Educause Security Discussion mailing list archives
Re: PCI compliance question
From: "Hudson, Edward" <ewhudson () CSUCHICO EDU>
Date: Thu, 8 Jul 2010 12:13:54 -0700
I am a former QSA (and ask 10 others and you will get at least 5 different answers).. but I think Joel has the pivotal issue here. While yes, someone can swipe a CC in any magnetic reader and some data may be transmitted, the onus for demonstrating PCI compliance is on the MID (merchant ID). They are not accepting a CC for a good or service.. the fact that someone can errantly swipe a CC does not put the device in scope IMHO.

Same kind of idea of a kiosk type device where someone chooses to make an internet purchase of some (Amazon etc).. those would not be in scope, because no MID is associated with that device.

Ed Hudson, CISM
Information Security Office
California State University, Chico
www.csuchico.edu/ires/security
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Thursday, July 08, 2010 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance question

We are struggling with a PCI compliance issue and have been asked to query this list.

We have vending machines (drink, snack, laundry, etc.) on our network that are being set up for use with our university "one card" system. The readers on these machines will transmit and process our cards just fine. However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction.

The big question: are the vending machines considered in-scope for PCI? If so, that means a lot of other things will be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University