Educause Security Discussion mailing list archives
Re: PCI compliance question
From: Daniel Robert Adinolfi <dra1 () CORNELL EDU>
Date: Fri, 9 Jul 2010 09:29:50 -0400
On Jul 08, 2010, at 14:57, Joel Rosenblatt wrote:
If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put that device in scope for PCI.
Our read on this issue mirrors Joel's. Though, I agree with another poster (sorry, I lost that message) who said they put signs on the vending machines that say "This machine will not accept credit cards."

Based on our fun experience with a QSA during a gap analysis we asked for, documentation is really, really important. If something is documented, it exists. If it is not documented, it does not exist to an auditor. Therefore, document where you take credit cards and where you do not. If a unit has a card reader, their PCI documentation should include that fact and describe that they do not write down the card number/accept them on post-it notes on their front door/allow someone to write it down in magic marker on an office plant/etc. (It's probably easier to say, "We ONLY accept cards in the following ways".) Make these policies clear to the public, and you have gone a long way to limit your exposure. Document, publish, and stick to the documentation.

So, back to the question, if you put signs on your vending machines that say "Don't be silly and use a credit card here. We'll laugh at you.", document that in your Big Book o' PCI Documentation, and make sure your application cleans out any errant CC data that might touch it, you don't need to consider that system in-scope.

My $0.04. (inflation)

-Dan
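One way to "clean out errant CC data" from a system that is documented as not accepting cards: scan anything the application logs or stores for card-number-like digit runs, keep only those that pass the Luhn check (which weeds out most timestamps, IDs and serial numbers), and mask them before they persist. This is an added illustration, not code from the thread or from any poster's environment; the log line, the 13-19 digit heuristic and the well-known test number 4111 1111 1111 1111 are constructed for the example.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit serial is not split into pieces).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; card PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card-number-like run, keeping only the last 4 digits.

    Returns (scrubbed_text, number_of_runs_masked). Runs that look like a PAN
    but fail Luhn are left untouched, which keeps timestamps and IDs readable.
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return _CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    # Constructed sample: a vending-machine app log line that a swiped card
    # accidentally landed in, next to a timestamp and a transaction id.
    sample = "swipe card=4111 1111 1111 1111 ts=20100709092950 txn=1234567890123456"
    cleaned, n = scrub_pans(sample)
    print(n, cleaned)
```

Run it against whatever the application writes to disk or ships to a log server; a non-zero count is itself worth alerting on, because it means card data reached a system your documentation says never sees it.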