Educause Security Discussion mailing list archives
Re: PCI
From: "Penn, Blake" <pennb () UWW EDU>
Date: Wed, 4 Oct 2006 10:47:30 -0500
I have not heard of any universities being fined for non-compliance yet - but who on Earth would want to publicize such information? Visa is only going to fine an institution when it both 1) discovers a breach and 2) finds the institution in a state of non-compliance during said breach. Even if a breach actually occurs, an institution may choose not to report it (although the practice of sweeping such incidents under the rug is probably changing now due to the proliferation of state breach disclosure laws).

The chances of experiencing a breach of this information are, IMHO, very low compared to the other sources of potential data breach on campus. Just think about it: a centralized, hardened, access-controlled, process-documented and closely monitored payment database versus a departmental Excel spreadsheet with student names and SSNs floating God knows where and with whom around your institution - which is really going to be a more likely point of data breach?

Being anywhere near compliance with the PCI DSS in most cases and in most environments is going to mitigate your risk down to a very acceptable level - again, these standards are from the financial sector, which has far stricter security standards than almost all other sectors. So even if you are not in strict compliance, preventing an incident will likely go far to protect you against fines and other penalties. That being said, we aim for full compliance here and I think that it is a good goal for most institutions.

Switching gears, version 1.1 of the standards is out at their website (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf) and the new version does contain a handful of non-trivial changes for those wanting to keep on top of this issue.
____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, October 04, 2006 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance for my university. I was wondering if anyone knew of documented cases where institutions of higher learning have been fined by VISA for non-compliance.

Thanks,
-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.
Current thread:
- PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- <Possible follow-ups>
- Re: PCI Valdis Kletnieks (Oct 04)
- Re: PCI Theresa M Rowe (Oct 04)
- Re: PCI Conor McGrath (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Penn, Blake (Oct 04)
- Re: PCI Brad Judy (Oct 04)
- Re: PCI Jim Dillon (Oct 04)
- Re: PCI Mclaughlin, Kevin L (mclaugkl) (Oct 04)
- Re: PCI Steve Lovaas (Oct 05)