Educause Security Discussion mailing list archives

Re: PCI compliance question


From: Michael Sana <msana () HPU EDU>
Date: Thu, 8 Jul 2010 09:09:09 -1000

Interesting question that brings up a few ideas:


* You are using your "one card" system (Heartland?), but are the cards tied into the bank or not?  I suspect 
if they are not, then they can be perceived to be just a smart card or a swipe card that only holds a "purse" so not 
within scope of PCI.  However, in regards to the "recharging" mechanism or process, if students have the ability to 
add more money to their "one card" via credit card, that device/process has to be PCI compliant.

I am not a PCI expert, so take it for what it's worth... :)

mike.sana.

Michael C. Sana MSIA, CISSP, CISM, CISA
Information Security Officer
Information Technology Services Division

Hawai`i Pacific University
1132 Bishop St. Suite 307
Honolulu, Hawai`i 96813
Telephone: (808) 687-7034
Fax: (808) 544-1404
Email: msana () hpu edu

"Quis custodiet ipsos custodes?"

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barrera, 
Connie
Sent: Thursday, July 08, 2010 8:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

It is my understanding that vending machines are definitely part of your in-scope devices, especially based on the fact 
that they are connected to your LAN.

Good luck with this.


Connie Barrera, MCSE, CCNA, CCM, CISSP
University of Miami
Director of Information Security and Compliance
Gables One Tower 11th Floor, Suite 1100F
1320 S Dixie Hwy
Coral Gables, FL 33146-2500
O&F:  305-284-2773
connie () miami edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, 
Bob
Sent: Thursday, July 08, 2010 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance question

We are struggling with a PCI compliance issue and have been asked to query this list.  We have vending machines (drink, 
snack, laundry, etc.) on our network that are being set up for use with our university "one card" system.  The readers 
on these machines will transmit and process our cards just fine.  However, when someone uses a CC it is transmitted to 
the card system/server, but the system ignores it and does not process the transaction.

The big question:  are the vending machines considered in-scope for PCI?  If so, that means a lot of other things will 
be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University

