Educause Security Discussion mailing list archives

Re: PCI 3.0 compliance


From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
Date: Wed, 25 Feb 2015 14:43:51 +0000

I'm not the most knowledgeable on the board on PCI, but I can tell you it's not uncommon for it to look a mess, 
unfortunately, when you have someone else come in and review compliance status.  There is often a lot of individual 
interpretation, whether you're having a QSA do it or are performing a self-assessment.  On a practical level you have 
to marry technical compliance with actual risk-management and best practices since PCI compliance alone isn't really 
enough to ensure you're operating in a secure manner.

Business processes are often more troublesome than technical issues, in my experience.  We can manage technology pretty 
well, but people are another issue.  

PCI always has the provision of "Compensating Controls" in lieu of a straight PASS based on the particular criteria.  
From what I've seen, some people use them a lot, some people don't seem to ever accept them.  It depends on the QSA and 
the organizational personnel.

Personally I'm looking forward to Point-to-Point Encryption (P2PE) being more broadly supported; it eliminates a 
tremendous amount of PCI exposure.  

In your situation, if you see some obvious "fix it now!" issues, get those taken care of.  Beyond that, in my opinion 
your time and energy are best spent understanding the processes - both technical and business - and documenting a list 
of known issues, then coming up with an overall plan to address them which prioritizes high risk and quick-fix items.  
You may find issues that are broadly common - i.e. a bit of training that hasn't been done for a broad swath of users.  
It will be more efficient to address these all together in one training program than to tackle them one at a time - and 
developing and implementing a plan instead of trying to act as a firefighter will go down a lot better with the powers 
that be.  Also remember that if you don't build executive support, you will never get anywhere no matter how much you 
yell and pound the table.

One thing I've learned in my years in IT is that no matter how good (or otherwise) someone may have been in their job, 
there's always a period of "what the hell were they thinking?" when someone new comes on board and starts to review 
their predecessor's work and get oriented themselves.  If you look deeper, there may have been a logic to it that's not 
apparent at first glance, or the reasons may be lost to time, or you've simply found a weakness in someone else's skillset 
or priorities that may need to be addressed.  People do the same when you change positions as well; it's human nature.  
Understand your organization and build a system that works well with it, identify risks, and establish priorities.  
Even the best system will never eliminate the weaknesses inherent in human nature or in computer systems, but a good 
system will help mitigate them and make progress reducing your organizational risk profile.

Kevin

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Wednesday, February 25, 2015 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

Hi Chris,

I'm new here at Excelsior, and I have inherited a bit of a mess when it comes to PCI.

Specifically I have found that previously we certified as PASS on several items that we should not have.  If you have 
any knowledge of how the items are scored, and if there is a threshold for compliance when everything is not simply 
'PASS' I'd love to pick your brain about it.

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720




From:   Chris Green <CGreen () UTTYLER EDU>
To:     SECURITY () LISTSERV EDUCAUSE EDU,
Date:   02/06/2015 12:18 PM
Subject:        Re: [SECURITY] PCI 3.0 compliance
Sent by:        The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>



We are in the midst of it as well. If you would like to discuss offline, please shoot me an email.

Thanks,

-C.


Chris Green
Director of Information Security
University of Texas at Tyler
cgreen () uttyler edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Friday, February 06, 2015 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

We are in the process of that.  Feel free to reach out to me privately.
qrs () bu edu

Best,

Quinn R Shamblin
Executive Director of Information Security, Boston University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Thursday, February 05, 2015 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0 compliance

Hello Everyone,

Has anyone started or completed a project regarding PCI 3.0 compliance?  If so, would you be willing to answer a few 
questions and / or have a conversation about it?  Thanks.

Alex

Alex Jalso, PMP, CISM
Director Information Security Services
West Virginia University
p: 304-293-4457


