Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Fw: PCI Compliance Policies
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 19 Jul 2007 12:56:53 -0600

I'm sorry, but saying you "don't like to promote your services" does not
make an advertisement into an informational note.  Removing all
references to your product/services is the proper direction to take, not
attaching a service flyer and plugging your services in the message as

This is out of line for this list IMO and isn't the first time this
issue has arisen with this company IIRC.   

Brad Judy

IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Nick Fasano [mailto:Nick_Fasano () RAPID7 COM] 
Sent: Thursday, July 19, 2007 11:53 AM
Subject: [SECURITY] Fw: PCI Compliance Policies

As a PCI vendor, I do not want to promote my services or my 
organization but I think information is key.  Rapid7 LLC is 
an ASV (Authorized Scanning Vendor) for PCI compliance.  The 
PCI  security council requires vendors to standardize their 
services around PCI and pass some serious test in the 
MasterCard Security Lab in Europe.  There are some very basic 
requirements that merchants need to follow that take card data: 

1. Quarterly vulnerability scans performed by an ASV.   
2. Annual Penetration test performed by a third party vendor.   

Your qtrly scans need to follow the PCI standard templates 
and are provided to your Acquiring Bank or processor.  The 
ASV is required to provide this data to you (as a merchant) as well. 

Rapid7 offers 2 types of services around PCI.  1. Is a 
managed service approach with Professional Services running 
the quarterly scans.  2. A self service portal that a 
merchant can run the third party scans on their own: pci.rapid7.com 

Nick Fasano
Rapid7 LLC
617 247 1717 Office
857 288 7411 Direct IP Phone
866 7 RAPID7 (866 772 7437)
781 640 7945 Mobile
617 507 6488 Fax
nick_fasano () rapid7 com

NeXpose - Winner of SC Magazine Awards "Best Vulnerability 
Management" Product of 2007.

----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM ----- 

      Theresa M Rowe <rowe () OAKLAND EDU> 

07/19/2007 01:30 PM 
Please respond to rowe         
        Subject:        Re: PCI Compliance Policies

The date doesn't appear on the PCI site, but our bank and 
other orgs are giving this date - For example 
Furthermore, PCI DSS compliance needs to be achieved by 
September, 2007 - this is the deadline posed by credit card 
companies. Organizations that fail to comply face fines of up 
to $500,000 if the data is lost or stolen and risk not being 
allowed to handle cardholder data. 

Most retailers and solutions providers believe that 
September, 2007 will be the true deadline after which Visa 
will begin levying fines on acquirers whose merchants who are 
not compliant with the standard. 

---- Original message ----
Date: Thu, 19 Jul 2007 12:20:04 -0500
From: Roger Safian <r-safian () northwestern edu>
Subject: Re: [SECURITY] PCI Compliance Policies
To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to 
keyboard and wrote:
Is ANYONE going to be compliant by the September deadline?? 
 Did you 
use a consultant to get there?

What is the September deadline?  I thought compliance was 
supposed to 
start on 1/1/06?

FWIW, we're still working on compliance...it's pretty time consuming.

Roger A. Safian
r-safian () northwestern edu (email) public key available on 
many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great 

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University 
Technology Services

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]