Loyola University Chicago

Information Technology Services

PCI/DSS Compliance


November 2008: Closing Report
Customer: Finance (Laird) / Project Manager: Prina / Health:

  • Project extended a few weeks due to resource constraints. Project completed on 12/2/2008 with all remediation, testing, and training tasks completed.
  • Sixty-nine remediation tasks completed. Two hundred and forty-three test procedures completed. Held 31 training sessions with merchants.
  • Awareness information posted to ITS Policies and Guidelines website.
  • Next Steps: (1) Integrate policies and procedures created for PCI compliance into standard business processes at the University. (2) Project close-out meeting to be conducted in January 2009.

August 2008
Customer: Finance (Laird) / Project Manager: Cothern / Health:

  • The project health remains orange due to the significant risk of not meeting the 10/1/08 compliance deadline. The scope of the remediation tasks is large.
  • A third party consulting firm, Halock QSA, validated the discovery process, results and remediation tasks.  No gaps were identified by the vendor.  The process was free of charge.
  • Reviewing project plan milestones with Infrastructure Team to develop the final timeline.
  • Worked with ITS staff to discuss parking office alternatives and resources required. Also met with parking office, ITS and RevCon to solidify timelines. Alternative solution can be met by 8/29.
  • Working on the detailed remediation tasks. The critical compliance efforts are near completion and should be finalized by the compliance deadline. The remaining low-risk efforts are expected to be completed during Q2 FY09.
  • Next Steps: (1) Deliver proposed timeline to project sponsors and validate completion of all tasks by the deadline. (2) Ongoing senior management review of recent updated costs. (3) Install disk and set up virtual machines. (4) Finalize priority 5 and 4 infrastructure items and order. (5) Continue build, patching, and process development. (6) Identify Tripwire solution.

May 2008
Sponsor: Finance (O’Brien) / Project Manager: Cothern / Health:

  • Project has several unknowns regarding scope and availability of staff and budget resources, all of which could impact the delivery timeline. Sponsor is requesting an 8/1 delivery, but ability to meet this goal cannot be accurately assessed until the discovery phase has been completed.
  • Completed v5.0 of Applications/System Matrix. Added new data regarding in-scope applications and associated application servers. Matrix sent to DBA Manager for population of associated databases.
  • Met with Network/Server/Desktop Managers and completed high-level review of Scorecard. Next meeting scheduled for 5/20 to drill down into individual regulations to determine compliance and gaps and to assign individual task ownership.
  • Met with Finance and Procard manager for discovery.
  • Worked with IS Project Lead to develop PCI Questionnaire, Cabinet Meeting memo, and PCI website.
  • Set recurring status meeting with team leads and developed Project Sponsor status reporting.
  • Next Steps: (1) All IS Manager meeting to drill down scorecard for task compliance, gaps, remediation, and task ownership. (2) Complete mid-level project plan based on current state discovery. (3) Develop new templates for capturing discovery meeting results. (4) Set up meetings with individual teams based on results of 20 May meeting. (5) Begin development of high-level data flow. (6) Review of Section 12 regulations (IS Policy) to determine current state, gaps, and next step tasks.