Educause Security Discussion mailing list archives
Re: PCI
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 4 Oct 2006 10:52:11 -0600
Just think about it; a centralized, hardened, access-controlled, processed-documented and closely monitored payment database

You're making a LOT of assumptions about the quality of security and compliance for card systems. Unless a campus is certain that their PCI systems are at this level, I would start by identifying them and doing some assessment. Yes, student PII protection is probably a bigger issue to tackle at most schools, but don't assume card systems are secure - verify it.

Brad Judy

Switching gears, version 1.1 of the standards is out at their website (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf) and the new version does contain a handful of non-trivial changes for those wanting to keep on top of this issue.

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792
(f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, October 04, 2006 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance for my university. I was wondering if anyone knew of documented cases where institutions of higher learning have been fined by VISA for non-compliance.

Thanks,
-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.