Educause Security Discussion mailing list archives
Re: PCI Audit
From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 30 Apr 2018 14:59:47 +0000
That's something that depends entirely on the number and complexity of your merchant accounts. A school could have anywhere from 1 to hundreds of merchant accounts. Each account could be a simple phone-line-attached swipe device, a point-of-sale system or a complex e-commerce site. Assume they will need to interview the business owner of each merchant account, IT staff who manage associated technologies, people who handle training/awareness, and review documentation like policies and network diagrams. Simple merchant accounts like an SAQ B-style arrangement may be a short list of questions about things like physical security of devices and whether card numbers are ever recorded on paper or voice recordings. However, something like an on-premises point-of-sale system might require a lot of time to review the network design, the software versions and configuration, physical security, employee training, etc. Consistency between merchants on policies, procedures, training, etc. can save a lot of review time if you have many merchants.

It also depends on your goals and the scope of the engagement with the QSA. Do you want a higher-level review to highlight major gaps and help prioritize, perhaps something where you'll provide most information yourself and have fewer interviews or technical work? Or do you want something more like a full Report on Compliance (without writing an actual RoC)? This would require the QSA to verify that each merchant account is meeting all of their applicable requirements, and could be very time consuming and costly if you have a lot of merchants. There are hybrid approaches too, perhaps a high-level review of your PCI compliance program with deeper dives for your higher-risk merchants.
Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ronald King <ronald.king () MORGAN EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 27, 2018 at 12:21 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] PCI Audit

Thank you to those that have responded so far. I'd like to add a question to the original request: How long did it take to complete the initial audit?

Thanks again!

Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>

On Fri, Apr 27, 2018 at 2:11 PM, Charles Curtis <ccurtis () austincollege edu> wrote:

We have had a very good experience with Trustwave.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald King
Sent: Friday, April 27, 2018 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Audit

Colleagues,

My apologies if this question has been asked before, but the last I found in the archives was from 2012. We are looking for a vendor to conduct an audit of our current PCI posture. Do any EDUs have recommendations for a consultant or company to assess where we are now and possibly help manage PCI assessments in the future?

Thank you,

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>
Current thread:
- Re: PCI Audit, (continued)
- Re: PCI Audit Adam Menos (Apr 27)
- Re: PCI Audit David D Grisham (Apr 27)
- Re: PCI Audit Angel Howard (Apr 27)
- Re: PCI Audit Chris Boniforti (Apr 27)
- Re: PCI Audit Brad Judy (Apr 27)
- Re: PCI Audit Ronald King (Apr 27)
- Re: PCI Audit Gerrit Bos (Apr 27)
- Re: PCI Audit Gerrit Bos (Apr 27)
- Re: PCI Audit Charles Curtis (Apr 27)
- Re: PCI Audit Ronald King (Apr 27)
- Re: PCI Audit Brad Judy (Apr 30)
- Re: PCI Audit Penn, Blake C (Apr 30)
- Re: PCI Audit Ronald King (Apr 27)
- Re: PCI Audit Ray Phillips (Apr 30)
- Re: PCI Audit Fisher, Matthew C (May 21)
- Re: PCI Audit Ronald King (May 22)
- Re: PCI Audit Dennis Bolton (May 22)
- Re: PCI Audit Ronald King (May 22)