Educause Security Discussion
mailing list archives
Fw: PCI Compliance Policies
From: Nick Fasano <Nick_Fasano () RAPID7 COM>
Date: Thu, 19 Jul 2007 13:53:07 -0400
As a PCI vendor, I do not want to promote my services or my organization
but I think information is key. Rapid7 LLC is an ASV (Authorized Scanning
Vendor) for PCI compliance. The PCI security council requires vendors to
standardize their services around PCI and pass some serious tests in the
MasterCard Security Lab in Europe. There are some very basic requirements
that merchants who take card data need to follow:
1. Quarterly vulnerability scans performed by an ASV.
2. Annual Penetration test performed by a third party vendor.
Your quarterly scans need to follow the PCI standard templates and are
provided to your Acquiring Bank or processor. The ASV is required to
provide this data to you (as a merchant) as well.
Rapid7 offers 2 types of services around PCI:
1. A managed service approach with Professional Services running the quarterly scans.
2. A self service portal that a merchant can run the third party scans on their
617 247 1717 Office
857 288 7411 Direct IP Phone
866 7 RAPID7 (866 772 7437)
781 640 7945 Mobile
617 507 6488 Fax
nick_fasano () rapid7 com
NeXpose - Winner of SC Magazine Awards "Best Vulnerability Management"
Product of 2007.
----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM -----
Theresa M Rowe <rowe () OAKLAND EDU>
07/19/2007 01:30 PM
Please respond to rowe
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: PCI Compliance Policies
The date doesn't appear on the PCI site, but our bank and other orgs are
giving this date -
Furthermore, PCI DSS compliance needs to be achieved by September, 2007 –
this is the deadline posed by credit card companies. Organizations that
fail to comply face fines of up to $500,000 if the data is lost or stolen
and risk not being allowed to handle cardholder data.
Most retailers and solutions providers believe that September, 2007 will
be the true deadline after which Visa will begin levying fines on
acquirers whose merchants are not compliant with the standard.
---- Original message ----
Date: Thu, 19 Jul 2007 12:20:04 -0500
From: Roger Safian <r-safian () northwestern edu>
Subject: Re: [SECURITY] PCI Compliance Policies
To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU
At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:
Is ANYONE going to be compliant by the September deadline?? Did you use a
consultant to get there?
What is the September deadline? I thought compliance was supposed to
FWIW, we're still working on compliance... it's pretty time-consuming.
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key
(847) 491-4058 (voice)
(847) 467-6500 (Fax) "You're never too old to have a great childhood!"
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services
PCI Compliance Flyer.pdf