Educause Security Discussion mailing list archives

Re: PCI DSS Review - 40 Hours?


From: "Radford, Jennifer" <jradford () INTAUDIT UBC CA>
Date: Tue, 24 Apr 2012 10:13:49 -0700

Hi Dan,

Of course you could do something in 40 hours, but if that includes planning, fieldwork and reporting, I think the value 
it would add would be minimal.

We have done several PCI reviews over the last few years, including governance and project management reviews of the PCI 
initiative and compliance reviews. They ranged from about 10 days to 40 days.

I would be happy to set up a conference call with you to share with you what we covered. Also, I am going to an ISACA 
presentation on emerging PCI trends today and will share the presentation materials if you are interested.

cheers,
Jen

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lorenz, Eva 
[evalorenz () UNC EDU]
Sent: April-24-12 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

I agree that no solid review for PCI DSS can be done in a week. When I started on a PCI DSS review and focused just on 
the high-risk merchants (those that completed SAQ-D), I scheduled 3 hours to meet initially with every one of these merchants 
and in several cases had follow-up meetings to go over workflow, environment and security controls.

These meetings alone took more than 2 weeks and I am not nearly done with the SAQ-D group and have not really started 
on the other groups.

If you have done a PCI review previously and need to assess PCI DSS compliance in a focused area due to a recent change, 
you can probably complete a very focused review in 40 hours, but it will not cover all aspects of PCI DSS for the merchants 
in your environment.


Eva Lorenz, Ph.D., J.D., ITILv3F
ITS Security
UNC Chapel Hill
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Drew Perry 
[aperry () MURRAYSTATE EDU]
Sent: Tuesday, April 24, 2012 12:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?


Do you mean from the ground up? Has your organization begun/completed PCI compliance previously? I'm at the Treasury 
Institute's PCI workshop this week and I can say, unless you have very few Merchant IDs, and they're all SAQ A or B, 
then no. You won't complete it in 40 hours. My colleagues at the University of Kentucky have been working toward PCI 
compliance for 4 years. They're about 85% done.

Sent from my phone.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

On Apr 24, 2012 12:31 PM, "Dan Sarazen" <dsarazen () brandeis edu> wrote:
Hi All,

I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable?

Also, does anyone have a PCI DSS Audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell:  781-296-4444
Fax:   781-736-8706

