Home page logo

educause logo Educause Security Discussion mailing list archives

Re: PCI Compliance Policies
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 19 Jul 2007 12:53:32 -0600

We've been doing PCIDSS compliance actions for some time now, including
quarterly scans from an approved vendor, annual self-assessment forms
for each department, etc.  

We don't have a specific PCIDSS policy (although any systems that store
CC#'s fall into our private data security policy) partially because, to
me, it seems like any policy statement would end up saying "you must be
compliant with applicable regulatory requirements".  As mentioned, it
might be best to refer departments on campus to a combination of the
direct PCI info and related existing campus policies.

If you're new to this, the best place to start is with the currently
applicable version of the PCIDSS standards (1.1), which can be found


Then you can move on to the numerous supporting documents here:


Most notable of which, IMO, are the audit procedures, which give some
more detail on the requirements:


And the self-assessment questionnaire, which someone in your school
should already be filling out:


The above website also maintains the list of certified assessors and
scanners.  Find ones that you feel comfortable with.

Brad Judy

IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Sandford, Doug [mailto:doug () UA EDU] 
Sent: Thursday, July 19, 2007 9:35 AM
Subject: [SECURITY] PCI Compliance Policies

Has anyone developed policies related to the process of 
becoming PCI compliant? Or perhaps links to some sources that 
have already been developed? Not having to re-invent the 
wheel would speed the certification process considerably.

Thanks in advance.....

Doug Sandford
University of Alabama
Office of Information Technology 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]