Educause Security Discussion mailing list archives
Re: Budget for PCI DSS SAQ D for Bookstore Operations
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Mon, 8 Aug 2011 14:50:30 -0500
A good point. Perhaps an example would be helpful. We've had a number of campus bookstore merchants move from val-type-5 (SAQ-D) to val-type-3 (SAQ-B) by changing operational practice from swiping cards through a bookstore POS which would otherwise store PANs after authorization, and instead install and use dialout POTS terminals (on Centrex lines, not internal PBX lines), changing the bookstore's PCI compliance obligations. It seems like (and several QSAs have opined that) tokenization-enabled POS systems should qualify for val-type 4, SAQ-C, notably less onerous than SAQ-D, as they do not store PANs after authorization. Larry Carlson's recommendations about sanitization of PANs in your cardholder data environment (CDE) would be good practice post-conversion, but not sufficient unless the behavior or use of the POS system was *also* changed.

-jml
Blake Penn <BPenn () TRUSTWAVE COM> 2011-08-08 13:06 >>>
It is important to keep in mind that the different SAQs correspond to different levels of VALIDATION (as opposed to compliance). Your advice sounds reasonable, but some in this audience might misinterpret "de-scoping" as applying to compliance rather than validation. De-scoping compliance requirements and de-scoping validation requirements are two completely different things.

Blake Penn CISSP, MCSE, MCSD, MCDBA, QSA
Principal Consultant
Trustwave
bpenn () trustwave com
+1 (678) 685-1277
http://www.trustwave.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carson, Larry
Sent: Friday, August 05, 2011 10:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

I would recommend descoping to SAQ C, if at all possible. This may mean updating data stores in a DB, sanitising (possibly even destroying) backups and logs, sanitising email stores, etc. Just keep a record of all items sanitised, as it is a good record of your descoping exercise.

WRT tracking compliance: spreadsheets, lots of them, but we're considering a GRC solution to keep our sanity.

Larry
---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Aug 05 05:18:21 2011
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A 340 row Lovecraftian spreadsheet which causes those who stare into its depths to gibber in unholy madness.

We call it The Beast. The 40+ columns track a lot of things, none of which are on any SAQ: vendors, manufacturers, contract language status, versions, validation types, concessionaires, CDE segmentation status, SAQ completion dates... About row 200 I realized this was a database problem, but our development staff is limited.

-jml

-----Original Message-----
From: Doug Markiewicz - EDUCAUSE
Sent: 2011-08-05 06:48:02
To: Doug Markiewicz - EDUCAUSE; The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

We are working with Trustwave to provide an online portal to track all information, scans, provide and track training, do external scans, fill out SAQs, etc.
I'm curious how others are organizing all their PCI compliance data, tracking training, etc. Manually? Through a software package or service provider?