Re: PCI and common access computers

[Zach Jansen <zjanse20 () CALVIN EDU>]

Are you saying that because people could buy stuff with credit cards from these common access computers they need to be 
PCI compliant? This argument makes no sense to me, customer computers are not in scope for PCI and I believe these 
would have to be considered customer computers unless your employees are using them to store, process, or transmit 
transactions in the performance of their duties with the university. 

I would separate them so they don't have access to your internal card holder networks. Like any other machine in the 
world, they should have access to the external public facing side. 

However, I'm certainly no authority on PCI, you should confirm your setup with your merchant bank, or QSA. They should 
be able to answer that for you after learning all the details of your setup. 

Zach





-- 
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

> > > On 3/25/2010 at 9:45 AM, in message
<08F275DE6ECE694B9239496100EFAB6F065B320D7F () IT-EXMBX1 ad jmu edu>, "Flynn,
Gary" <flynngn () JMU EDU> wrote:
> It has been suggested that these types of computers that people could use
> to perform credit card transactions may be in-scope for PCI compliance
> requirements. Anyone heard anything like that? I don't see how it could
> ever work as you couldn't restrict the access to the credit card requesting
> sites because they could be anywhere. And you really couldn't reliably 
> prevent people from typing them either.