Educause Security Discussion mailing list archives

Re: PCI DSS and level 2 merchants


From: Tom Davis <tdavis () IU EDU>
Date: Wed, 15 Jul 2009 10:40:28 -0400

I wanted to point out one particular post on the Treasury Institute's
blog.  The PCI Council has opened feedback on the PCI-DSS v1.2 as well
as PA-DSS v1.2 standards.  Now is the time for us (higher education)
to make suggestions.  You can find the blog post, as well as
instructions on how to provide feedback to the Council, here:

http://treasuryinstitute.org/blog/index.php?itemid=265

Sincerely,

--
Tom Davis, CISSP, CISM
Chief Information Security Officer
Information and Infrastructure Assurance
Office of the VP for Information Technology and CIO
Indiana University
https://informationsecurity.iu.edu/Tom_Davis


On Jun 26, 2009, at 2:12 PM, Brad Judy wrote:

I hadn't seen this topic discussed on either of these lists yet, so I thought I'd send out a note.  Forgive me for the cross-post, but it's a topic right on the border of these discussion groups.

Earlier this month, MasterCard announced revised rules for PCI-DSS compliance.  In particular, level 2 merchants are now required to have an external QSA (qualified security assessor) perform an annual ROC (report on compliance), rather than self assess.  Level 2 merchants are required to have their first ROC by the end of 2010.

All of this brings up speculation about impact to merchants: will it motivate more outsourcing to get below level 2, how much financial burden does it bring, and how much non-compliance will it bring to light?  Then there's the impact to assessors: how busy will QSAs be, will there be rapid growth in the QSA market, and will the quality of QSAs be impacted (assuming a lot of rookies are brought into play to cover the increased needs)?

For tracking PCI issues in higher ed, the Treasury Institute has a nice blog with RSS feed option here: http://treasuryinstitute.org/blog/

Worth noting is this blog posting (linked from the above blog) - http://blogs.verisign.com/securityconvergence/2009/06/the_final_word_on_mastercards.php which mentions that the MasterCard level 2 definition includes the level 2 definitions of other brands, meaning 50,000 American Express transactions puts you into level 2.

And, never forget, that it's all about what your bank expects of you.  Make sure you know what level your bank considers you, and what they expect from you.

Brad Judy
