#1
Can someone explain the consequences of allowing a vendor to run card transactions over your network to their processor? I am talking about a vendor with a store on the entity's grounds transacting business. This would also be a situation where the vendor maintains a merchant number independent of the contracting entity. It would appear that this would make the entity's network a service provider to the vendor; however, I am not really clear on what PCI DSS requirements would kick in for the entity due to the vendor's use of the network.
#2
All of the PCI compliance responsibility resides with the merchant and, in this case, none with the entity. The issue is how the CC transactions are secured, i.e. properly encrypted to protect them (see Requirement 4.1).

The specific exclusion for this example is in the 1.2 Glossary of Terms and reads, for the definition of a service provider: "Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded".
#3
I would say that you would be on the hook for the items in Appendix A of the PCI Security Assessment Procedures that require you to ensure the physical security of the equipment that provides the conduit. The reason is that you are not a telecommunications common carrier like AT&T or Verizon; you are a private organization that is providing network access to another organization.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com
The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#4
Both answers are partially correct. First, the vendor is a merchant and has responsibility to protect data being sent over 'untrusted networks'. If you allow your vendor to send transactions over your network unencrypted, you are now accepting responsibility as a Service Provider and must secure your network. You also assume quite a bit of liability.

Best suggestion: tell the vendor to encrypt the data, and it removes your network from scope.
#5
Thanks to everyone replying to this post. I had difficulty deciphering exactly how PCI DSS dealt with this issue. The vendor in question is reportedly encrypting card info to their processor over the network. Once I get verification, I will at least know which PCI direction should be taken.
#6
I would also have a look at the contract you have with this merchant. Who is responsible for what, and what happens if "you" get hacked and lose that merchant's cardholder data?