Educause Security Discussion mailing list archives

Re: PCI DSS Review - 40 Hours?


From: "Marcum, Chad A" <cmarcum () IU EDU>
Date: Tue, 24 Apr 2012 23:22:07 +0000

In 40 hours, I think I would try to figure out how many locations take credit cards and how they take them (analog terminal, wifi terminal, Ethernet terminal, computer with a web browser, ...). Then find out how many transactions a year your institution does, and whether they are all under one MID.

That should let you know which merchant level you are and which SAQ you need to fill out. There is still plenty more work to do, though. The PCI SSC has a prioritized approach to PCI that is a good read, and reviewing the PCI DSS itself never hurts.

I'm happy to chat more off list, if you like.

Also as part of my two cents, I'd say don't let the non-edu members of the forum scare you with RoC and AoC talk.

Chad

Sent from my iPad

On Apr 24, 2012, at 12:31 PM, "Dan Sarazen" <dsarazen () BRANDEIS EDU> wrote:

Hi All,

I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable?

Also, does anyone have a PCI DSS Audit plan?

Many Thanks!

Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706

