Educause Security Discussion mailing list archives
Re: PCI 3.0 compliance
From: Kevin Reedy <KReedy () EXCELSIOR EDU>
Date: Wed, 25 Feb 2015 10:09:09 -0500
My apologies to the list. That was intended to be a private email and went to the group by accident.

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720

From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/25/2015 09:44 AM
Subject: Re: [SECURITY] PCI 3.0 compliance
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

I'm not the most knowledgeable on the board on PCI, but I can tell you it's not uncommon for it to look a mess, unfortunately, when you have someone else come in and review compliance status. There is often a lot of individual interpretation, whether you're having a QSA do it or are performing a self-assessment. On a practical level you have to marry technical compliance with actual risk management and best practices, since PCI compliance alone isn't really enough to ensure you're operating in a secure manner. Business processes are often more troublesome than technical issues, in my experience. We can manage technology pretty well, but people are another issue.

PCI always has the provision of "Compensating Controls" in lieu of a straight PASS based on the particular criteria. From what I've seen, some people use them a lot, some people don't seem to ever accept them. It depends on the QSA and the organizational personnel. Personally I'm looking forward to Point-to-Point Encryption (P2PE) being more broadly supported; it eliminates a tremendous amount of PCI exposure.

In your situation, if you see some obvious "fix it now!" issues, get those taken care of. Beyond that, in my opinion your time and energy are best spent understanding the processes - both technical and business - and documenting a list of known issues, then coming up with an overall plan to address them which prioritizes high-risk and quick-fix items. You may find issues that are broadly common - i.e. a bit of training that hasn't been done for a broad swath of users. It will be more efficient to address these all together in one training program than to tackle them one at a time - and developing and implementing a plan instead of trying to act as a firefighter will go down a lot better with the powers that be. Also remember that if you don't build executive support, you will never get anywhere no matter how much you yell and pound the table.

One thing I've learned in my years in IT is that no matter how good (or otherwise) someone may have been in their job, there's always a period of "what the hell were they thinking?" when someone new comes on board and starts to review their predecessor's work and get oriented themselves. If you look deeper, there may have been a logic to it that's not apparent at first glance, or the reasons may be lost to time, or you've simply found a weakness in someone else's skill set or priorities that may need to be addressed. People do the same when you change positions as well; it's human nature.

Understand your organization and build a system that works well with it, identify risks, and establish priorities. Even the best system will never eliminate the weaknesses inherent in human nature or in computer systems, but a good system will help mitigate them and make progress reducing your organizational risk profile.

Kevin

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Reedy
Sent: Wednesday, February 25, 2015 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

Hi Chris,

I'm new here at Excelsior, and I have inherited a bit of a mess when it comes to PCI. Specifically, I have found that previously we certified as PASS on several items that we should not have. If you have any knowledge of how the items are scored, and if there is a threshold for compliance when everything is not simply 'PASS', I'd love to pick your brain about it.
-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720

From: Chris Green <CGreen () UTTYLER EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 02/06/2015 12:18 PM
Subject: Re: [SECURITY] PCI 3.0 compliance
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>

We are in the midst of it as well. If you would like to discuss offline, please shoot me an email.

Thanks,
-C.

Chris Green
Director of Information Security
University of Texas at Tyler
cgreen () uttyler edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Friday, February 06, 2015 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0 compliance

We are in the process of that. Feel free to reach out to me privately. qrs () bu edu

Best,
Quinn R Shamblin
Executive Director of Information Security, Boston University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Jalso
Sent: Thursday, February 05, 2015 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0 compliance

Hello Everyone,

Has anyone started or completed a project regarding PCI 3.0 compliance? If so, would you be willing to answer a few questions and/or have a conversation about it?

Thanks.
Alex

Alex Jalso, PMP, CISM
Director, Information Security Services
West Virginia University
p: 304-293-4457

This message and any attachments contain confidential Excelsior College information intended for the specific individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.
Current thread:
- PCI 3.0 compliance Alex Jalso (Feb 05)
- Re: PCI 3.0 compliance David James Anderson (Feb 05)
- Re: PCI 3.0 compliance David James Anderson (Feb 05)
- Re: PCI 3.0 compliance Shamblin, Quinn (Feb 06)
- Re: PCI 3.0 compliance Chris Green (Feb 06)
- Re: PCI 3.0 compliance Kevin Reedy (Feb 25)
- Re: PCI 3.0 compliance Ben Parker (Feb 25)
- Re: PCI 3.0 compliance Kevin Halgren (Feb 25)
- Re: PCI 3.0 compliance Kevin Reedy (Feb 25)
- Re: PCI 3.0 compliance Chris Green (Feb 06)
- Re: PCI 3.0 compliance David James Anderson (Feb 05)
- Re: PCI 3.0 compliance Chris Green (Feb 09)