Educause Security Discussion mailing list archives

Re: PCI Compliance Policies


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Thu, 19 Jul 2007 13:41:50 -0400

If you haven't already, you may want to review some of the information
EDUCAUSE has available:

http://connect.educause.edu/term_view/PCI%2BDSS

If you have a copy of Information Security Policies Made Easy,
InformationShield (the publisher) has a PCI mapping available.

http://www.informationshield.com/PCIStandardPolicyMap.pdf

I've gone through the exercise of creating generic PCI policies purely for
the sake of compliance with PCI (at the request of a client).  Not something
I would recommend.  Better off identifying policy requirements within the
standard, mapping those requirements against your existing policies,
identifying gaps and then taking steps to fill those gaps.  That is a lot
easier said than done though.  :)

Here are a few university resources I found after a quick google search:

http://controller.nd.edu/policies-and-procedures/credit_card_support_program/PaymentCardPolicy.shtml

http://www.uiowa.edu/%7Efustreas/Credit%20Card%20Handling%20Policies%20and%20Procedures.pdf

http://www.security.duke.edu/pci.html


Also probably worth posting to the Policy and Law list.  Hope this helps!



-----Original Message-----
From: Brewer, Alex D [mailto:Brewerad () MONTEVALLO EDU]
Sent: Thursday, July 19, 2007 12:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance Policies

Doug,

The compliance is based on the number of transactions you process.
http://www.pcicomplianceguide.org/aboutpcicompliance.html


Alex Brewer
Network Specialist
University of Montevallo
Computer Services
205-665-8474
-----Original Message-----
From: Sandford, Doug [mailto:doug () UA EDU]
Sent: Thursday, July 19, 2007 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Compliance Policies

Has anyone developed policies related to the process of becoming PCI
compliant? Or perhaps links to some sources that have already been
developed? Not having to re-invent the wheel would speed the
certification process considerably.

Thanks in advance.....

Doug Sandford
University of Alabama
Office of Information Technology
