Educause Security Discussion mailing list archives
Re: PCI DSS University-Wide Compliance
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Wed, 30 Jan 2013 18:59:37 +0000
I wouldn't say "assure", but to attest/track/make progress, I've used, for each business area/payment processing/CDE-handling area, the following:

Yes / No / Percentage Complete or Count / Gap

- SAQ Institution Campus
- Latest Campus Discussion
- Last SAQ Completed
- Min Max Avg SAQ Age (days)
- Select Merchant Level
- Goal Achieve Validation Type goal
- Confirmed Validation Type
- Status
- Reduce scanning scope to applicable systems
- Latest ASV Scan
- PCI Island Defined
- PCI Island Implemented
- Internal Scans Configured
- Business Area Validation Type
- Effective Validation Type
- POS Manufacturer
- POS Version
- POS Compliant
- In-scope Application Vendor
- Application Version
- In-scope applications PA-DSS validated
- Concessionaire environment present?
- Concessionaire name
- Concessionaire environment externalized
- Outsource Agreements
- Service Provider
- Service Provider Agreements
- Service Provider Applications
- Service Provider Validated
- Local Policies developed
- Employee Background Checks Performed (SAQ-D Only)
- Acquiring Bank(s)
- # Merchant agreements
- Merchant ID Code
- Bank requesting merchant compliance reporting?
- Contracted QSA Firm

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Wednesday, January 30, 2013 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI DSS University-Wide Compliance

Hello All,

For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?

1. Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the University?
2. If individually, do you ONLY consider those transactions for compliance purposes?
3. How do you ensure/assure compliance for your University as a whole?

I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic compliance questions and request global assurance.

I would also appreciate approaches used at your University to address global compliance assurance or other general opinions, comments, etc.

Carlos

Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278
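As an added illustration (not code from the list or from either poster), here is a small Python roll-up over a tracker shaped like the fields in the reply above: it computes the institution-wide Min/Max/Avg SAQ age, flags each merchant ID whose SAQ or required ASV scan is past its window, and yields the percentage-complete figure an audit committee asks for. The record fields, the merchant IDs and the two age thresholds are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

SAQ_MAX_AGE_DAYS = 365      # an SAQ is an annual attestation
ASV_SCAN_MAX_AGE_DAYS = 90  # ASV scans are quarterly, where the SAQ type requires them

@dataclass
class MerchantRecord:  # one tracker row per merchant ID within a business area (assumed fields)
    business_area: str
    merchant_id: str
    last_saq_completed: Optional[date]
    asv_scan_required: bool  # whether the SAQ type in use calls for quarterly ASV scans
    latest_asv_scan: Optional[date]

# Constructed sample rows; the merchant IDs are placeholders, not real values.
SAMPLE = [
    MerchantRecord("Bookstore", "MID-0001", date(2011, 12, 1), True, date(2012, 12, 15)),
    MerchantRecord("Athletics", "MID-0002", date(2012, 11, 20), False, None),
    MerchantRecord("Parking", "MID-0003", None, True, date(2012, 9, 1)),
]

def find_gaps(rec, today):
    gaps = []  # gaps for one merchant record; an empty list means nothing is overdue
    if rec.last_saq_completed is None:
        gaps.append("no SAQ on file")
    elif (today - rec.last_saq_completed).days > SAQ_MAX_AGE_DAYS:
        gaps.append(f"SAQ older than {SAQ_MAX_AGE_DAYS} days")
    if rec.asv_scan_required:
        if rec.latest_asv_scan is None:
            gaps.append("no ASV scan on file")
        elif (today - rec.latest_asv_scan).days > ASV_SCAN_MAX_AGE_DAYS:
            gaps.append(f"ASV scan older than {ASV_SCAN_MAX_AGE_DAYS} days")
    return gaps

def rollup(records, today):
    # Institution-wide view: SAQ age min/max/avg, gaps keyed by merchant ID, percent complete.
    ages = [(today - r.last_saq_completed).days for r in records if r.last_saq_completed]
    gaps = {r.merchant_id: g for r in records if (g := find_gaps(r, today))}
    return {
        "saq_age_min": min(ages) if ages else None,
        "saq_age_max": max(ages) if ages else None,
        "saq_age_avg": mean(ages) if ages else None,
        "percent_complete": round(100 * (len(records) - len(gaps)) / len(records)),
        "gaps": gaps,
    }

def demo():
    return rollup(SAMPLE, date(2013, 1, 30))  # as of the date of the thread above
```

Feeding the real tracker rows in place of SAMPLE gives one number per institution for the Audit Committee, while the gap list keeps the per-merchant-ID detail that the campus-level follow-up needs.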
Current thread:
- PCI DSS University-Wide Compliance Carlos Lobato (Jan 30)
- Re: PCI DSS University-Wide Compliance Lorenz, Eva (Jan 30)
- Re: PCI DSS University-Wide Compliance Dan Sarazen (Jan 30)
- Re: PCI DSS University-Wide Compliance John Ladwig (Jan 30)
- Re: PCI DSS University-Wide Compliance Barron Hulver (Jan 30)