Educause Security Discussion mailing list archives
Fw: PCI Compliance Policies
From: Nick Fasano <Nick_Fasano () RAPID7 COM>
Date: Thu, 19 Jul 2007 13:53:07 -0400
As a PCI vendor, I do not want to promote my services or my organization but I think information is key. Rapid7 LLC is an ASV (Authorized Scanning Vendor) for PCI compliance. The PCI security council requires vendors to standardize their services around PCI and pass some serious test in the MasterCard Security Lab in Europe.

There are some very basic requirements that merchants need to follow that take card data:

1. Quarterly vulnerability scans performed by an ASV.
2. Annual Penetration test performed by a third party vendor.

Your qtrly scans need to follow the PCI standard templates and are provided to your Acquiring Bank or processor. The ASV is required to provide this data to you (as a merchant) as well.

Rapid7 offers 2 types of services around PCI.

1. Is a managed service approach with Professional Services running the quarterly scans.
2. A self service portal that a merchant can run the third party scans on their own: pci.rapid7.com

Nick Fasano
Rapid7 LLC
617 247 1717 Office
857 288 7411 Direct IP Phone
866 7 RAPID7 (866 772 7437)
781 640 7945 Mobile
617 507 6488 Fax
nick_fasano () rapid7 com
http://www.rapid7.com/pressreleases/carnegiemellon.jsp
NeXpose - Winner of SC Magazine Awards "Best Vulnerability Management" Product of 2007.

----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM -----

Theresa M Rowe <rowe () OAKLAND EDU>
07/19/2007 01:30 PM
Please respond to rowe

To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: PCI Compliance Policies

The date doesn't appear on the PCI site, but our bank and other orgs are giving this date -

For example
http://www.gfi.com/security/pci.htm
Furthermore, PCI DSS compliance needs to be achieved by September, 2007 – this is the deadline posed by credit card companies. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data.

http://searchsmb.bitpipe.com/detail/RES/1178314942_651.html
Most retailers and solutions providers believe that September, 2007 will be the true deadline after which Visa will begin levying fines on acquirers whose merchants who are not compliant with the standard.

---- Original message ----
Date: Thu, 19 Jul 2007 12:20:04 -0500
From: Roger Safian <r-safian () northwestern edu>
Subject: Re: [SECURITY] PCI Compliance Policies
To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:
> Is ANYONE going to be compliant by the September deadline?? Did you use a consultant to get there?

What is the September deadline? I thought compliance was supposed to start on 1/1/06?

FWIW, we're still working on compliance...it's pretty time consuming.

--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice) (847) 467-6500 (Fax)
"You're never too old to have a great childhood!"

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
Attachment:
PCI Compliance Flyer.pdf