Educause Security Discussion mailing list archives
Re: Budget for PCI DSS SAQ D for Bookstore Operations
From: "Carson, Larry" <larry.carson () UBC CA>
Date: Mon, 8 Aug 2011 13:03:07 -0700
The de-scoping exercise starts with a review of your business processes to determine if you truly need to store PAN data. Should you determine that it's not necessary, then you need to redesign your business processes and then sanitize your DBs, systems and backups of all stored PAN data.

We started with 15 merchants, all certain that they needed to store PAN data and all categorised as SAQ-D; when we discussed the costs of compliance as a SAQ-D merchant, and what each would be responsible for, 13 of the merchants found ways to de-scope (with assistance from our QSA) to SAQ-C or lower. In the end we had only two merchants that had a strong business case to be SAQ-D, and those 2 went through major architectural redesigns of their business processes and technological solutions in order to further limit which components would be in-scope for their SAQ-D process. By doing that they were able to segment sections of their processes to SAQ-C, with the approval of the QSA and the acquirer.

At the end of the day you will always need sign-off from your acquirer on these scope-reduction and/or limitation exercises, and it is in this capacity that your QSA should help you craft the email request to the acquirer (as well as the underlying process) in order to give you the highest chance of obtaining their approval in writing.

Regards,
Larry Carson
Associate Director, Information Security Management, UBC

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
Sent: August-08-11 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A good point. Perhaps an example would be helpful.

We've had a number of campus bookstore merchants move from val-type-5 (SAQ-D) to val-type-3 (SAQ-B) by changing operational practice from swiping cards through a bookstore POS, which would otherwise store PANs after authorization, to installing and using dialout POTS terminals (on Centrex lines, not internal PBX lines), changing the bookstore's PCI compliance obligations.

It seems like (and several QSAs have opined that) tokenization-enabled POS systems should qualify for val-type 4, SAQ-C, notably less onerous than SAQ-D, as they do not store PANs after authorization.

Larry Carson's recommendations about sanitization of PANs in your cardholder data environment (CDE) would be good practice post-conversion, but not sufficient unless the behavior or use of the POS system was *also* changed.

-jml
Blake Penn <BPenn () TRUSTWAVE COM> 2011-08-08 13:06 >>>

It is important to keep in mind that the different SAQs correspond to different levels of VALIDATION (as opposed to compliance). Your advice sounds reasonable, but some in this audience might misinterpret "de-scoping" as applying to compliance rather than validation. De-scoping compliance requirements and de-scoping validation requirements are two completely different things.

Blake Penn CISSP, MCSE, MCSD, MCDBA, QSA
Principal Consultant
Trustwave
bpenn () trustwave com
+1 (678) 685-1277
http://www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not necessarily reflect the opinions of Trustwave.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carson, Larry
Sent: Friday, August 05, 2011 10:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

I would recommend descoping to SAQ C, if at all possible. This may mean updating data stores in a DB, sanitising (possibly even destroying) backups and logs, sanitising email stores, etc. Just keep a record of all items sanitised, as it is a good record of your descoping exercise.

WRT tracking compliance: spreadsheets, lots of them, but we're considering a GRC solution to keep our sanity.

Larry
---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Aug 05 05:18:21 2011
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A 340 row Lovecraftian spreadsheet which causes those who stare into its depths to gibber in unholy madness. We call it The Beast. The 40+ columns track a lot of things, none of which are on any SAQ: vendors, manufacturers, contract language status, versions, validation types, concessionaires, CDE segmentation status, SAQ completion dates... About row 200 I realized this was a database problem, but our development staff is limited.

-jml

-----Original Message-----
From: Doug Markiewicz - EDUCAUSE
Sent: 2011-08-05 06:48:02
To: Doug Markiewicz - EDUCAUSE; The EDUCAUSE Security Constituent Group Listserv
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

We are working with Trustwave to provide an online portal to track all information, scans, provide and track training, do external scans, fill out SAQs, etc. I'm curious how others are organizing all their PCI compliance data, tracking training, etc. Manually? Through a software package or service provider?
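Editor's added example (not code from any poster in this thread): Larry Carson's de-scoping advice above turns on finding every place a PAN is still stored (DB exports, log files, backups, mail stores) and keeping a record of what was sanitised. The script below shows the usual first pass over a text dump: it finds 13-19 digit candidates, keeps only those that pass the Luhn check, and rewrites them in PCI DSS masked form (first six and last four digits), returning the masked values for the de-scoping record so the record itself never holds a full PAN. The log lines are constructed for the example; the card numbers in them are the well-known industry test numbers, not real accounts.

```python
"""Locate Luhn-valid PAN candidates in a text dump and mask them.

Added illustration for the de-scoping discussion; not from any poster.
The sample log below is constructed for this example.
"""
import re
from typing import Callable, List, Tuple

# A candidate is 13-19 digits, optionally separated by single spaces or
# dashes, with no digit immediately before or after it. Longer digit runs
# (e.g. a 20-digit transaction id) are deliberately not matched at all.
_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: keep first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(raw: str) -> str:
    """Strip the separators the candidate regex allows."""
    return re.sub(r"[ -]", "", raw)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def sanitize(text: str) -> Tuple[str, List[str]]:
    """Replace every Luhn-valid candidate with its masked form.

    Returns (rewritten_text, masked_values). The masked list is what goes
    into the de-scoping record; the full PAN is never kept.
    """
    record: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        digits = _normalise(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)       # leave non-PAN digit strings untouched
        masked = mask_pan(digits)
        record.append(masked)
        return masked

    return _CANDIDATE.sub(_sub, text), record


# Constructed sample: a POS log with a test Visa, a test Amex, an order id,
# a phone number and a Luhn-invalid digit string that must be left alone.
SAMPLE_LOG = """\
2011-08-05 09:12:01 order=1234567890123 cust=jdoe amount=41.20
2011-08-05 09:12:02 auth card=4111 1111 1111 1111 result=APPROVED
2011-08-05 09:12:03 refund card=378282246310005 result=OK
2011-08-05 09:12:04 phone=604-822-0773 note=callback
2011-08-05 09:12:05 bad card=4111111111111112 result=DECLINED
"""

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_LOG):
        print(f"PAN at offset {offset}: {mask_pan(pan)}")
    cleaned, masked = sanitize(SAMPLE_LOG)
    print(cleaned)
    print("sanitised:", masked)
```

Usage note: the Luhn filter removes most random digit strings but not all (roughly one in ten will pass), so hits still need a human look before a store is declared in or out of scope; conversely a zero-hit run over a compressed backup or a binary mailbox proves nothing until the content has been extracted to text first. A hit in a log or mail store means that system is in the CDE until the data is gone and the process that wrote it there is changed, which is John Ladwig's point above.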