
Hello All,

 

For those PCI DSS Compliance Gurus, how do you assure University-Wide PCI DSS compliance?

 

  1. Do you ensure PCI DSS compliance for each merchant ID individually or do you take all merchant IDs for the University?
  2. If individually, do you ONLY consider those transactions for compliance purposes?
  3. How do you ensure/assure compliance for your University as a whole?  

I would really appreciate any feedback I can get from experts as Audit Committees have a tendency to ask basic compliance questions and request global assurance.

 

I would also appreciate approaches used at your University to address global compliance assurance or other general opinions, comments, etc.

 

Carlos

 

Carlos S. Lobato, CISA, CIA

IT Compliance Officer

 

New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003

 

Phone (575) 646-5902

Fax (575) 646-5278

Comments

We have independent questionnaires from all merchants that roll up into university-wide questionnaires (only these end up being accessible to outside parties). We have split up merchants based on payment gateway and means of accepting credit cards (POS versus SAQ-D).

 

Ideally, we try to meet with each merchant individually, but staff resources are an issue. I have 30% time allocated to compliance in general (not just PCIDSS) and when I was tossed into PCI compliance, it took me a couple of months just to meet individually with SAQ-D merchants and analyze what we had on campus. Needless to say that cannot be repeated each year without sacrificing other projects.

 

I think SAQ-A and SAQ-B can be summarized easier than SAQ-D because our SAQ-D merchants have a multitude of software solutions, payment gateways etc. So I hope to get additional staff to work with these merchants and do annual visits re compliance. I would not want to assess SAQ-D compliance without looking at each individual questionnaire from merchants and reserve time to call and discuss issues. We simply have too much variety to simply answer a university questionnaire without relying on individual questionnaires. One battle I am fighting is the desire that I provide answers to specific sections and I have been resistant to do that because I don’t want any changes to slide through because specific sections got pre-filled answers.

 

For SAQ-B we require analog lines and for SAQ-A we do check on staff regarding whether any credit cards were handled in person. This creates some uniformity, especially regarding risk.

 

 

 

Hi Carlos,

 

I’ve completed a few reviews of PCI DSS compliance and I try to follow this process:

 

  1. Have they completed their Self Assessment Questionnaire (and there are multiple types, based on the processing environment)? They must do so annually, and if they haven’t they can’t KNOW they are compliant.
  2. If they have completed their SAQ, who completed it? Do they have visibility into ALL areas conducting PCI processing (Alumni, athletics, events, etc.)?
  3. If they have completed their SAQ and identified areas where mitigating controls are required, who is following up on those changes to ensure they happen?
  4. Does the campus have a process for reviewing existing PCI processing and approving new services or changes to existing processes?
  5. Are these procedures publicized and employees trained on their practices?
  6. Do you have a campus-wide Information Security Policy? This is a PCI DSS requirement, regardless of the processing environment.
  7. Does the campus (or each decentralized area) have written PCI procedures for both electronic copies and hardcopies?
  8. If you’ve identified your PCI DSS environments and segmented them you are allowed to submit a separate SAQ for each environment.

 

PCI DSS is a compliance quagmire. Most schools try to keep PCI DSS processing off their campus networks because, by having the activity on the campus network, the entire campus network comes into scope for PCI DSS.

 

Two Resources:

https://www.pcisecuritystandards.org/security_standards/

 

and

 

http://pciguru.wordpress.com/

 

Good Luck and feel free to call my cell if you have specific questions.

 

 

Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Brandeis University, Mailstop 110

Phone: 781-736-8703

Cell:     781-296-4444

Fax:     781-736-8706

 

 

 

 

I wouldn’t say “assure”, but to attest/track/make progress, I’ve used, for each business area/payment processing/CDE-handling area, the following:

Columns tracked for each item: Yes | No | Percentage Complete or Count | Gap SAQ

Items tracked:

  • Institution
  • Campus
  • Latest Campus Discussion
  • Last SAQ Completed
  • SAQ Age (days): Min / Max / Avg
  • Select Merchant Level Goal
  • Achieve Validation Type goal
  • Confirmed Validation Type Status
  • Reduce scanning scope to applicable systems
  • Latest ASV Scan
  • PCI Island Defined
  • PCI Island Implemented
  • Internal Scans Configured
  • Business Area
  • Validation Type
  • Effective Validation Type
  • POS Manufacturer
  • POS Version
  • POS Compliant
  • In-scope Application Vendor
  • Application Version
  • In-scope applications PA-DSS validated
  • Concessionaire environment present?
  • Concessionaire name
  • Concessionaire environment externalized
  • Outsource Agreements
  • Service Provider
  • Service Provider Agreements
  • Service Provider Applications
  • Service Provider Validated
  • Local Policies developed
  • Employee Background Checks Performed (SAQ-D Only)
  • Acquiring Bank(s)
  • # Merchant agreements
  • Merchant ID Code
  • Bank requesting merchant compliance reporting?
  • Contracted QSA Firm

 

 

I handle PCI DSS compliance for each merchant ID individually. Oberlin College is a small organization and we only have about 10 accounts. I believe this is the best way to handle this for a small set of merchant accounts.

Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH 44074
440-775-8702
Barron.J.Hulver@oberlin.edu
http://www2.oberlin.edu/staff/bhulver/
