I have long been a bit of a stickler on managing your PCI service providers. Many of you, my clients, know that. In particular, I truly believe that PCI Requirement 12.8 is your friend. Now I have company...the Federal Trade Commission, of all people.
For those of you who are not familiar with each PCI requirement, 12.8 and its four subsections address how you manage your PCI service providers. Service providers are organizations who either store, process, or transmit cardholder data for you or who can affect the security of your transaction (e.g., managed services providers).
In particular, PCI Requirement 12.8.2 stipulates that you have "a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess." That bit about being "responsible for the security of cardholder data" is the important part as the FTC found out in its own way.
The sites in question were developed by public relations firm Fleishman-Hilliard, which hosted the sites on resources provided by hosting and cloud services provider Media Temple. The two firms are currently duking it out in a very public finger-pointing spat reported by Ars Technica, which also brought to light the fact that the $1.5 million contract to develop the sites initially included security provisions during the acquisition process but then dropped those requirements. [emphasis added]
I'll let you read the entire article, but the lesson is that you don't want something like that to happen to your school's ecommerce or other hosted sites. PCI 12.8 was put there to protect you, and you want to be sure to follow it. And above all, don't negotiate-out any security provisions or guarantees.
You also might want to include PCI compliance language in all your contracts for third party merchants on campus like bookstores, food service, craft fairs, the circus (really!) or other entertainment providers. It's your institution's brand that is at risk, and as I've said before, PCI is your friend.