Educause Security Discussion mailing list archives

Re: PCI compliance


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Wed, 26 Mar 2008 06:42:01 -0700

Lee,

Here are a couple of guidance documents that are available on the site
that Ken references below, but are the most helpful as a "quick list".
We do a lot of assistance with prepping an organization for PCI
Compliance, due to the work we do with other compliance exercises.  (PCI
ends up following the same "industry best practices" that FERPA, HIPAA,
FISMA, and all the others provide.)  In order to maintain our
independence, we partner with ControlCase to act as the external
auditor, as ControlCase is a Qualified Security Assessor.

So, let me tell you what I have attached:

1)  https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf

These are the self assessment questions.  Just an FYI, if you have
questions about filling this out, let me know.  Also, don't panic if you
don't have everything.  We often end up finding compensating controls to
cover some items.

2)  https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

These are the audit procedures that will be used by the assessor when
they arrive on site.  Again, there are some opportunities for
compensating controls.

I hope this helps, and please feel free to call/email if you have any
other questions.  (I have a copy of the audit procedures in Word format
that can be edited, if you need it.  The one posted online is
protected.)

Regards,

Sarah Stevens
Stevens Technologies
(704) 625-8842 x500

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Wednesday, March 26, 2008 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance

https://www.pcisecuritystandards.org/ is the official source.
Everything (and more) that you need to know can be found there.

- ken

Lee Weers wrote:

We discovered a department on campus that is still processing credit
cards, and I am looking for a contact who would be willing to discuss
the steps we need to perform to become PCI compliant.  I am looking for
the questions we need to ask of the department, and then the initial
basic steps we need to perform now, until we get all of the
documentation found and filled out.

Thank you,
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675


-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
