Educause Security Discussion mailing list archives

Re: PCI Compliance Efforts


From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Date: Fri, 14 Oct 2011 16:05:11 -0700

Different universities may have different initial compliance deadlines depending on what is agreed with their 
individual acquirers.  As a result, some areas may be in maintenance mode whilst other areas in the same institution 
are still trying to get initial compliance.   As part of our compliance process, individual merchants were becoming 
compliant at different dates and therefore some of them were moving into maintenance mode whilst other areas were still 
working towards compliance.

In answer to your question though, I was talking about both, 1). Becoming compliant and 2) maintaining a compliance 
status. Over this past year we have been developing an ongoing compliance program to help ensure we continue to manage 
our PCI related risks.   So I was just wondering how other folks were fairing with this task.

Cheers,

Jen

-----Original Message-----
From: John Ladwig [mailto:John.Ladwig () csu mnscu edu] 
Sent: Friday, October 14, 2011 3:35 PM
To: Radford, Jennifer; SECURITY () LISTSERV EDUCAUSE EDU
Subject: RE: [SECURITY] PCI Compliance Efforts

I'm interested in why you speak of PCI compliance in the past tense; do you mean the effort of initially achieving 
compliance?

If so, how's the ongoing compliance and self-assessment going?  Several reports suggest that even Level one merchants 
face a backsliding tendency between ROC events.

We have a boatload of Level four merchants, and pretty much all are struggling with first-compliance. 

    -jml 


-----Original Message-----
From: Radford, Jennifer
Sent: 2011-10-14 16:54:07
To: Radford, Jennifer;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: Re: [SECURITY] PCI Compliance Efforts


Hi Felecia,

I was thinking along the lines of whether people are actually fully compliant (overall for all merchants, i.e. for the 
institution), or (hopefully) substantially there.  We are a level 4 merchant with a mixture of SAQ A, B, C, and D 
levels and it was quite an effort to address PCI compliance requirements so I am just wondering how PCI was for the 
rest of the Higher ed world.

Cheers,
Jen

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Felecia 
Vlahos
Sent: Friday, October 14, 2011 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Compliance Efforts

Jennifer,

Can you describe what you mean by "compliance efforts"?  1) Using a QSA, which ASV, project tools?  Or 2) merchant 
level, #MIDs, submitted attestations, compliance status, etc.?

For the set of questions in 2), this would be considered protected information, especially in a combined database.

Felecia Vlahos
ISO SDSU

On Fri, 14 Oct 2011 14:08:35 -0700, Radford, Jennifer <jradford () intaudit ubc ca<mailto:jradford () intaudit ubc ca>> 
wrote:

Hi,

I am trying to benchmark PCI compliance efforts across north American Higher Ed Institutions. I would be grateful if 
people could share their insights in this area.

Cheers,

Jenny

Jennifer Radford, Senior IT Audit Manager Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone:  604-822-6512
Fax:  604-822-9027
E-mail:  Jradford () intaudit ubc ca<mailto:Jradford () intaudit ubc ca>
Web:  www.intaudit.ubc.ca<http://www.intaudit.ubc.ca>
The information contained in this e-mail message is strictly confidential and intended solely for the use of the 
designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and 
may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to 
inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.


Current thread: