Educause Security Discussion mailing list archives

Re: PCI compliance question


From: Daniel Robert Adinolfi <dra1 () CORNELL EDU>
Date: Fri, 9 Jul 2010 09:29:50 -0400

On Jul 08, 2010, at 14:57, Joel Rosenblatt wrote:

If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put 
that device in scope for PCI.

Our read on this issue mirrors Joel's.  Though, I agree with another poster (sorry, I lost that message) who said they 
put signs on the vending machines that say "This machine will not accept credit cards."  

Based on our fun experience with a QSA during a gap analysis we asked for, documentation is really, really important.  
If something is documented, it exists.  If it is not documented, it does not exist to an auditor.  Therefore, document 
where you take credit cards and where you do not.  If a unit has a card reader, their PCI documentation should include 
that fact and describe that they do not write down the card number/accept them on post-it notes on their front 
door/allow someone to write it down in magic marker on an office plant/etc.  (It's probably easier to say, "We ONLY 
accept cards in the following ways".)  Make these policies clear to the public, and you have gone a long way to limit 
your exposure.  Document, publish, and stick to the documentation.

So, back to the question, if you put signs on your vending machines that say "Don't be silly and use a credit card 
here.  We'll laugh at you.", document that in your Big Book o' PCI Documentation, and make sure your application cleans 
out any errant CC data that might touch it, you don't need to consider that system in-scope.

My $0.04.  (inflation)

-Dan
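Dan's last point, that an application which is not supposed to take cards should still clean out any errant card data that reaches it, is the one piece of this thread that turns into code. The block below is an added illustration, not something from the original post or from any Cornell system: it scans free text (a comment field, a support ticket, a log line) for runs of 13 to 19 digits, keeps only those that pass the Luhn check so that order numbers and phone numbers are left alone, and replaces each hit with a masked token. The regex, the masking format and the sample inputs are all assumptions made for this example.

```python
import re
from typing import Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side. (Assumed pattern for this example.)
_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Return True if a string of ASCII digits passes the Luhn mod-10 check.

    Every real card number passes it; most arbitrary digit runs do not,
    so it is a cheap way to avoid redacting order or tracking numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_pans(text: str) -> Tuple[str, int]:
    """Replace Luhn-valid card-number-like runs in *text* with a masked token.

    Returns the scrubbed text and the number of replacements made, so the
    caller can log "N card numbers were removed" without logging the numbers.
    Only the last four digits survive, which is what PCI allows to be shown.
    """
    count = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r'[ -]', '', raw)
        if not luhn_valid(digits):
            return raw          # plausible order number, not a PAN: keep it
        count += 1
        return '[PAN-REDACTED-last4=' + digits[-4:] + ']'

    return _CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    # Constructed sample: a free-text note that a user typed into a form on a
    # system that does not accept cards. 4111 1111 1111 1111 is a well-known
    # Visa test number; the 16-digit "order" value fails Luhn and is kept.
    note = "Card 4111 1111 1111 1111 exp 12/24, order 1234567890123456"
    cleaned, n = scrub_pans(note)
    print(n, "card number(s) removed ->", cleaned)
```

Run this on anything that accepts free text before it is written to a database, a log, or a ticketing system; the count it returns is what goes into your documentation as evidence that errant card data is being removed rather than stored.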
