Educause Security Discussion mailing list archives
PCI compliance question
From: "Smith, Bob" <smithrj () LONGWOOD EDU>
Date: Tue, 13 Jul 2010 18:01:54 -0400
As promised, here are the results of my research.

First, let's assume that we are not accepting CC's on our "one card" system. Otherwise, our vending machines could be considered in-scope due to what I have heard called "scope creep" and this would all be a moot point.

The inadvertent/accidental swipe of a CC in our vending machines would not make our system in-scope for PCI compliance. As said in other posts, this is consistent with other systems like building access control, printing services, Library self-checkout, etc. that you wouldn't expect to be considered in-scope where there is no acceptance of CC's. Those systems accept our "one cards," but not CC's.

In our opinion, this becomes more of a security issue rather than PCI compliance and some "good practices" we will probably take are:

1. posting signs on the vending machines (or others as appropriate) stating something like "This machine will not accept credit cards."
2. regularly expunging any files (system logs, rejected transactions, backups, etc.) where the CC data might be stored
3. documenting the above steps

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University