Educause Security Discussion mailing list archives

Re: PCI Compliance Policies
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 19 Jul 2007 14:41:44 -0400

Here is the compliance timeline:

By September 30, 2007 - Provide the name of the chosen Approved Scanning
Vendor (ASV).

By December 31, 2007 - Provide the signed Prohibited Data Retention
Attestation Form and provide the first quarterly scan results.  (NOTE:
In order to avoid potential fines, the Attestation must confirm that
there is NO evidence of prohibited data storage subsequent to
transaction authorization).

By March 31, 2008 - Provide the initial Self Assessment Questionnaire.

By June 30, 2008 - Provide a passing Self Assessment Questionnaire and
passing vulnerability scan results confirming that your organization is
PCI compliant.  An executive level officer of your organization must
also sign the attached Confirmation of Report Accuracy and include it
with the passing Self Assessment Questionnaire.

-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU] 
Sent: Thursday, July 19, 2007 1:20 PM
Subject: Re: [SECURITY] PCI Compliance Policies

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:
> Is ANYONE going to be compliant by the September deadline??  Did you
> use a consultant to get there?

What is the September deadline?  I thought compliance was supposed to
be on 1/1/06?

FWIW, we're still working on compliance...it's pretty time consuming.

Roger A. Safian 
r-safian () northwestern edu (email) public key available on many key
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
