Educause Security Discussion mailing list archives

Re: PCI DSS responses


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 12 Jun 2009 10:07:47 -0400

If you haven't checked them out, I highly recommend browsing the Educause
resources on PCI-DSS - http://www.educause.edu/Resources/Browse/PCIDSS/33405
It includes papers and presentations from a number of schools on the topic,
and links to resources like the Treasury Institute for Higher Education.
Unfortunately, the conference presentation PowerPoints often lack a lot of
the information discussed live in the session, but they usually have contact
info for follow-up.

If you're just starting down the compliance road, I'd check out the recently
updated doc on prioritized approach to PCI DSS -
https://www.pcisecuritystandards.org/education/prioritized.shtml

It's helpful to break down the requirements (and SAQs) by responsibility -
financial department, central IT, departmental management/IT, external
vendors (don't assume external vendors cover certain items, verify it with
them).  There will be areas of overlap and probably areas of debate.  This
is likely going to involve a lot of conversations about the degree of
outsourcing and/or centralization of card processing.  Each institution will
have its own distribution of responsibility.

I think the keys for successful compliance are understanding the requirements
themselves (the "Navigating PCI DSS" doc is great for this), identifying the
scope, and understanding where responsibilities lie.  While there may be a
lot of work to accomplish after those steps, you'll be a lot more likely to
put effort into the right places with a common institution-wide
understanding (and hopefully consensus) on those points.  Having a good
working relationship with your bank and an ASV/QSA is very helpful, and a
strong partnership between the financial and IT groups is critical.

While "best effort" isn't the rule for compliance here, you can bet that the
fine (and/or lawsuits) you'd receive after a breach will vary greatly based
on effort you put into card data security.

Oh, and when people get grumpy, just remind them that this isn't forced upon
them, it's part of a contract that the institution chooses to sign to allow
a certain type of business transaction to occur.  They can always avoid the
requirement entirely if they can do business without accepting credit card
payments, or if they think the benefit is not worth the expense.  :)

Brad Judy


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Thursday, June 11, 2009 4:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS responses

Hi Everyone,

 Thanks for all the responses on and off list.

 For the last several years, our general stand on the DSS has been that
adhering to it would be very costly and generally impractical, thus
outsourcing combined with analog has been our method of choice. In that
light, it was very informative to get so many responses from what
institutions have been doing recently.

 Generally, we heard from institutions that:
   (a) never seriously considered adhering to the DSS due to perceived issues
   (b) did an in-depth analysis and avoided DSS due to cost
   (c) believe they are currently following the DSS

 We haven't yet heard back additional details from some of the institutions
who are following DSS. It would be interesting to get an idea for how all 40
pages of compliance requirements are being managed, and at what cost. This
has to be the most challenging aspect of the DSS: unlike so many laws, "best
effort" and "due diligence" simply aren't enough. It seems like an impressive
feat to achieve such a compliance expectation in higher education.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873