Educause Security Discussion mailing list archives

Re: PCI and common access computers


From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 25 Mar 2010 08:54:35 -0500

I would split the hairs at "is this a required part of the payment process for something that you are in scope for".

If you make people come into a lab and then submit payment for some service from those terminals to a payment 
application, I'd argue they are in scope. If people happen to use a common lab resource to conduct personal 
transactions with your payment applications, then I don't think they are in scope. 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary
Sent: Thursday, March 25, 2010 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI and common access computers

It has been suggested that these types of computers that people could use
to perform credit card transactions may be in-scope for PCI compliance
requirements. Anyone heard anything like that? I don't see how it could
ever work as you couldn't restrict the access to the credit card requesting
sites because they could be anywhere. And you really couldn't reliably 
prevent people from typing them either.
