Educause Security Discussion mailing list archives
Re: PCI Compliance Policies
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 19 Jul 2007 12:53:32 -0600
We've been doing PCIDSS compliance actions for some time now, including quarterly scans from an approved vendor, annual self-assessment forms for each department, etc. We don't have a specific PCIDSS policy (although any systems that store CC#'s fall into our private data security policy) partially because, to me, it seems like any policy statement would end up saying "you must be compliant with applicable regulatory requirements". As mentioned, it might be best to refer departments on campus to a combination of the direct PCI info and related existing campus policies.

If you're new to this, the best place to start is with the currently applicable version of the PCIDSS standards (1.1), which can be found here:
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

Then you can move on to the numerous supporting documents here:
https://www.pcisecuritystandards.org/tech/supporting_documents.htm

Most notable of which, IMO, are the audit procedures, which give some more detail on the requirements:
https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

And the self-assessment questionnaire, which someone in your school should already be filling out:
https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf

The above website also maintains the list of certified assessors and scanners. Find ones that you feel comfortable with.

Brad Judy
IT Security Office
University of Colorado at Boulder
-----Original Message-----
From: Sandford, Doug [mailto:doug () UA EDU]
Sent: Thursday, July 19, 2007 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Compliance Policies

Has anyone developed policies related to the process of becoming PCI compliant? Or perhaps links to some sources that have already been developed? Not having to re-invent the wheel would speed the certification process considerably.

Thanks in advance.....

Doug Sandford
University of Alabama
Office of Information Technology