Re: PCI DSS Review - 40 Hours?

[Dan Sarazen <dsarazen () BRANDEIS EDU>]

Are you saying that nobody other than a formally certified pci compliance
expert (consultant) should review, in anyway, pci controls?
On Apr 24, 2012 3:25 PM, "Jon Young" <jon () network-plumbers com> wrote:

> If there is a breach at a member institution (I presume the audit is
> for one of the consortium members), you have to assume that they will
> be sued and the email you posted to this list will be found in
> discovery.  That email will be a great find for the attorney who will
> attempt to use it (I don't mean to suggest you aren't qualified, I
> have no idea if you are and I'm certainly not qualified) as an
> indication that you were not qualified (and knew it) to perform the
> PCI DSS review and thus are liable for a portion of the damages.
> My advice is to bring in someone who has done this before (perhaps a
> list member has a suggestion of someone local? - we're local but we
> don't do this) at least for some advice.
> As others have pointed out, the scale is hugely relevant to the time
> involved and the scale of your consortium members is widely divergent.
>
> Good luck,
> Jon Young
> Senior Consultant
> Vantage Technology Consulting Group
>
> On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu>
> wrote:
> > Hi All,
> >
> >
> >
> > I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think
> that’s
> > responsibly doable?
> >
> >
> >
> > Also, does anyone have a PCI DSS Audit plan?
> >
> >
> >
> > Many Thanks!
> >
> >
> >
> > Dan Sarazen
> >
> > Senior IT Auditor
> >
> > The Boston Consortium for Higher Education
> >
> > Brandeis University, Mailstop 110
> >
> > Phone: 781-736-8703
> >
> > Cell:     781-296-4444
> >
> > Fax:     781-736-8706