Blackboard is a level 1 service provider, a hosting provider, a level 3 merchant and a PA-DSS application developer. I am actually in the middle of my on-site audit for the service and hosting provider portions. It is far more in-depth and picky than it has been in the past. Considerably more documentation, testing and narratives have been involved, as well as several discussions on increase in scope (which I am arguing... the first rule of PCI is segment to limit the scope, and expanding it outside turns the whole thing on its head). So regardless of your level of PCI touch points, the council is really cracking down. The Heartland breach scared the hell out of everyone.
At the merchant level obviously the direct oversight is less. The risk falls to your acquiring banks and processors. If you do not complete the SAQ, or if after a breach you are found to be non-compliant, you may lose your merchant status and your acquiring banks and processors could face significant consequences. Fudging the SAQ is not a good idea. It's very much like software piracy; you may get away with it for a long time or maybe forever, but the consequences are severe if you get caught. And just as an aside, the automatic jump after a problem to level 1 requiring an onsite assessment is a nightmare. We're required by virtue of our service provider status (we operate our own payment switch for our transaction/commerce LOB clients), but it is incredibly painful and as of this year competing with SOX for things that gray my hair, increase my blood pressure and make me a fan of scotch.

-rd

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brad Knowles
Sent: Wednesday, June 03, 2009 11:44 PM
To: Tracy Reed
Cc: [email protected]
Subject: Re: [lopsa-tech] PCI-DSS: Is this for real?

on 6/3/09 2:08 AM, Tracy Reed said:
> So what has your experience with PCI been? Is anyone really enforcing
> it on level 3 merchants?

I know a guy who works at cybersource.com, which is located here in Austin. They specialize in outsourcing eCommerce payment solutions and PCI compliance, and have recently bought authorize.net, which is one of the best known small business payment handling systems.

He told me that Visa has recently really started cracking down, and that has caused a *huge* increase in the amount of work being sent their way -- way too many companies have decided they just can't handle PCI compliance internally.

Regretfully, that's all I really know on that subject.
--
Brad Knowles <[email protected]>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
