Educause Security Discussion mailing list archives
Re: PCI compliance question
From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Thu, 8 Jul 2010 15:17:29 -0400
I'm not a QSA either, but my recent experience has been that compliance with PCI DSS is most directly enforced by a merchant's acquiring bank. If there isn't an acquirer threatening to shut down a merchant ID for failure to comply with the DSS because of your arrangement, this is arguably a non-issue. If cardholder data are being intercepted in transit, or being stored (even though rejected) by the transaction server though, you have a *security* concern. (And potentially a regulatory concern, depending upon local laws.) In such cases, I'd probably consider these systems in scope as a matter of best practice. Your mileage may vary; I am not [a lawyer|a QSA|clergy]; etc. -sth -- Sam Hooker | samuel.hooker () uvm edu Systems Architecture and Administration Enterprise Technology Services The University of Vermont On 20100708 14:57 , Joel Rosenblatt wrote:
I am not a PCI expert, but I have been up to my eye balls in PCI stuff for a while :-) If you are not accepting CC, then the fact that the miss guided person sticks his card in your device does not put that device in scope for PCI. If someone were to swipe their Visa card in your controlled access door swipes, and this were the case, then every door on your campus would suddenly become in scope for PCI. The ultimate responsibility for PCI belongs to the organization that owns the MID for the account that will receive the income from that transaction - since there is no MID (Merchant ID) attached to your vending machines, there can be no PCI compliance. In my opinion, I believe, and any other disclaimer :-) My 2 cents Joel Rosenblatt Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel --On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob" <smithrj () LONGWOOD EDU> wrote:We are struggling with a PCI compliance issue and have been asked to query this list. We have vending machines (drink, snack, laundry, etc.) on our network that are being setup for use with our university "one card" system. The readers on these machines will transmit and process our cards just fine. However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction. The big question: are the vending machines considered in-scope for PCI? If so, that means a lot of other things will be too. Thanks. Bob Smith AVP IITS & Information Security Officer Longwood UniversityJoel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Re: PCI compliance question, (continued)
- Re: PCI compliance question Sarazen, Daniel (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Kevin Hayes (Jul 08)
- Re: PCI compliance question Eric C. Lukens (Jul 08)
- Re: PCI compliance question Jeff Kell (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Jon Hanny (Jul 08)
- Re: PCI compliance question Marley, Tim (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Paul Kendall (Jul 09)
- Re: PCI compliance question Joel Rosenblatt (Jul 09)
- Re: PCI compliance question Kelley Bogart (Jul 08)
- Re: PCI compliance question Paul Kendall (Jul 08)