Re: PCI Compliance Policies

[Curt Wilson <curtw () SIU EDU>]

What are other .edus doing in terms of staff resources for PCI
compliance? How are other security teams with limited staff handling the
demand of keeping up with existing work and dealing with everything else
that PCI brings to the table?

In the ideal environment much of the standard would have already been
applied, but I am not sure how many of us live in that ideal environment.

If someone is a level 4 vendor does that change the dates or
requirements? Or are they the same for everyone.

I will be doing some additional reading (RTFM) on this.

Thanks



Brad Judy wrote:
> We've been doing PCIDSS compliance actions for some time now, including
> quarterly scans from an approved vendor, annual self-assessment forms
> for each department, etc.
>
> We don't have a specific PCIDSS policy (although any systems that store
> CC#'s fall into our private data security policy) partially because, to
> me, it seems like any policy statement would end up saying "you must be
> compliant with applicable regulatory requirements".  As mentioned, it
> might be best to refer departments on campus to a combination of the
> direct PCI info and related existing campus policies.
>
> If you're new to this, the best place to start is with the currently
> applicable version of the PCIDSS standards (1.1), which can be found
> here:
>
> https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
>
> Then you can move on to the numerous supporting documents here:
>
> https://www.pcisecuritystandards.org/tech/supporting_documents.htm
>
> Most notable of which, IMO, are the audit procedures, which give some
> more detail on the requirements:
>
> https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
>
> And the self-assessment questionnaire, which someone in your school
> should already be filling out:
>
> https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf
>
> The above website also maintains the list of certified assessors and
> scanners.  Find ones that you feel comfortable with.
>
> Brad Judy
>
> IT Security Office
> University of Colorado at Boulder
>
> > -----Original Message-----
> > From: Sandford, Doug [mailto:doug () UA EDU]
> > Sent: Thursday, July 19, 2007 9:35 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] PCI Compliance Policies
> >
> > Has anyone developed policies related to the process of
> > becoming PCI compliant? Or perhaps links to some sources that
> > have already been developed? Not having to re-invent the
> > wheel would speed the certification process considerably.
> >
> > Thanks in advance.....
> >
> > Doug Sandford
> > University of Alabama
> > Office of Information Technology


--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc