Educause Security Discussion mailing list archives

Re: PCI Audit


From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 30 Apr 2018 14:59:47 +0000

That’s something that depends entirely on the number and complexity of your merchant accounts.  A school could have 
anywhere from 1 to hundreds of merchant accounts.  Each account could be a simple phone-line attached swipe device, a 
point of sale system or a complex ecommerce site.  Assume they will need to interview the business owner of each 
merchant account, IT staff who manage associated technologies, people who handle training/awareness, and review 
documentation like policies and network diagrams.

Simple merchant accounts like an SAQ-B style arrangement may be a short list of questions about things like physical 
security of devices and whether card numbers are ever recorded on paper or voice recordings.  However, something like 
an on-premise point of sale system might require a lot of time to review the network design, the software versions and 
configuration, physical security, employee training, etc.  Consistency between merchants on policies, procedures, 
training, etc. can save a lot of review time if you have many merchants.

It also depends on your goals and the scope of the engagement with the QSA.  Do you want a higher level review to 
highlight major gaps and help prioritize – perhaps something where you’ll provide most information yourself and have 
fewer interviews or technical work?  Or, do you want something more like a full Report on Compliance (without writing 
an actual RoC)?  This would require the QSA to verify that each merchant account is meeting all of their applicable 
requirements and could be very time consuming and costly if you have a lot of merchants.

There are hybrid approaches too – perhaps a high level review of your PCI compliance program with deeper dives for your 
higher risk merchants.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ronald King <ronald.king () MORGAN EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 27, 2018 at 12:21 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] PCI Audit

Thank you to those that have responded so far.  I'd like to add a question to the original request: How long did it 
take to complete the initial audit?

Thanks again!
Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Fri, Apr 27, 2018 at 2:11 PM, Charles Curtis <ccurtis () austincollege edu> wrote:
We have had a very good experience with Trustwave.

Charles


Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald King
Sent: Friday, April 27, 2018 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Audit

Colleagues,

My apologies if this question has been asked before, but the last I found in the archives was from 2012.

We are looking for a vendor to conduct an audit of our current PCI posture. Do any EDUs have recommendations for a 
consultant or company to assess where we are now and possibly help manage PCI assessments in the future?

Thank you,
Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>
