Educause Security Discussion mailing list archives
Re: PCI DSS Review - 40 Hours?
From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 24 Apr 2012 14:21:56 -0500
It depends. Brandeis has a policy that cardholder data must not be stored, transmitted, or processed on University systems. Given recent legislation in Massachusetts, this is a good plan. PCI has made the full ROC questionnaire available. You ought to be able to cover the relevant parts in 40 hours. If you find that the outsourcing policy is not effectively documented or enforced, then fail the audit and start over with an assessment, as other commenters in this thread have assumed; but if the policy holds, then it's mostly an exercise of ticking off boxes for policy and awareness training.