Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Tue, 24 Apr 2012 17:11:21 +0000
I agree that no solid review for PCI DSS can be done in a week. When I started on a PCI DSS review and focused just on the high-risk merchants (those that completed SAQ-D), I scheduled 3 hours to meet initially with every one of these merchants and in several cases had follow-up meetings to go over workflow, environment and security controls. These meetings alone took more than 2 weeks, and I am not nearly done with the SAQ-D group and have not really started on the other groups. If you have done a PCI review previously and need to assess PCI DSS compliance on a focused area due to a recent change, you can probably complete a very focused review in 40 hours, but it will not cover all aspects of PCI DSS on the merchants in your environment.

Eva Lorenz, Ph.D., J.D., ITILv3F
ITS Security
UNC Chapel Hill

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Drew Perry [aperry () MURRAYSTATE EDU]
Sent: Tuesday, April 24, 2012 12:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

Do you mean from the ground up? Has your organization begun/completed PCI compliance previously?

I'm at the Treasury Institute's PCI workshop this week and I can say, unless you have very few Merchant IDs, and they're all SAQ A or B, then no. You won't complete it in 40 hours. My colleagues at the University of Kentucky have been working toward PCI compliance for 4 years. They're about 85% done.

Sent from my phone.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

On Apr 24, 2012 12:31 PM, "Dan Sarazen" <dsarazen () brandeis edu> wrote:

Hi All,

I've been asked to conduct a PCI DSS review in 40 hours. Anyone think that's responsibly doable? Also, does anyone have a PCI DSS audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706
Current thread:
- PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Drew Perry (Apr 24)
- Re: PCI DSS Review - 40 Hours? Lorenz, Eva (Apr 24)
- Re: PCI DSS Review - 40 Hours? Radford, Jennifer (Apr 24)
- Re: PCI DSS Review - 40 Hours? Lorenz, Eva (Apr 24)
- Re: PCI DSS Review - 40 Hours? Rich Graves (Apr 24)
- Re: PCI DSS Review - 40 Hours? Jon Young (Apr 24)
- Re: PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Michael Johnson (Apr 24)
- Re: PCI DSS Review - 40 Hours? Valdis Kletnieks (Apr 24)
- Re: PCI DSS Review - 40 Hours? Jon Young (Apr 25)
- Re: PCI DSS Review - 40 Hours? Dan Sarazen (Apr 24)
- Re: PCI DSS Review - 40 Hours? Brad Judy (Apr 24)
- Re: PCI DSS Review - 40 Hours? Drew Perry (Apr 24)
- Re: PCI DSS Review - 40 Hours? Marcum, Chad A (Apr 24)
- Re: PCI DSS Review - 40 Hours? Hugh Burley (Apr 26)