Re: PCI compliance question

[Joel Rosenblatt <joel () COLUMBIA EDU>]

His machines are not accepting CCs .. they are accepting his own cards ... since they do not accept credit cards for those services, then despite the fact that 
people are putting the wrong card in the machine, they are not in PCI scope.

Using your logic, any device with a card swipe would be in PCI scope, which is clearly not the case.

To be charged with a violation, there has to be an account - no account, no violation.

IMHO

Joel

--On Thursday, July 08, 2010 3:01 PM -0400 "Lazarus, Carolann" <lazarus () buffalo edu> wrote:

> My issue with this is that he said the machines transmit the CC to the server.  I'm not an expert, but I believe any 
> transmission of CC falls under PCI, even
> if the transaction is rejected.  The transmission has to be secure.  IMO
>
> Carolann G Lazarus, CISA
> 716-829-6947
> lazarus () buffalo edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
> Rosenblatt
> Sent: Thursday, July 08, 2010 2:58 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] PCI compliance question
>
> I am not a PCI expert, but I have been up to my eye balls in PCI stuff for a while :-)
>
> If you are not accepting CC, then the fact that the miss guided person sticks his card in your device does not put that 
> device in scope for PCI.
>
> If someone were to swipe their Visa card in your controlled access door swipes, and this were the case, then every door 
> on your campus would suddenly become
> in  scope for PCI.
>
> The ultimate responsibility for PCI belongs to the organization that owns the MID for the account that will receive the 
> income from that transaction - since
> there is no MID (Merchant ID) attached to your vending machines, there can be no PCI compliance.
>
> In my opinion, I believe, and any other disclaimer :-)
>
> My 2 cents
>
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
> --On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob" <smithrj () LONGWOOD EDU> wrote:
>
> > We are struggling with a PCI compliance issue and have been asked to query this list.  We have vending machines (drink, 
> > snack, laundry, etc.) on our network
> > that are being setup for use with our university "one card" system.  The readers on these machines will transmit and 
> > process our cards just fine.  However,
> > when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the 
> > transaction.
> >
> > The big question:  are the vending machines considered in-scope for PCI?  If so, that means a lot of other things will 
> > be too.
> >
> > Thanks.
> >
> > Bob Smith
> > AVP IITS & Information Security Officer
> > Longwood University
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel