Procurement Cards Can Be Breached, Too

The University of Vermont reported that up to 240 university-funded procurement cards appear to have been compromised/breached. I don't know all the details, but it gives me the opportunity to raise two important points. The first is that your procurement, purchasing, travel, whatever cards are payment cards. They have PANs. They can be compromised and when that happens many of these cards with their high limits are pretty attractive to the bad guys. AND, they are in your PCI scope. Nothing in PCI talks about merchants only: PCI applies if you store, process, or transmit payment card data. Many schools have databases sitting in their Procurement or Treasury departments and trust me...if I do your PCI assessment, they will be included in your scope.The second observation is that reportedly, the university found out when their bank called them. Congratulations to the bank. And another example of "you're the last to know."I am thinking of the old television announcements that used to come on late in the evening: "It's 10 o'clock; do you know where your children are?" I now want to re-phrase that to: "It's time to be PCI compliant; do you know where all your carholder data are?" Give it a (continue reading...)