Educause Security Discussion mailing list archives

Re: PCI Responsability


From: Carlos S Lobato <clobato () NMSU EDU>
Date: Fri, 6 Apr 2018 19:28:11 +0000

At New Mexico State University, we have an official University Board called the PCI DSS Compliance Committee with 
representatives from Controller, Treasury, Merchants (including University Accounts Receivable) and IT representatives 
from Networking, Applications, Systems and Security.  I am the chair of the committee, and the committee reports 
progress annually to the Chancellor of the University.  This works very well, has backing from Executive Administration, 
and compliance is taken seriously.

In my opinion, I don’t think it is a good idea to have Finance or IT solely own it.  You need the actual merchants involved, as 
they have to operate according to PCI DSS requirements, and once they understand the requirements they will implement 
them.  This is working very well for us.

Carlos

Carlos S. Lobato, CISSP, CISA, CIA, CPA
IT Compliance Officer (Chief Privacy Officer)

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003-8001

Phone: 575-646-5902
Fax: 575-646-5278

Email: clobato () nmsu edu
IT Compliance at NMSU - https://itcompliance.nmsu.edu/

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Lazarus, Carolann
Sent: Friday, April 6, 2018 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Responsability

Same here – IT advises (both security and technical); Controller and Financial Management under the VP Finance has 
ultimate responsibility.  We have a PCI compliance group that will soon morph into a standing PCI Compliance Committee 
that will have oversight responsibilities.

Carolann Lazarus
716-829-6947
lazarus () buffalo edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ken Connelly
Sent: Friday, April 6, 2018 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Responsability

IT Security advises on the technical aspects but the responsibility for compliance lies under the VP for Finance and 
Operations, specifically Business Operations and Cashiers offices.

- ken
On 4/6/18 10:18 AM, Ronald King wrote:
Good morning colleagues,

I wanted to reach out to you to ask what division or department in your institution is ultimately accountable for PCI 
compliance. Is it your IT, Finance or another department/division? Why?

Do you have a dedicated employee, contractor or team overseeing compliance to PCI?

As always, feel free to reach me directly.

Thank you and have a great weekend!
Ron
Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>



--

- Ken

=================================================================
Ken Connelly                       Director, Information Security
Information Security Officer          University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!
