Home page logo

educause logo Educause Security Discussion mailing list archives

Fw: PCI Compliance Policies
From: Nick Fasano <Nick_Fasano () RAPID7 COM>
Date: Thu, 19 Jul 2007 13:53:07 -0400

As a PCI vendor, I do not want to promote my services or my organization 
but I think information is key.  Rapid7 LLC is an ASV (Authorized Scanning 
Vendor) for PCI compliance.  The PCI  security council requires vendors to 
standardize their services around PCI and pass some serious test in the 
MasterCard Security Lab in Europe.  There are some very basic requirements 
that merchants need to follow that take card data:

1. Quarterly vulnerability scans performed by an ASV. 
2. Annual Penetration test performed by a third party vendor. 

Your qtrly scans need to follow the PCI standard templates and are 
provided to your Acquiring Bank or processor.  The ASV is required to 
provide this data to you (as a merchant) as well.

Rapid7 offers 2 types of services around PCI.  1. Is a managed service 
approach with Professional Services running the quarterly scans.  2. A 
self service portal that a merchant can run the third party scans on their 
own: pci.rapid7.com

Nick Fasano
Rapid7 LLC
617 247 1717 Office
857 288 7411 Direct IP Phone
866 7 RAPID7 (866 772 7437)
781 640 7945 Mobile
617 507 6488 Fax
nick_fasano () rapid7 com

NeXpose - Winner of SC Magazine Awards "Best Vulnerability Management" 
Product of 2007.

----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM -----

Theresa M Rowe <rowe () OAKLAND EDU>
07/19/2007 01:30 PM
Please respond to rowe
        Subject:        Re: PCI Compliance Policies

The date doesn't appear on the PCI site, but our bank and other orgs are 
giving this date -
For example 
Furthermore, PCI DSS compliance needs to be achieved by September, 2007 – 
this is the deadline posed by credit card companies. Organizations that 
fail to comply face fines of up to $500,000 if the data is lost or stolen 
and risk not being allowed to handle cardholder data. 

Most retailers and solutions providers believe that September, 2007 will 
be the true deadline after which Visa will begin levying fines on 
acquirers whose merchants who are not compliant with the standard. 

---- Original message ----
Date: Thu, 19 Jul 2007 12:20:04 -0500
From: Roger Safian <r-safian () northwestern edu> 
Subject: Re: [SECURITY] PCI Compliance Policies 
To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:
Is ANYONE going to be compliant by the September deadline??  Did you use 
consultant to get there?

What is the September deadline?  I thought compliance was supposed to 
on 1/1/06? 

FWIW, we're still working on compliance...it's pretty time consuming.

Roger A. Safian 
r-safian () northwestern edu (email) public key available on many key 
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

Attachment: PCI Compliance Flyer.pdf

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]