[Madlug] PCI Dss

Leinweber, James jiml at mail.slh.wisc.edu
Sat Dec 12 21:55:01 CST 2009

> Do any of you have to deal with PCI standards? (credit card processing
> security standards).
> We are getting beaten up by our credit card processor to prove our
> compliance...

You can get hit with PCI-DSS even if you aren't doing credit cards, as
it is becoming the not-so-stealthy legal standard of due care, and at
UW-Madison it is required for all "restricted" category data (covered by
HIPAA, the WI identity theft statute, ...).

It can be onerous; American Family is rumored to have invested 5-10 M$
and about 600 man-years in their compliance work.  As an insurance
company, financial integrity is a strategic necessity for them.

If you want to go local, I think Berbee/CDW might be able to audit,
though I don't know if they are certified.  Definitely start with
the self assessment questionnaire, including the auditing guidelines,
which add a lot of useful detail.

-- Jim Leinweber
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 2810 Walton Commons West; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179   5C6B C8B9
