Educause Security Discussion mailing list archives

Re: PCI DSS responses


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 11 Jun 2009 15:04:45 -0700

 Just to clarify, when stating that some institutions choose to avoid DSS: they did the work necessary to ensure their 
institution was out of scope and thus did not require compliance. From what we've heard to date, taking a network out 
of scope seems to be considerably more cost effective.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: Basgen, Brian
Sent: Thursday, June 11, 2009 1:58 PM
To: 'The EDUCAUSE Security Constituent Group Listserv'
Subject: [SECURITY] PCI DSS responses

Hi Everyone,

 Thanks for all the responses on and off list.

 For the last several years, our general stand on the DSS has been that adhering to it would be very costly and 
generally impractical, thus outsourcing combined with analog has been our method of choice. In that light, it was very 
informative to get so many responses from what institutions have been doing recently.

 Generally, we heard from institutions that:
   (a) never seriously considered adhering to the DSS due to perceived issues
   (b) did an in-depth analysis and avoided DSS due to cost
   (c) believe they are currently following the DSS

 We haven't yet heard back with additional details from some of the institutions who are following DSS. It would be 
interesting to get an idea of how all 40 pages of compliance requirements are being managed, and at what cost. This 
has to be the most challenging aspect of the DSS: unlike so many laws, "best effort" and "due diligence" simply aren't 
enough. It seems like an impressive feat to achieve such a compliance expectation in higher education.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873