
Hi All,

 

I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable?

 

Also, does anyone have a PCI DSS Audit plan?

 

Many Thanks!

 

Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Brandeis University, Mailstop 110

Phone: 781-736-8703

Cell:     781-296-4444

Fax:     781-736-8706

 

Comments

Message from aperry@murraystate.edu

Do you mean from the ground up? Has your organization begun/completed PCI compliance previously? I'm at the Treasury Institute's PCI workshop this week and I can say, unless you have very few Merchant ID's, and they're all SAQ A or B, then no. You won't complete it in 40 hours. My colleagues at the University of Kentucky have been working toward PCI compliance for 4 years. They're about 85% done.

Sent from my phone.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry@murraystate.edu

On Apr 24, 2012 12:31 PM, "Dan Sarazen" <dsarazen@brandeis.edu> wrote:
> I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable?
> [...]

I agree that no solid review for PCI DSS can be done in a week. When I started on a PCI DSS review and focused just on the high risk merchants (those that completed SAQ-D), I scheduled 3 hours to meet initially with every one of these merchants and in several cases had follow-up meetings to go over workflow, environment and security controls.

These meetings alone took more than 2 weeks and I am not nearly done with the SAQ-D group and have not really started on the other groups.

If you have done a PCI review previously and need to assess PCI DSS compliance on a focused area due to a recent change, you can probably complete a very focused review in 40 hours, but it will not cover all aspects of PCI DSS on the merchants in your environment.


Eva Lorenz, Ph.D., J.D., ITILv3F
ITS Security
UNC Chapel Hill
Hi Dan,
 
Of course you could do something in 40 hours but if that includes planning, fieldwork and reporting, I think the value it would add would be minimal.
 
We have done several PCI reviews over the last few years, including governance and project management reviews of the PCI initiative and compliance reviews. They ranged from about 10 days to 40 days.
 
I would be happy to set up a conference call with you to share with you what we covered. Also, I am going to an ISACA presentation on emerging PCI trends today and will share the presentation materials if you are interested.
 
cheers,
Jen
 
It depends.

Brandeis has a policy that cardholder data must not be stored, transmitted, or processed on University systems. Given recent legislation in Massachusetts, this is a good plan.

PCI has made the full ROC questionnaire available. You ought to be able to cover the relevant parts in 40 hours. If you find that the outsourcing policy is not effectively documented or enforced, then fail the audit and start over with an assessment, as other commenters in this thread have assumed; but if the policy holds, then it's mostly an exercise of ticking off boxes for policy and awareness training.
Message from jon@network-plumbers.com

If there is a breach at a member institution (I presume the audit is for one of the consortium members), you have to assume that they will be sued and the email you posted to this list will be found in discovery. That email will be a great find for the attorney who will attempt to use it (I don't mean to suggest you aren't qualified, I have no idea if you are and I'm certainly not qualified) as an indication that you were not qualified (and knew it) to perform the PCI DSS review and thus are liable for a portion of the damages.

My advice is to bring in someone who has done this before (perhaps a list member has a suggestion of someone local? - we're local but we don't do this) at least for some advice.

As others have pointed out, the scale is hugely relevant to the time involved and the scale of your consortium members is widely divergent.

Good luck,
Jon Young
Senior Consultant
Vantage Technology Consulting Group

Are you saying that nobody other than a formally certified PCI compliance expert (consultant) should review, in any way, PCI controls?

On Apr 24, 2012 3:25 PM, "Jon Young" <jon@network-plumbers.com> wrote:
> If there is a breach at a member institution (I presume the audit is
> for one of the consortium members), you have to assume that they will
> be sued and the email you posted to this list will be found in
> discovery.
> [...]

Message from mjohnson@complyguardnetworks.com

Only a certified entity (QSA) can render expert opinion on satisfying the ROC.

 

There are also recommendations from the Council in various sections about separation of duties.

It requires a careful read.

 

Michael Johnson, CISSP, QSA, ASV

ComplyGuard Networks.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dan Sarazen
Sent: Tuesday, April 24, 2012 5:16 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

Are you saying that nobody other than a formally certified PCI compliance expert (consultant) should review, in any way, PCI controls?
[...]

Message from win-hied@bradjudy.com

The original poster made no statements that this audit was the *only* effort they are making to ensure PCI compliance. It seems like quite an assumption to make from the information provided. Internal audits are done across industries for any number of regulations or compliance issues (HIPAA, SOX, etc.) independent of the formal process of compliance management.

Brad Judy

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jon Young
Sent: Tuesday, April 24, 2012 1:16 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] PCI DSS Review - 40 Hours?

If there is a breach at a member institution (I presume the audit is for one of the consortium members), you have to assume that they will be sued and the email you posted to this list will be found in discovery.
[...]
Message from valdis.kletnieks@vt.edu

On Tue, 24 Apr 2012 21:28:56 -0000, Michael Johnson said:
> Only a certified entity (QSA) can render expert opinion on satisfying the ROC.

On the other hand, I think any IT professional who's been involved in a PCI DSS review is probably qualified to give non-expert opinion of the form "We sank 160 hours into it just to get started, and there's no way you're gonna do it in 40 unless you have a *really* limited scope in place".

That, and I don't think anything said on this list would qualify as "expert opinion" in the legal sense, since everybody who posts an opinion here is doing so without knowing all the details of the original poster's situation.
In 40 hours, I think I would try to figure out how many locations take credit cards. How do they take them (analog terminal, wifi terminal, Ethernet terminal, computer with a web browser, ...). Then find out how many transactions a year your institution does, and are they all under one MID?  

That should let you know which merchant level you are, and what SAQ you need to fill out. There is still plenty of more work to do though. PCI SSC has a prioritized approach to PCI that is a good read, and reviewing the PCI DSS itself never hurts. 

I'm happy to chat more off list, if you like. 

Also as part of my two cents, I'd say don't let the non-edu members of the forum scare you with RoC and AoC talk. 

Chad

Sent from my iPad

Message from jon@network-plumbers.com

Dan,

Of course not. And I'm not saying you should only (or that you need at all) use external paid consultants. What I am saying is that if this is your first time doing this (as many of us inferred from your original post) it would be wise to get help from someone who has done this before. That can be a consultant, someone else from your organization or a peer organization or elsewhere. This is true for many things but has particular value in something with a high likelihood of being litigated should something 'bad' happen.

Jon
Hi Dan,
 
I think I would take the approach of doing what you can in 40 hours. Some of my initial work involved identifying transaction levels, which SAQ is most likely to apply, and running through the SAQ to identify where the University is or is not compliant. I used the COBIT 4.1 CMM as a tool for assigning a level of maturity for the specific PCI line items rather than a simple yes/no response. The goal of this exercise is to begin raising awareness for your executives about the risks and expected costs/effort of reaching compliance. This will also provide an initial tool for measuring and prioritizing ongoing activity in meeting compliance requirements.
 
The first response from your executive will be that you cannot possibly be correct in your assessment.  They will also be overwhelmed by the amount of detail and projected cost involved. In my experience, if you are persistent in presenting the best facts you can within your limited capability, the executive will recommend an external PCI assessment. This assessment will likely validate what you will have been reporting and may provide some options for reducing scope that you did not consider. 
 
In the intervening time you will hopefully be able to address some basic compliance requirements and mature the University's information security program.
 
Regards,
 
 
 
Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security Officer
CISSP, CIPP/C, CISA
Security, Privacy, Audit
BCCOL - 222D
250-852-6351
 
>>> Dan Sarazen <dsarazen@BRANDEIS.EDU> 4/24/12 9:21 am >>>
> I’ve been asked to conduct a PCI DSS review in 40 hours. Anyone think that’s responsibly doable?
> [...]

And if you ask more than one QSA, you'll get a variety of expert opinions to choose from!

If you're doing a PCI DSS review of an existing effort, and in one or two relatively constrained scopes, you can certainly get something put together that gets close. After all, a review for internal auditing purposes does not need the detail a QSA's attestation does. And as I'm hinting at above, QSAs all differ, because unfortunately PCI is still pretty much up to the individual interpreting the requirements. What satisfies one will not satisfy another. Focus instead on your PCI remediation efforts that realistically reduce the risk of breach, then go from there. Or rather, audit with that approach in mind--seek compliance to reduce risk, not to achieve compliance.

If you're trying to review *all* payment areas at an institution, you might want to either politely decline that request or suggest the time estimate be multiplied by 10 (to start) and put that on your next annual work plan.

Either way, it sounds like Jen's work plans may be useful for you, at least as a start.

-jth

On 24 Apr 2012, at 16:28 , Michael Johnson wrote:
> Only a certified entity (QSA) can render expert opinion on satisfying the ROC.
> [...]
