Educause Security Discussion mailing list archives
Re: Fw: PCI Compliance Policies
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 19 Jul 2007 12:56:53 -0600
I'm sorry, but saying you "don't like to promote your services" does not make an advertisement into an informational note. Removing all references to your product/services is the proper direction to take, not attaching a service flyer and plugging your services in the message as well. This is out of line for this list IMO and isn't the first time this issue has arisen with this company IIRC.

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: Nick Fasano [mailto:Nick_Fasano () RAPID7 COM]
Sent: Thursday, July 19, 2007 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fw: PCI Compliance Policies

As a PCI vendor, I do not want to promote my services or my organization but I think information is key. Rapid7 LLC is an ASV (Authorized Scanning Vendor) for PCI compliance. The PCI security council requires vendors to standardize their services around PCI and pass some serious test in the MasterCard Security Lab in Europe.

There are some very basic requirements that merchants need to follow that take card data:

1. Quarterly vulnerability scans performed by an ASV.
2. Annual Penetration test performed by a third party vendor.

Your qtrly scans need to follow the PCI standard templates and are provided to your Acquiring Bank or processor. The ASV is required to provide this data to you (as a merchant) as well.

Rapid7 offers 2 types of services around PCI.

1. Is a managed service approach with Professional Services running the quarterly scans.
2. A self service portal that a merchant can run the third party scans on their own: pci.rapid7.com

Nick Fasano
Rapid7 LLC
617 247 1717 Office
857 288 7411 Direct IP Phone
866 7 RAPID7 (866 772 7437)
781 640 7945 Mobile
617 507 6488 Fax
nick_fasano () rapid7 com
http://www.rapid7.com/pressreleases/carnegiemellon.jsp
NeXpose - Winner of SC Magazine Awards "Best Vulnerability Management" Product of 2007.

----- Forwarded by Nick Fasano/Rapid7/US on 07/19/2007 01:41 PM -----
Theresa M Rowe <rowe () OAKLAND EDU>
07/19/2007 01:30 PM
Please respond to rowe
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: PCI Compliance Policies

The date doesn't appear on the PCI site, but our bank and other orgs are giving this date - For example

http://www.gfi.com/security/pci.htm
Furthermore, PCI DSS compliance needs to be achieved by September, 2007 - this is the deadline posed by credit card companies. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data.

http://searchsmb.bitpipe.com/detail/RES/1178314942_651.html
Most retailers and solutions providers believe that September, 2007 will be the true deadline after which Visa will begin levying fines on acquirers whose merchants who are not compliant with the standard.

---- Original message ----
Date: Thu, 19 Jul 2007 12:20:04 -0500
From: Roger Safian <r-safian () northwestern edu>
Subject: Re: [SECURITY] PCI Compliance Policies
To: rowe () oakland edu, SECURITY () LISTSERV EDUCAUSE EDU

At 12:14 PM 7/19/2007, Theresa M Rowe put fingers to keyboard and wrote:

> Is ANYONE going to be compliant by the September deadline?? Did you
> use a consultant to get there?

What is the September deadline? I thought compliance was supposed to start on 1/1/06?

FWIW, we're still working on compliance...it's pretty time consuming.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services