Educause Security Discussion mailing list archives

Re: PCI DSS University-Wide Compliance


From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Wed, 30 Jan 2013 18:29:52 +0000

We have independent questionnaires from all merchants that roll up into university-wide questionnaires (only these end 
up being accessible to outside parties). We have split up merchants based on payment gateway and means of accepting 
credit cards (POS versus SAQ-D).

Ideally, we try to meet with each merchant individually, but staff resources are an issue. I have 30% time allocated to 
compliance in general (not just PCI DSS) and when I was tossed into PCI compliance, it took me a couple of months just to 
meet individually with SAQ-D merchants and analyze what we had on campus. Needless to say, that cannot be repeated each 
year without sacrificing other projects.

I think SAQ-A and SAQ-B can be summarized more easily than SAQ-D because our SAQ-D merchants have a multitude of software 
solutions, payment gateways etc. So I hope to get additional staff to work with these merchants and do annual visits re 
compliance. I would not want to assess SAQ-D compliance without looking at each individual questionnaire from merchants 
and reserving time to call and discuss issues. We simply have too much variety to simply answer a university 
questionnaire without relying on individual questionnaires. One battle I am fighting is the desire that I provide 
answers to specific sections, and I have been resistant to doing that because I don't want any changes to slide through 
because specific sections got pre-filled answers.

For SAQ-B we require analog lines and for SAQ-A we do check on staff regarding whether any credit cards were handled in 
person. This creates some uniformity, especially regarding risk.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos 
Lobato
Sent: Wednesday, January 30, 2013 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS University-Wide Compliance


Hello All,

For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?

  1.  Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the 
University?
  2.  If individually, do you ONLY consider those transactions for compliance purposes?
  3.  How do you ensure/assure compliance for your University as a whole?

I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic 
compliance questions and request global assurance.

I would also appreciate approaches used at your University to address global compliance assurance or other general 
opinions, comments, etc.

Carlos

Carlos S. Lobato, CISA, CIA
IT Compliance Officer

New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM  88003

Phone (575) 646-5902
Fax (575) 646-5278