Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Date: Tue, 24 Apr 2012 10:13:49 -0700
Hi Dan,

Of course you could do something in 40 hours, but if that includes planning, fieldwork and reporting, I think the value it would add would be minimal. We have done several PCI reviews over the last few years, including governance and project management reviews of the PCI initiative and compliance reviews. They ranged from about 10 days to 40 days. I would be happy to set up a conference call with you to share with you what we covered. Also, I am going to an ISACA presentation on emerging PCI trends today and will share the presentation materials if you are interested.

cheers,
Jen

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lorenz, Eva [evalorenz () UNC EDU]
Sent: April-24-12 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

I agree that no solid review for PCIDSS can be done in a week. When I started on a PCIDSS review and focused just on the high-risk merchants (those that completed SAQ-D), I scheduled 3 hours to meet initially with every one of these merchants, and in several cases had follow-up meetings to go over workflow, environment and security controls. These meetings alone took more than 2 weeks, and I am not nearly done with the SAQ-D group and have not really started on the other groups. If you have done a PCI review previously and need to assess PCIDSS compliance on a focused area due to a recent change, you can probably complete a very focused review in 40 hours, but it will not cover all aspects of PCIDSS on the merchants in your environment.

Eva Lorenz, Ph.D., J.D., ITILv3F
ITS Security
UNC Chapel Hill

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Drew Perry [aperry () MURRAYSTATE EDU]
Sent: Tuesday, April 24, 2012 12:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

Do you mean from the ground up? Has your organization begun/completed PCI compliance previously? I'm at the Treasury Institute's PCI workshop this week and I can say, unless you have very few Merchant IDs, and they're all SAQ A or B, then no. You won't complete it in 40 hours. My colleagues at the University of Kentucky have been working toward PCI compliance for 4 years. They're about 85% done.

Sent from my phone.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

On Apr 24, 2012 12:31 PM, "Dan Sarazen" <dsarazen () brandeis edu> wrote:

Hi All,

I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable? Also, does anyone have a PCI DSS Audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706
Current thread:
- PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Drew Perry (Apr 24)
- Re: PCI DSS Review - 40 Hours? Lorenz, Eva (Apr 24)
- Re: PCI DSS Review - 40 Hours? Radford, Jennifer (Apr 24)
- Re: PCI DSS Review - 40 Hours? Lorenz, Eva (Apr 24)
- Re: PCI DSS Review - 40 Hours? Rich Graves (Apr 24)
- Re: PCI DSS Review - 40 Hours? Jon Young (Apr 24)
- Re: PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Michael Johnson (Apr 24)
- Re: PCI DSS Review - 40 Hours? Valdis Kletnieks (Apr 24)
- Re: PCI DSS Review - 40 Hours? Jon Young (Apr 25)
- Re: PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Brad Judy (Apr 24)
- Re: PCI DSS Review - 40 Hours? Drew Perry (Apr 24)
- Re: PCI DSS Review - 40 Hours? Marcum, Chad A (Apr 24)
- Re: PCI DSS Review - 40 Hours? Hugh Burley (Apr 26)
- <Possible follow-ups>
- Re: PCI DSS Review - 40 Hours? John Hoffoss (Apr 30)