PCI DSS University-Wide Compliance
Hello All,
For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?
- Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the University?
- If individually, do you ONLY consider those transactions for compliance purposes?
- How do you ensure/assure compliance for your University as a whole?
I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic compliance questions and request global assurance.
I would also appreciate approaches used at your University to address global compliance assurance, or other general opinions, comments, etc.
Carlos
Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003
Phone (575) 646-5902
Fax (575) 646-5278
Comments
We have independent questionnaires from all merchants that roll up into university-wide questionnaires (only these end up being accessible to outside parties). We have split up merchants based on payment gateway and means of accepting credit cards (POS versus SAQ-D).
Ideally, we try to meet with each merchant individually, but staff resources are an issue. I have 30% time allocated to compliance in general (not just PCI DSS), and when I was tossed into PCI compliance, it took me a couple of months just to meet individually with SAQ-D merchants and analyze what we had on campus. Needless to say, that cannot be repeated each year without sacrificing other projects.
I think SAQ-A and SAQ-B can be summarized more easily than SAQ-D because our SAQ-D merchants have a multitude of software solutions, payment gateways, etc. So I hope to get additional staff to work with these merchants and do annual visits regarding compliance. I would not want to assess SAQ-D compliance without looking at each individual questionnaire from merchants and reserving time to call and discuss issues. We simply have too much variety to simply answer a university questionnaire without relying on individual questionnaires. One battle I am fighting is the desire that I provide answers to specific sections, and I have been resistant to do that because I don't want any changes to slide through because specific sections got pre-filled answers.
For SAQ-B we require analog lines and for SAQ-A we do check on staff regarding whether any credit cards were handled in person. This creates some uniformity, especially regarding risk.
Hi Carlos,
I’ve completed a few reviews of PCI DSS compliance and I try to follow this process:
1. Have they completed their Self Assessment Questionnaire (and there are multiple types, based on the processing environment)? They must do so annually, and if they haven't, they can't KNOW they are compliant.
2. If they have completed their SAQ, who completed it? Do they have visibility into ALL areas conducting PCI processing (Alumni, athletics, events, etc.)?
3. If they have completed their SAQ and identified areas where mitigating controls are required, who is following up on those changes to ensure they happen?
4. Does the campus have a process for reviewing existing PCI processing and approving new services or changes to existing processes?
5. Are these procedures publicized and employees trained on their practices?
6. Do you have a campus-wide Information Security Policy? This is a PCI DSS requirement, regardless of the processing environment.
7. Does the campus (Or each decentralized area) have written PCI procedures for both electronic copies and hardcopies?
8. If you’ve identified your PCI DSS environments and segmented them you are allowed to submit a separate SAQ for each environment.
PCI DSS is a compliance quagmire. Most schools try to keep PCI DSS processing off their campus networks because, by having the activity on the campus network, the entire campus network comes into scope for PCI DSS.
Two Resources:
https://www.pcisecuritystandards.org/security_standards/
and
http://pciguru.wordpress.com/
Good Luck and feel free to call my cell if you have specific questions.
Dan Sarazen
Senior IT Auditor
The Boston Consortium for Higher Education
Brandeis University, Mailstop 110
Phone: 781-736-8703
Cell: 781-296-4444
Fax: 781-736-8706
I wouldn’t say “assure”, but to attest/track/make progress, I’ve used, for each business area/payment processing/CDE-handling area, the following:
- Yes
- No
- Percentage Complete or Count
- Gap SAQ
- Institution
- Campus
- Latest Campus Discussion
- Last SAQ Completed
- Min
- Max
- Avg
- SAQ Age (days)
- Select Merchant Level Goal
- Achieve Validation Type goal
- Confirmed Validation Type Status
- Reduce scanning scope to applicable systems
- Latest ASV Scan
- PCI Island Defined
- PCI Island Implemented
- Internal Scans Configured
- Business Area
- Validation Type
- Effective Validation Type
- POS Manufacturer
- POS Version
- POS Compliant
- In-scope Application Vendor
- Application Version
- In-scope applications PA-DSS validated
- Concessionaire environment present?
- Concessionaire name
- Concessionaire environment externalized
- Outsource Agreements
- Service Provider
- Service Provider Agreements
- Service Provider Applications
- Service Provider Validated
- Local Policies developed
- Employee Background Checks Performed (SAQ-D Only)
- Acquiring Bank(s)
- # Merchant agreements
- Merchant ID Code
- Bank requesting merchant compliance reporting?
- Contracted QSA Firm
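The roll-up of per-merchant questionnaires into a university-wide view that the first comment describes, with the SAQ age min/max/avg and gap tracking from the last comment, as an added example that is not from any of the posters. The merchant records, the 365-day SAQ age limit and the 90-day ASV scan window (applied here only to SAQ-D merchants) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

AS_OF = date(2013, 3, 1)        # constructed reporting date
SAQ_MAX_AGE_DAYS = 365          # SAQ must be redone annually
ASV_MAX_AGE_DAYS = 90           # assumed quarterly ASV scan window for SAQ-D merchants


@dataclass
class Merchant:
    merchant_id: str
    business_area: str
    validation_type: str        # SAQ-A, SAQ-B, SAQ-D ...
    last_saq_completed: Optional[date]
    latest_asv_scan: Optional[date]


# Constructed sample merchants; not real merchant IDs or business areas.
MERCHANTS = [
    Merchant("MID-0001", "Bookstore", "SAQ-D", date(2012, 6, 15), date(2013, 1, 20)),
    Merchant("MID-0002", "Athletics", "SAQ-B", date(2011, 11, 2), None),
    Merchant("MID-0003", "Alumni", "SAQ-A", None, None),
    Merchant("MID-0004", "Parking", "SAQ-D", date(2012, 12, 1), date(2012, 9, 30)),
]


def saq_age_days(m: Merchant, as_of: date = AS_OF) -> Optional[int]:
    """Days since the merchant's last SAQ, or None if no SAQ is on file."""
    return None if m.last_saq_completed is None else (as_of - m.last_saq_completed).days


def rollup(merchants: List[Merchant], as_of: date = AS_OF) -> dict:
    """Aggregate individual merchant status into one university-wide summary."""
    ages = [a for a in (saq_age_days(m, as_of) for m in merchants) if a is not None]
    by_type: dict = {}
    gaps = []                   # (merchant_id, reason) pairs needing follow-up
    for m in merchants:
        by_type[m.validation_type] = by_type.get(m.validation_type, 0) + 1
        age = saq_age_days(m, as_of)
        if age is None:
            gaps.append((m.merchant_id, "no SAQ on file"))
        elif age > SAQ_MAX_AGE_DAYS:
            gaps.append((m.merchant_id, f"SAQ {age} days old"))
        if m.validation_type == "SAQ-D" and (
            m.latest_asv_scan is None or (as_of - m.latest_asv_scan).days > ASV_MAX_AGE_DAYS
        ):
            gaps.append((m.merchant_id, "ASV scan missing or older than 90 days"))
    with_gaps = {mid for mid, _ in gaps}
    return {
        "merchants": len(merchants),
        "saq_age_min": min(ages) if ages else None,
        "saq_age_max": max(ages) if ages else None,
        "saq_age_avg": round(mean(ages)) if ages else None,
        "by_validation_type": by_type,
        "gaps": gaps,
        "pct_current": round(100 * (len(merchants) - len(with_gaps)) / len(merchants)),
    }
```

The gap list is what the individual merchant visits feed on; the percentages and age statistics are what goes up to the audit committee.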