Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations


From: "Bazeley, Joseph E." <bazeleje () MUOHIO EDU>
Date: Tue, 2 Aug 2011 14:01:39 -0400

Can you get them to use PCI DSS SAQ C instead?  SAQ D means that they're storing credit card numbers, which will make 
their PCI compliance effort require more resources and increase the likelihood of a breach leading to exposed credit 
card numbers and the associated notification.  If they don't have an extremely good reason to store those credit card 
numbers (and it needs to provide an associated benefit that outweighs the cost from doing so), they should quit storing 
them.

Regards,
Joe

Joe Bazeley
Information Security Officer
Miami University
Hoyt Hall 314
513-529-9252

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Self, Dennis
Sent: Tuesday, August 02, 2011 1:56 PM
To: SECURITY () listserv educause edu
Subject: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

Security Friends,

Have you developed a budget for PCI DSS SAQ D compliance for your bookstore operation in the recent past?  For my 
institution, the bookstore may be the only operation that cannot be reasonably remediated to qualify for SAQ A or B.  
If you are willing to share your budget, please respond offline.  Also please let me know if I may identify you and 
your institution to our administration.  Lastly, if you reverted back in technology to dial terminals as a solution, 
please let me know.

Kind regards,

Dennis Self
Director, IT Security & Compliance
Technology Services
Samford University
(205) 726-2692
