Educause Security Discussion mailing list archives

Re: PCI Compliance Policies


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 19 Jul 2007 14:41:44 -0400

Here is the compliance timeline:

By September 30, 2007 - Provide the name of the chosen Approved Scanning
Vendor (ASV).

By December 31, 2007 - Provide the signed Prohibited Data Retention
Attestation Form and provide the first quarterly scan results.  (NOTE:
In order to avoid potential fines, the Attestation must confirm that
there is NO evidence of prohibited data storage subsequent to
transaction authorization).

By March 31, 2008 - Provide the initial Self Assessment Questionnaire.


By June 30, 2008 - Provide a passing Self Assessment Questionnaire and
passing vulnerability scan results confirming that your organization is
PCI compliant.  An executive level officer of your organization must
also sign the attached Confirmation of Report Accuracy and include it
with the passing Self Assessment Questionnaire.


-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU] 
Sent: Thursday, July 19, 2007 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance Policies

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:
Is ANYONE going to be compliant by the September deadline??  Did you use a
consultant to get there?

What is the September deadline?  I thought compliance was supposed to start
on 1/1/06?

FWIW, we're still working on compliance...it's pretty time consuming.


-- 
Roger A. Safian 
r-safian () northwestern edu (email) public key available on many key
servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
