Walter Conway
Typical PCI Assignment
Step 1: Payments Analysis

Before we meet, I will send a questionnaire you should complete before I arrive. I will ask you to develop a list of all your campus merchants, including affiliates and any third parties using the University's network. You will collect data on their payment card activity for the last year, how cards are accepted, and your current policies and procedures. The questionnaire also explores terminals (models and count), vendors and applications, service providers, and record retention policies and practices. While this sounds daunting, your acquirer should be able to provide a great deal of the information very quickly.

Step 2: On-Site Visit

Most often this is a one-week effort that launches or accelerates your PCI compliance team's effort.
Monday morning we would get ourselves organized and agree on our strategic direction. Specifically: Is your school in the payment processing business? Do we agree our primary approach is to minimize PCI scope? Do we agree that cardholder data, as defined by PCI, will not be stored anywhere on campus, either electronically or on paper? Do we agree we should take a risk-based approach to PCI compliance? Are the consequences of merchant non-compliance articulated and enforced? This may also be a convenient day to brief C-level University staff (CFO, CISO) and others (Internal Audit, Purchasing, Legal) on the team's plans and direction.

Working together, we would go through your list of campus merchants and identify those that are "high priority" and merit our immediate attention. Merchants would make this list if they use known non-compliant (or known compromised) software applications or service providers, if they store large amounts of cardholder or payment data, if they have risky POS conditions such as wireless, or simply because of their sheer size. That afternoon we would develop a workplan, review the POS terminals in use, contact your acquirer with any questions, and prepare for the merchant meetings.

Tuesday and Wednesday we would meet with the high priority merchants, up to 4 or 5 per day depending on scheduling. We would visit their sites and observe how they take payment cards across all channels (card present, mail, phone, Internet, etc.). We would ask how they process exception items (refunds and chargebacks) and what transaction data are kept and where (paper and electronic). We also need to learn about back-up procedures and network connections. We would get together at the end of each day to debrief the team and agree on what we found and what remediation steps might be needed to achieve compliance. We would also identify what additional information we need from the merchant, their vendors, or the school's own network operations.

Thursday we would hold additional merchant meetings as needed and begin pulling together a picture of PCI compliance, identifying the biggest gaps (again, using a risk-based approach) and the implications for timing and budget. We would begin to close in on a target date for PCI compliance. We may use this time to contact application or service vendors used by campus merchants to get additional information or answer questions (e.g., can a system be easily reconfigured not to store cardholder data; can web surfing and email be disabled on a POS server; can back-ups and logs be configured not to store prohibited data?). We may also contact the acquirer with questions or to seek additional support or information.

Friday we would pull together the week's work and debrief the team. We would also provide an interim report to the C-level sponsors, identifying the highest priority risks the institution faces and possible remediation steps.

Step 3: Reporting

Over the next several weeks I will draft a brief written report outlining the team's findings and recommendations. I distribute drafts to the team for comments and corrections and to fill in missing information. The final report is usually ready within a few weeks of our on-site work.

Step 4: Completing Initial Compliance

Some institutions will be able to complete their PCI compliance with little or no further consulting support. Others may want telephone consultation (questions are always welcome!), additional research, or one or more follow-up visits. The decision is yours and depends on your individual staffing and circumstances.

© 2010 Walter Conway. All Rights Reserved.