Educause Security Discussion mailing list archives
Re: PCI compliance question
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 8 Jul 2010 15:24:44 -0400
Not if you don't accept the card .. there is no way for them to come after you if their is no MID associated with the service. One of their biggest sticks is that they will block your account .. this is not very effective if you don't have an account :-)PCI was designed to protect the CC industry from vendors that are not protecting the CC data - if your not doing business with them(the CC industry), then their rules do not apply.
PCI is not a law, it is something cooked up by the CC industry to move the risk back to the vendors taking the cards. Joel --On Thursday, July 08, 2010 3:12 PM -0400 Michael Benedetto <mbenedetto () amnh org> wrote:
Joel: Even though his machines may not be accepting the card, is it denying the card at the swipe location itself, or is the CC data being sent back to a centralized server for approval. If it is being transmitted to a central server and/or being stored on a central server, even though it is invalid data, the transmission and the storage would both be in scope. If the swipe card reader itself could tell the data was invalid at the moment it was swiped and did not transmit or store the invalid data, then it would be out of scope. -Mike Benedetto -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt Sent: Thursday, July 08, 2010 3:08 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI compliance question His machines are not accepting CCs .. they are accepting his own cards ... since they do not accept credit cards for those services, then despite the fact that people are putting the wrong card in the machine, they are not in PCI scope. Using your logic, any device with a card swipe would be in PCI scope, which is clearly not the case. To be charged with a violation, there has to be an account - no account, no violation. IMHO Joel --On Thursday, July 08, 2010 3:01 PM -0400 "Lazarus, Carolann" <lazarus () buffalo edu> wrote:My issue with this is that he said the machines transmit the CC to theserver. I'm not an expert, but I believe any transmission of CC falls under PCI, evenif the transaction is rejected. The transmission has to be secure. IMO Carolann G Lazarus, CISA 716-829-6947 lazarus () buffalo edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel RosenblattSent: Thursday, July 08, 2010 2:58 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI compliance question I am not a PCI expert, but I have been up to my eye balls in PCI stuff fora while :-)If you are not accepting CC, then the fact that the miss guided personsticks his card in your device does not put that device in scope for PCI.If someone were to swipe their Visa card in your controlled access doorswipes, and this were the case, then every door on your campus would suddenly becomein scope for PCI. The ultimate responsibility for PCI belongs to the organization that ownsthe MID for the account that will receive the income from that transaction - sincethere is no MID (Merchant ID) attached to your vending machines, there canbe no PCI compliance.In my opinion, I believe, and any other disclaimer :-) My 2 cents Joel Rosenblatt Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel --On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob"<smithrj () LONGWOOD EDU> wrote:We are struggling with a PCI compliance issue and have been asked toquery this list. We have vending machines (drink, snack, laundry, etc.) on our networkthat are being setup for use with our university "one card" system. Thereaders on these machines will transmit and process our cards just fine. However,when someone uses a CC it is transmitted to the card system/server, butthe system ignores it and does not process the transaction.The big question: are the vending machines considered in-scope for PCI?If so, that means a lot of other things will be too.Thanks. Bob Smith AVP IITS & Information Security Officer Longwood UniversityJoel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joelJoel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
Joel Rosenblatt, Manager Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel
Current thread:
- PCI compliance question Smith, Bob (Jul 08)
- Re: PCI compliance question Barrera, Connie (Jul 08)
- Re: PCI compliance question Michael Sana (Jul 08)
- Re: PCI compliance question Hudson, Edward (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Lazarus, Carolann (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Michael Benedetto (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Sarazen, Daniel (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Kevin Hayes (Jul 08)
- Re: PCI compliance question Eric C. Lukens (Jul 08)
- Re: PCI compliance question Lazarus, Carolann (Jul 08)
- Re: PCI compliance question Barrera, Connie (Jul 08)
- Re: PCI compliance question Jeff Kell (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Jon Hanny (Jul 08)
- Re: PCI compliance question Marley, Tim (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)