Educause Security Discussion mailing list archives
Re: PCI Compliance Efforts
From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Date: Fri, 14 Oct 2011 16:05:11 -0700
Different universities may have different initial compliance deadlines depending on what is agreed with their individual acquirers. As a result, some areas may be in maintenance mode whilst other areas in the same institution are still trying to get initial compliance. As part of our compliance process, individual merchants were becoming compliant at different dates and therefore some of them were moving into maintenance mode whilst other areas were still working towards compliance.

In answer to your question though, I was talking about both: 1) becoming compliant and 2) maintaining a compliance status. Over this past year we have been developing an ongoing compliance program to help ensure we continue to manage our PCI related risks. So I was just wondering how other folks were faring with this task.

Cheers,
Jen

-----Original Message-----
From: John Ladwig [mailto:John.Ladwig () csu mnscu edu]
Sent: Friday, October 14, 2011 3:35 PM
To: Radford, Jennifer; SECURITY () LISTSERV EDUCAUSE EDU
Subject: RE: [SECURITY] PCI Compliance Efforts

I'm interested in why you speak of PCI compliance in the past tense; do you mean the effort of initially achieving compliance? If so, how's the ongoing compliance and self-assessment going? Several reports suggest that even Level one merchants face a backsliding tendency between ROC events. We have a boatload of Level four merchants, and pretty much all are struggling with first-compliance.

-jml

-----Original Message-----
From: Radford, Jennifer
Sent: 2011-10-14 16:54:07
To: Radford, Jennifer; The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: Re: [SECURITY] PCI Compliance Efforts

Hi Felecia,

I was thinking along the lines of whether people are actually fully compliant (overall for all merchants, i.e. for the institution), or (hopefully) substantially there.
We are a level 4 merchant with a mixture of SAQ A, B, C, and D levels and it was quite an effort to address PCI compliance requirements, so I am just wondering how PCI was for the rest of the Higher Ed world.

Cheers,
Jen

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Felecia Vlahos
Sent: Friday, October 14, 2011 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance Efforts

Jennifer,

Can you describe what you mean by "compliance efforts"? 1) Using a QSA, which ASV, project tools? Or 2) merchant level, #MIDs, submitted attestations, compliance status, etc.? For the set of questions in 2), this would be considered protected information, especially in a combined database.

Felecia Vlahos
ISO
SDSU

On Fri, 14 Oct 2011 14:08:35 -0700, Radford, Jennifer <jradford () intaudit ubc ca> wrote:

Hi,

I am trying to benchmark PCI compliance efforts across North American Higher Ed Institutions. I would be grateful if people could share their insights in this area.

Cheers,
Jenny

Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone: 604-822-6512 Fax: 604-822-9027
E-mail: Jradford () intaudit ubc ca
Web: www.intaudit.ubc.ca

The information contained in this e-mail message is strictly confidential and intended solely for the use of the designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.