Educause Security Discussion mailing list archives
Re: PCI
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 4 Oct 2006 09:13:39 -0600
I'm curious why you're looking for documented cases of fines when looking into PCI compliance. Compliance is a requirement for doing business, and lack of compliance, let alone an incident, could be reason for a bank to suspend merchant IDs (although it's unlikely they would yank your IDs just for non-compliance). This seems like a far more motivating point than fines: how many dollars would your campus lose per day if they couldn't process cards?

As for documented fine cases, I can't think of any off-hand, but I suspect anyone being fined doesn't advertise the fact. Also keep in mind that the first step in a non-compliance situation is likely going to be stricter audit requirements before a fine. These audit requirements can be very expensive depending on the scope and depth (into six figures, depending on scope). Not to mention the financial (not even counting fines) and reputation costs associated with a security incident involving a card processing system. All of these items are motivation to ensure good security measures and PCI DSS compliance without even getting into fines.

Some starting points if you're just getting into the topic:

- Do you know your merchant level?
- Do you know the PCI DSS requirements that come with that level?
- Do you know who on campus has merchant IDs?
- Do you know who on campus is processing cards via computer (instead of 'swipe-and-dial' type systems)?
- Is there someone in charge of ASAs (annual self assessments) on your campus?
- Does your campus have a contracted PCI DSS auditor (your merchant level might require periodic external assessment of some level)?
- Who on your campus is in charge of managing the relationship with the bank (or does each department do this themselves)?
- Are your campus merchants aware of PCI DSS requirements?

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder
-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, October 04, 2006 7:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance for my university. I was wondering if anyone knew of documented cases where institutions of higher learning have been fined by VISA for non-compliance.

Thanks,
-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content are confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.
Current thread:
- PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- <Possible follow-ups>
- Re: PCI Valdis Kletnieks (Oct 04)
- Re: PCI Theresa M Rowe (Oct 04)
- Re: PCI Conor McGrath (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Penn, Blake (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Jim Dillon (Oct 04)
- Re: PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- Re: PCI Steve Lovaas (Oct 05)