Educause Security Discussion mailing list archives

Re: PCI


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 4 Oct 2006 10:52:11 -0600

Just think about it; a centralized, 
hardened, access-controlled, processed-documented and closely 
monitored payment database 

You're making a LOT of assumptions about the quality of security and
compliance for card systems.  Unless a campus is certain that their PCI
systems are at this level, I would start by identifying them and doing
some assessment.

Yes, student PII protection is probably a bigger issue to tackle at most
schools, but don't assume card systems are secure - verify it.

Brad Judy





Switching gears, version 1.1 of the standards is out at their website
(https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf) 
and the new version does contain a handful of non-trivial 
changes for those wanting to keep on top of this issue.

____________________________________________
Blake Penn, CISSP                             
Information Security Officer          
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/  


-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, October 04, 2006 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance 
for my university.  I was wondering if anyone knew of 
documented cases where institutions of higher learning have 
been fined by VISA for non-compliance.

Thanks,
-Kevin


Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu
 
 
 
 