My day job is in healthcare and because we take cc, we're subject to all this.  
Across half a dozen or so merchant IDs.  It's a huge pain, but from a risk 
management perspective, it's not much more over the stuff we're doing to meet 
HIPAA.  

All the new compliance generations (HIPAA, GLBA, SOX, PCI) seem to be circling 
the drain on the same concepts of best practices.  NIST/COBIT etc.  

Like I said, it's all a huge pain, but if you're subject to one, it's usually 
not a huge stretch when one of the others come into play.  That is, if you have 
a semi mature risk/compliance program in play. 

For small shops, it seems like do your best, or ignore it.  Main takeaway is: 
least compliant entity pays for fraud charges since after the beginning of this 
month.  

___________________________
Mangled by my iPhone.
___________________________

Tyler Treat
Corn Belt Technologies, Inc. 

[email protected]
___________________________


> On Oct 28, 2015, at 6:44 PM, Ken Hohhof <[email protected]> wrote:
> 
> I think only a masochist would pay to do that, unless someone made you.
> 
> 
> -----Original Message----- 
> From: Scott Vander Dussen
> Sent: Wednesday, October 28, 2015 6:35 PM
> To: [email protected]
> Subject: [AFMUG] PCI Compliance- who has it?
> 
> Just saw Ken's post about PCI compliance and didn't want to hijack that 
> thread.  PCI compliance when it first came out was mandated by the credit 
> card processor, about $20/mo and included some quarterly scans for 
> vulnerabilities or exploits.  We've switched processors a few times and 
> realized that no one has asked us about PCI compliance for years.  Looked 
> into purchasing PCI auditing from McAfee and it's $1k a year, and involves 
> an extremely intensive questionnaire of the company plus serious internal 
> documentation of policy etc.  Basically, PCI compliance got a lot more legit 
> and expensive.  Just wondering what everyone else is doing?  Grandfathered 
> the old low-tech quarterly scan, nothing at all, or are you on board with 
> this newer intense PCI compliance?
> 
> Thanks,
> `S
> 
> 

Reply via email to