered "out of scope" for PCI DSS, it is not out of scope for attackers. You are urged to consider such sites when designing, implementing, and operating your security controls.