Re: PCI Compliance Policies
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 26 Jul 2007 10:29:00 -0600

Yes, being a level 4 does change things.  See this page for details:

Essentially, the requirements still apply, but verification is up to
your bank.

This page also discusses the different merchant level requirements -

Brad Judy

IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Curt Wilson [mailto:curtw () siu edu] 
Sent: Thursday, July 26, 2007 8:41 AM
Subject: Re: [SECURITY] PCI Compliance Policies

What are other .edus doing in terms of staff resources for 
PCI compliance? How are other security teams with limited 
staff handling the demand of keeping up with existing work 
and dealing with everything else that PCI brings to the table?

In the ideal environment much of the standard would have 
already been applied, but I am not sure how many of us live 
in that ideal environment.

If someone is a level 4 vendor does that change the dates or 
requirements? Or are they the same for everyone?

I will be doing some additional reading (RTFM) on this.


Brad Judy wrote:
We've been doing PCIDSS compliance actions for some time now, 
including quarterly scans from an approved vendor, annual 
self-assessment forms for each department, etc.

We don't have a specific PCIDSS policy (although any systems that 
store CC#'s fall into our private data security policy) partially 
because, to me, it seems like any policy statement would end up 
saying "you must be compliant with applicable regulatory 
requirements".  As mentioned, it might be best to refer departments 
on campus to a combination of the direct PCI info and related 
existing campus policies.

If you're new to this, the best place to start is with the 
applicable version of the PCIDSS standards (1.1), which can be found


Then you can move on to the numerous supporting documents here:


Most notable of which, IMO, are the audit procedures, which give 
some more detail on the requirements:


And the self-assessment questionnaire, which someone in your school 
should already be filling out:


The above website also maintains the list of certified assessors 
and scanners.  Find ones that you feel comfortable with.

Brad Judy

IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Sandford, Doug [mailto:doug () UA EDU]
Sent: Thursday, July 19, 2007 9:35 AM
Subject: [SECURITY] PCI Compliance Policies

Has anyone developed policies related to the process of becoming 
PCI compliant? Or perhaps links to some sources that have already 
been developed? Not having to re-invent the wheel would speed the 
certification process considerably.

Thanks in advance.....

Doug Sandford
University of Alabama
Office of Information Technology

Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
