Educause Security Discussion mailing list archives
Re: PCI DSS University-Wide Compliance
From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Wed, 30 Jan 2013 13:30:44 -0500
Hi Carlos,

I’ve completed a few reviews of PCI DSS compliance and I try to follow this process:

1. Have they completed their Self Assessment Questionnaire (and there are multiple types, based on the processing environment)? They must do so annually, and if they haven’t they can’t KNOW they are compliant.
2. If they have completed their SAQ, who completed it? Do they have visibility into ALL areas conducting PCI processing (Alumni, athletics, events, etc.)?
3. If they have completed their SAQ and identified areas where mitigating controls are required, who is following up on those changes to ensure they happen?
4. Does the campus have a process for reviewing existing PCI processing and approving new services or changes to existing processes?
5. Are these procedures publicized and employees trained on their practices?
6. Do you have a campus-wide Information Security Policy? This is a PCI DSS requirement, regardless of the processing environment.
7. Does the campus (or each decentralized area) have written PCI procedures for both electronic copies and hardcopies?
8. If you’ve identified your PCI DSS environments and segmented them you are allowed to submit a separate SAQ for each environment.

PCI DSS is a compliance quagmire. Most schools try to keep PCI DSS processing off their campus networks because, by having the activity on the campus network, the entire campus network comes into scope for PCI DSS.

Two resources:
https://www.pcisecuritystandards.org/security_standards/
http://pciguru.wordpress.com/

Good luck, and feel free to call my cell if you have specific questions.

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Wednesday, January 30, 2013 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: PCI DSS University-Wide Compliance

Hello All,

For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?

1. Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the University?
2. If individually, do you ONLY consider those transactions for compliance purposes?
3. How do you ensure/assure compliance for your University as a whole?

I would really appreciate any feedback I can get from experts, as Audit Committees have a tendency to ask basic compliance questions and request global assurance. I would also appreciate approaches used at your University to address global compliance assurance or other general opinions, comments, etc.

Carlos

Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT
PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278