Re: PCI DSS Review - 40 Hours?

[John Hoffoss <John.Hoffoss () SO MNSCU EDU>]

And if you ask more than one QSA, you'll get a variety of expert opinions to choose from!

If you're doing a PCI DSS review of an existing effort, and in one or two relatively constrained scopes, you can 
certainly get something put together that gets close. After all, a review for internal auditing purposes does not need 
the detail a QSA's attestation does. And as I'm hinting at above, QSAs all differ, because unfortunately PCI is still 
pretty much up to the individual interpreting the requirements. What satisfies one will not satisfy another. Focus 
instead on your PCI remediation efforts that realistically reduce the risk of breach, then go from there. Or rather, 
audit with that approach in mind--seek compliance to reduce risk, not to achieve compliance.

If you're trying to review *all* payment areas at an institution, you might want to either politely decline that 
request or suggest the time estimate be multiplied by 10 (to start) and put that on your next annual work plan.

Either way, it sounds like Jen's work plans may be useful for you, at least as a start.

-jth

On 24 Apr 2012, at 16:28 , Michael Johnson wrote:

Only a certified entity (QSA) can render expert opinion on satisfying the ROC.

There is also recommendation from the Council in various sections about separation of duties.
It requires a careful read.

Michael Johnson, CISSP, QSA, ASV
ComplyGuard Networks.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Sarazen
Sent: Tuesday, April 24, 2012 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?


Are you saying that nobody other than a formally certified pci compliance expert (consultant) should review, in anyway, 
pci controls?

On Apr 24, 2012 3:25 PM, "Jon Young" <jon () network-plumbers com<mailto:jon () network-plumbers com>> wrote:
If there is a breach at a member institution (I presume the audit is
for one of the consortium members), you have to assume that they will
be sued and the email you posted to this list will be found in
discovery.  That email will be a great find for the attorney who will
attempt to use it (I don't mean to suggest you aren't qualified, I
have no idea if you are and I'm certainly not qualified) as an
indication that you were not qualified (and knew it) to perform the
PCI DSS review and thus are liable for a portion of the damages.
My advice is to bring in someone who has done this before (perhaps a
list member has a suggestion of someone local? - we're local but we
don't do this) at least for some advice.
As others have pointed out, the scale is hugely relevant to the time
involved and the scale of your consortium members is widely divergent.

Good luck,
Jon Young
Senior Consultant
Vantage Technology Consulting Group

On Tue, Apr 24, 2012 at 12:21 PM, Dan Sarazen <dsarazen () brandeis edu<mailto:dsarazen () brandeis edu>> wrote:
> Hi All,
>
>
>
> I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s
> responsibly doable?
>
>
>
> Also, does anyone have a PCI DSS Audit plan?