Educause Security Discussion mailing list archives

Re: PCI


From: "Penn, Blake" <pennb () UWW EDU>
Date: Wed, 4 Oct 2006 10:47:30 -0500

I have not heard of any universities being fined for non-compliance yet -
but who on Earth would want to publicize such information?  Visa is only
going to fine an institution when it both 1) discovers a breach and 2) when
the institution is in a state of non-compliance during said breach.  Even if
a breach actually occurs, an institution may choose not to report it
(although the practice of sweeping such incidents under the rug is probably
changing now due to the proliferation of state breach disclosure laws).

The chances of experiencing a breach of this information are, IMHO, very low
compared to the other sources of potential data breach on campus.  Just
think about it; a centralized, hardened, access-controlled,
process-documented and closely monitored payment database versus a
departmental Excel spreadsheet with student names and SSNs floating God
knows where and with whom around your institution - which is really going to
be a more likely point of data breach?

Being anywhere near compliance with the PCI DSS in most cases and in most
environments is going to mitigate your risk down to a very acceptable level
- again these standards are from the financial sector which has far stricter
security standards than almost all other sectors.  So even if you are not in
strict compliance, preventing an incident will likely go far to protect you
against fines and other penalties.  That being said, we aim for full
compliance here and I think that it is a good goal for most institutions to
do so.

Switching gears, version 1.1 of the standards is out at their website
(https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf) and the new
version does contain a handful of non-trivial changes for those wanting to
keep on top of this issue.

____________________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-7792 (f) 262-472-1285
pennb () uww edu | http://www.uww.edu/security/


-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, October 04, 2006 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

Hi:

I have been asked to look into PCI (credit card) compliance for my
university.  I was wondering if anyone knew of documented cases where
institutions of higher learning have been fined by VISA for non-compliance.

Thanks,
-Kevin


Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu




CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential,
intended solely for the addressee, and may be legally privileged. Access to
this message and its content by any individual or entity other than those
identified in this message is unauthorized. If you are not the intended
recipient, any disclosure, copying or distribution of this e-mail may be
unlawful. Any action taken or omitted due to the content of this message is
prohibited and may be unlawful.
