Educause Security Discussion mailing list archives

Re: PCI DSS University-Wide Compliance


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Wed, 30 Jan 2013 18:59:37 +0000

I wouldn't say "assure", but to attest/track/make progress, I've used, for each business area/payment 
processing/CDE-handling area, the following:

Columns tracked for each row: Yes | No | Percentage Complete or Count | Gap SAQ

Rows:
  Institution
  Campus
  Latest Campus Discussion
  Last SAQ Completed
  SAQ Age (days): Min / Max / Avg
  Select Merchant Level Goal
  Achieve Validation Type goal
  Confirmed Validation Type Status
  Reduce scanning scope to applicable systems
  Latest ASV Scan
  PCI Island Defined
  PCI Island Implemented
  Internal Scans Configured
  Business Area
  Validation Type
  Effective Validation Type
  POS Manufacturer
  POS Version
  POS Compliant
  In-scope Application Vendor
  Application Version
  In-scope applications PA-DSS validated
  Concessionaire environment present?
  Concessionaire name
  Concessionaire environment externalized
  Outsource Agreements
  Service Provider
  Service Provider Agreements
  Service Provider Applications
  Service Provider Validated
  Local Policies developed
  Employee Background Checks Performed (SAQ-D Only)
  Acquiring Bank(s)
  # Merchant agreements
  Merchant ID Code
  Bank requesting merchant compliance reporting?
  Contracted QSA Firm



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Wednesday, January 30, 2013 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS University-Wide Compliance


Hello All,

For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?

  1.  Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the University?
  2.  If individually, do you ONLY consider those transactions for compliance purposes?
  3.  How do you ensure/assure compliance for your University as a whole?

I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic compliance questions and request global assurance.

I would also appreciate approaches used at your University to address global compliance assurance or other general opinions, comments, etc.



Carlos



Carlos S. Lobato, CISA, CIA

IT Compliance Officer



New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003



Phone (575) 646-5902

Fax (575) 646-5278