Educause Security Discussion mailing list archives
Re: PCI DSS responses
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 11 Jun 2009 15:04:45 -0700
Just to clarify, when stating that some institutions choose to avoid DSS: they did the work necessary to ensure their institution was out of scope and thus did not require compliance. From what we've heard to date, taking a network out of scope seems to be considerably more cost effective. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College Office: 520-206-4873 -----Original Message----- From: Basgen, Brian Sent: Thursday, June 11, 2009 1:58 PM To: 'The EDUCAUSE Security Constituent Group Listserv' Subject: [SECURITY] PCI DSS responses Hi Everyone, Thanks for all the responses on and off list. For the last several years, our general stand on the DSS has been that adhering to it would be very costly and generally impractical, thus outsourcing combined with analog has been our method of choice. In that light, it was very informative to get so many responses from what institutions have been doing recently. Generally, we heard from institutions that: (a) never seriously considered adhering to the DSS due to perceived issues (b) did an in-depth analysis and avoided DSS due to cost (c) believe they are currently following the DSS We haven't yet heard back additional details from some of the institutions who are following DSS. It would be interesting to get an idea for how all 40 pages of compliance requirements are being managed, and at what cost. This has to be the most challenging aspect of the DSS: unlike so many laws, "best effort" and "due diligence" simply aren't enough. It seems like an impressive feat to achieve such a compliance expectation in higher education. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College Office: 520-206-4873
Current thread:
- PCI DSS responses Basgen, Brian (Jun 11)
- <Possible follow-ups>
- Re: PCI DSS responses Basgen, Brian (Jun 11)
- Re: PCI DSS responses Brad Judy (Jun 12)