Educause Security Discussion mailing list archives

Re: PCI


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 4 Oct 2006 09:13:39 -0600

I'm curious why you're looking for documented cases of fines when
looking into PCI compliance.  Compliance is a requirement to doing
business and lack of compliance, let alone an incident, could be reason
for a bank to suspend merchant IDs (although it's unlikely they would
yank your IDs just for non-compliance).  This seems like a far more
motivating point than fines - how many dollars would your campus lose
per day if they couldn't process cards?

As for documented fine cases, I can't think of any off-hand, but I
suspect anyone being fined doesn't advertise the fact. 

Also keep in mind that the first step in a non-compliance situation is
likely going to be stricter audit requirements before a fine.  These
audit requirements can be very expensive depending on the scope and
depth (into six figures, depending on scope).  

Not to mention the financial (not even counting fines) and reputation
costs associated with a security incident involving a card processing
system.  All of these items are motivation to ensure good security
measures and PCIDSS compliance without even getting into fines.

Some starting points if you're just getting into the topic:

Do you know your merchant level?
Do you know the PCIDSS requirements that come with that level?
Do you know who on campus has merchant IDs?
Do you know who on campus is processing cards via computer (instead of
'swipe-and-dial' type systems)?
Is there someone in charge of ASAs (annual self-assessments) on your
campus?
Does your campus have a contracted PCIDSS auditor (your merchant level
might require periodic external assessment of some level)?
Who on your campus is in charge of managing the relationship with the
bank (or does each department do this themselves)?
Are your campus merchants aware of PCIDSS requirements?

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Wednesday, October 04, 2006 7:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance 
for my university.  I was wondering if anyone knew of 
documented cases where institutions of higher learning have 
been fined by VISA for non-compliance.

Thanks,
-Kevin


Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu