Tuesday, January 12, 2010

PCI Security Policies and You - Part 2


Above is a table. It's kind of hard to read, but if you click on it you should be able to get a larger view of it. Security poicy requirements affect to some degree every campus merchant the table maps the PCI requirement needing a written policy to the respective Self Assessment Questionnaire (SAQ).

For example, a merchant that outsources its processing and qualifies to SAQ A has to implement policies for managing their service provider(s) (12.8) and for handling the paper media with cardholder data (9.7, 9.9, and 9.10). I decided to include 3.1 in the table since to meet the relevant parts of requirement 9 you need to develop a data retention and disposal policy.

If you use another SAQ you have more policy work to do.

Your first option is to develop your security policies independently from scratch. This choice has the advantage of responding to your organization’s operations and business needs and culture.

Your second option is to search for models templates to give yourself a head start. This is the “Google is your friend” approach. If you decide to follow this approach, three sites in particular merit your attention:

  • Educause has a Data Incident Notification Toolkit.
One problem with any of these resources is that the examples may not match your school's exact needs. Another problem is that none is designed to be PCI-specific, and none really covers all the requirements. That is, you will still have a lot of work to do modifying whatever you download to fit your PCI needs.

The good news is that many schools view their security policies as public information. As a Higher Ed institution, you are part of a very collaborative group of people. Therefore, some of the best potential examples may be available to you on the web.

But if you can't find good examples, there may still be an option.

That will be the subject of Part 3.

No comments:

Post a Comment