See if any of the following situations apply to you and your school. If so, we should talk. My contact information
is at the bottom of the page.
• Your acquirer (bank processor) is pressing you to be PCI compliant NOW.
The original deadline for PCI compliance was December 2005. In 2007, the card brands focused on getting their larger (Level
1-3) merchants compliant through a series of incentives and penalties. The focus now has shifted to Level 4 merchants which
includes many Higher Education institutions. There is a series of mandates (on this site) issued in October 2007 to address
Level 4 merchant compliance, and these mandates specifically identify universities as a high-risk merchant group. If your
processor is pressuring you, it is because they realize the importance of your institution becoming PCI compliant quickly.
There are financial and reputational risks to non-compliance. We should talk about organizing your team, gathering resources,
and developing an action plan to get your institution compliant.
• You know more about PCI than some of the QSAs you speak to.
Many schools leap to hire a QSA as a first step, and they are disappointed. This may not be the best way to start. First,
not all QSAs are created equal: some have excellent credentials with IT and audit experience, while others are new to
PCI and the card business (see below). I suggest a better way to start is to talk to a PCI expert you can trust and who will
give you straight answers. Focus on limiting PCI scope and minimizing your compliance effort. Then if there are detailed
technical issues, retaining a QSA can be a great idea when you get to that point. Hiring one at the start can actually lead
to a missed opportunity to focus and reduce your compliance effort from the beginning.
• You are talking to a QSA, but either they don’t understand the card business or they are new to Higher Education.
In 2007, the PCI Council trained and certified over 1,500 new QSAs. While all of them went through the same training and
passed a test, some bring more experience, knowledge, and expertise than others. You should have high expectations, and they
should be met. Interview carefully not just the firm but the specific individuals assigned to your school before making a
decision. You also may wish to retain me or another expert to provide the missing knowledge.
• Your acquirer told you to complete SAQ “D.”
I have seen this before. Your acquirer may not really understand your internal operations, so they opt for the easiest way
out – for them. By conducting a payments analysis (see below) and reducing your school’s PCI scope, we can go
back to your acquirer and make a case for filing one of the shorter SAQs. This step alone can save weeks or even months of
effort. Before you can take this step we need a comprehensive payments analysis, sometimes accompanied by changes to your
card acceptance practices.
• You would like a short-list of compliant service providers or acquirers that understand the needs of your Higher Education institution.
While I am an independent consultant and I do not promote any products or services, I maintain close relationships with many
vendors and bank acquirers active in the Higher Education market. Using my knowledge and contacts I can help your institution
identify a short list of providers that understand your needs and offer proven solutions.
• You have a vendor offering a “free” consultant.
What’s not to like about “free?” Keep in mind that the consultant still works for the vendor, and that
is where their loyalty lies. Remember the line in the movie, The Godfather: “This is business, not personal.”
It’s like that with vendor consultants – this is business. Assume that when they look at you what they see is
their next paycheck, or new boat, or mortgage payment, or braces for the kids. I may sound blunt, but consider it. Contact
me and I’ll tell you a horror story. Sometimes “free” can be very, very expensive.