Re: Fw: PCI Compliance Policies

[Brad Judy <Brad.Judy () COLORADO EDU>]

I'm sorry, but saying you "don't like to promote your services" does not
make an advertisement into an informational note.  Removing all
references to your product/services is the proper direction to take, not
attaching a service flyer and plugging your services in the message as
well.

This is out of line for this list IMO and isn't the first time this
issue has arisen with this company IIRC.   

Brad Judy

IT Security Office
University of Colorado at Boulder

> -----Original Message-----
> From: Nick Fasano [mailto:Nick_Fasano () RAPID7 COM] 
> Sent: Thursday, July 19, 2007 11:53 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Fw: PCI Compliance Policies
>
>
> As a PCI vendor, I do not want to promote my services or my 
> organization but I think information is key.  Rapid7 LLC is 
> an ASV (Authorized Scanning Vendor) for PCI compliance.  The 
> PCI  security council requires vendors to standardize their 
> services around PCI and pass some serious test in the 
> MasterCard Security Lab in Europe.  There are some very basic 
> requirements that merchants need to follow that take card data: 
>
> 1. Quarterly vulnerability scans performed by an ASV.   
> 2. Annual Penetration test performed by a third party vendor.   
>
> Your qtrly scans need to follow the PCI standard templates 
> and are provided to your Acquiring Bank or processor.  The 
> ASV is required to provide this data to you (as a merchant) as well. 
>
> Rapid7 offers 2 types of services around PCI.  1. Is a 
> managed service approach with Professional Services running 
> the quarterly scans.  2. A self service portal that a 
> merchant can run the third party scans on their own: pci.rapid7.com 
>
>
>
>
> Nick Fasano
> Rapid7 LLC
> 617 247 1717 Office
> 857 288 7411 Direct IP Phone
> 866 7 RAPID7 (866 772 7437)
> 781 640 7945 Mobile
> 617 507 6488 Fax
> nick_fasano () rapid7 com
>
> http://www.rapid7.com/pressreleases/carnegiemellon.jsp
> NeXpose - Winner of SC Magazine Awards "Best Vulnerability 
> Management" Product of 2007.
>
> ----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM ----- 
>
>       Theresa M Rowe <rowe () OAKLAND EDU> 
>
> 07/19/2007 01:30 PM 
> Please respond to rowe         
>         To:        SECURITY () LISTSERV EDUCAUSE EDU 
>         cc:         
>         Subject:        Re: PCI Compliance Policies
>
>
>
> The date doesn't appear on the PCI site, but our bank and 
> other orgs are giving this date - For example 
> http://www.gfi.com/security/pci.htm
> Furthermore, PCI DSS compliance needs to be achieved by 
> September, 2007 - this is the deadline posed by credit card 
> companies. Organizations that fail to comply face fines of up 
> to $500,000 if the data is lost or stolen and risk not being 
> allowed to handle cardholder data. 
>
> http://searchsmb.bitpipe.com/detail/RES/1178314942_651.html
> Most retailers and solutions providers believe that 
> September, 2007 will be the true deadline after which Visa 
> will begin levying fines on acquirers whose merchants who are 
> not compliant with the standard. 
>
>
> ---- Original message ----
> > Date: Thu, 19 Jul 2007 12:20:04 -0500
> > From: Roger Safian <r-safian () northwestern edu>
> > Subject: Re: [SECURITY] PCI Compliance Policies
> > To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU
> >
> > At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to 
> keyboard and wrote:
> > > Is ANYONE going to be compliant by the September deadline?? 
>  Did you 
> > > use a consultant to get there?
> >
> > What is the September deadline?  I thought compliance was 
> supposed to 
> > start on 1/1/06?
> >
> > FWIW, we're still working on compliance...it's pretty time consuming.
> >
> >
> > --
> > Roger A. Safian
> > r-safian () northwestern edu (email) public key available on 
> many key servers.
> > (847) 491-4058   (voice)
> > (847) 467-6500   (Fax) "You're never too old to have a great 
> childhood!"
> >
> Theresa Rowe
> Assistant Vice President
> University Technology Services
> www.oakland.edu/uts - the latest news from University 
> Technology Services