Educause Security Discussion mailing list archives
Re: PCI DSS and level 2 merchants
From: Tom Davis <tdavis () IU EDU>
Date: Wed, 15 Jul 2009 10:40:28 -0400
I wanted to point out one particular post on the Treasury Institute's blog. The PCI Council has opened feedback on the PCI-DSS v1.2 as well as PA-DSS v1.2 standards. Now is the time for us (higher education) to make suggestions. You can find the blog post, as well as instructions on how to provide feedback to the Council, here: http://treasuryinstitute.org/blog/index.php?itemid=265

Sincerely,

--
Tom Davis, CISSP, CISM
Chief Information Security Officer
Information and Infrastructure Assurance
Office of the VP for Information Technology and CIO
Indiana University
https://informationsecurity.iu.edu/Tom_Davis

On Jun 26, 2009, at 2:12 PM, Brad Judy wrote:
I hadn't seen this topic discussed on either of these lists yet, so I thought I'd send out a note. Forgive me for the cross-post, but it's a topic right on the border of these discussion groups.

Earlier this month, MasterCard announced revised rules for PCI-DSS compliance. In particular, level 2 merchants are now required to have an external QSA (qualified security assessor) perform an annual ROC (report on compliance), rather than self-assess. Level 2 merchants are required to have their first ROC by the end of 2010.

All of this brings up speculation about the impact to merchants: will it motivate more outsourcing to get below level 2, how much financial burden does it bring, and how much non-compliance will it bring to light? Then there's the impact to assessors: how busy will QSAs be, will there be rapid growth in the QSA market, and will the quality of QSAs be impacted (assuming a lot of rookies are brought into play to cover the increased needs)?

For tracking PCI issues in higher ed, the Treasury Institute has a nice blog with an RSS feed option here: http://treasuryinstitute.org/blog/

Worth noting is this blog posting (linked from the above blog): http://blogs.verisign.com/securityconvergence/2009/06/the_final_word_on_mastercards.php which mentions that the MasterCard level 2 definition includes the level 2 definitions of other brands, meaning 50,000 American Express transactions puts you into level 2.

And never forget that it's all about what your bank expects of you. Make sure you know what level your bank considers you, and what they expect from you.

Brad Judy