Educause Security Discussion mailing list archives
Re: PCI DSS responses
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 12 Jun 2009 10:07:47 -0400
If you haven't checked them out, I highly recommend browsing the Educause resources on PCI-DSS - http://www.educause.edu/Resources/Browse/PCIDSS/33405 It includes papers and presentations from a number of schools on the topic, and links to resources like the Treasury Institute for Higher Education. Unfortunately, the conference presentation PowerPoints often lack a lot of the information discussed live in the session, but they usually have contact info for follow-up.

If you're just starting down the compliance road, I'd check out the recently updated doc on the prioritized approach to PCI DSS - https://www.pcisecuritystandards.org/education/prioritized.shtml

It's helpful to break down the requirements (and SAQs) by responsibility - financial department, central IT, departmental management/IT, external vendors (don't assume external vendors cover certain items; verify it with them). There will be areas of overlap and probably areas of debate. This is likely going to involve a lot of conversations about the degree of outsourcing and/or centralization of card processing. Each institution will have its own distribution of responsibility.

I think the keys for successful compliance are understanding the requirements themselves (the "Navigating PCI DSS" doc is great for this), identifying the scope, and understanding where responsibilities lie. While there may be a lot of work to accomplish after those steps, you'll be a lot more likely to put effort into the right places with a common institution-wide understanding (and hopefully consensus) on those points. Having a good working relationship with your bank and an ASV/QSA is very helpful, and a strong partnership between the financial and IT groups is critical. While "best effort" isn't the rule for compliance here, you can bet that the fine (and/or lawsuits) you'd receive after a breach will vary greatly based on the effort you put into card data security.

Oh, and when people get grumpy, just remind them that this isn't forced upon them; it's part of a contract that the institution chooses to sign to allow a certain type of business transaction to occur. They can always avoid the requirement entirely if they can do business without accepting credit card payments, or if they think the benefit is not worth the expense. :)

Brad Judy
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, June 11, 2009 4:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS responses

Hi Everyone,

Thanks for all the responses on and off list. For the last several years, our general stand on the DSS has been that adhering to it would be very costly and generally impractical, thus outsourcing combined with analog has been our method of choice. In that light, it was very informative to get so many responses from what institutions have been doing recently.

Generally, we heard from institutions that:
(a) never seriously considered adhering to the DSS due to perceived issues
(b) did an in-depth analysis and avoided DSS due to cost
(c) believe they are currently following the DSS

We haven't yet heard back additional details from some of the institutions who are following DSS. It would be interesting to get an idea for how all 40 pages of compliance requirements are being managed, and at what cost. This has to be the most challenging aspect of the DSS: unlike so many laws, "best effort" and "due diligence" simply aren't enough. It seems like an impressive feat to achieve such a compliance expectation in higher education.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873