Educause Security Discussion mailing list archives
Re: PCI Audit
From: "Penn, Blake C" <blake.penn () SECURITY GATECH EDU>
Date: Mon, 30 Apr 2018 17:13:26 +0000
And if you are unfortunate enough to have a breach, then you have to get QSA validated with a full ROC! FWIW, in my experience these cases averaged 2-3 years of remediation before full compliance could be validated.

Regards,

Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Monday, April 30, 2018 11:00
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI Audit

That’s something that depends entirely on the number and complexity of your merchant accounts. A school could have anywhere from 1 to hundreds of merchant accounts. Each account could be a simple phone-line attached swipe device, a point of sale system or a complex ecommerce site. Assume they will need to interview the business owner of each merchant account, IT staff who manage associated technologies, people who handle training/awareness, and review documentation like policies and network diagrams.

Simple merchant accounts like an SAQ-B style arrangement may be a short list of questions about things like physical security of devices and whether card numbers are ever recorded on paper or voice recordings. However, something like an on-premise point of sale system might require a lot of time to review the network design, the software versions and configuration, physical security, employee training, etc. Consistency between merchants on policies, procedures, training, etc. can save a lot of review time if you have many merchants.

It also depends on your goals and the scope of the engagement with the QSA. Do you want a higher level review to highlight major gaps and help prioritize – perhaps something where you’ll provide most information yourself and have fewer interviews or technical work? Or, do you want something more like a full Report on Compliance (without writing an actual RoC)? This would require the QSA to verify that each merchant account is meeting all of their applicable requirements and could be very time consuming and costly if you have a lot of merchants. There are hybrid approaches too – perhaps a high level review of your PCI compliance program with deeper dives for your higher risk merchants.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ronald King <ronald.king () MORGAN EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, April 27, 2018 at 12:21 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] PCI Audit

Thank you to those that have responded so far. I'd like to add a question to the original request: How long did it take to complete the initial audit?

Thanks again!

Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>

On Fri, Apr 27, 2018 at 2:11 PM, Charles Curtis <ccurtis () austincollege edu> wrote:

We have had a very good experience with Trustwave.

Charles

Charles Curtis
Executive Director of Information Technology
Austin College
900 North Grand Avenue
Sherman, TX 75090-4400
Phone: 903.813.2088
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald King
Sent: Friday, April 27, 2018 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI Audit

Colleagues,

My apologies if this question has been asked before, but the last I found in the archives was from 2012. We are looking for a vendor to conduct an audit of our current PCI posture. Do any EDUs have recommendations for a consultant or company to assess where we are now and possibly help manage PCI assessments in the future?

Thank you,

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>