Educause Security Discussion mailing list archives

Re: PCI compliance question


From: "Hudson, Edward" <ewhudson () CSUCHICO EDU>
Date: Thu, 8 Jul 2010 12:13:54 -0700

I am a former QSA (and ask 10 others and you will get at least 5 different answers).. but I think Joel has the pivotal issue here. While yes, someone can swipe a CC in any magnetic reader and some data may be transmitted, the onus for demonstrating PCI compliance is on the MID (merchant ID). They are not accepting a CC for a good or service.. the fact that someone can errantly swipe a CC does not put the device in scope IMHO. Same kind of idea as a kiosk type device where someone chooses to make an internet purchase of some (Amazon etc.).. those would not be in scope, because no MID is associated with that device.
Ed Hudson, CISM
Information Security Office
California State University, Chico
http://www.csuchico.edu/ires/security
Office: (530) 898-6307
Cell: 707-799-3250
ewhudson () csuchico edu
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Thursday, July 08, 2010 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance question

We are struggling with a PCI compliance issue and have been asked to query this list. We have vending machines (drink, snack, laundry, etc.) on our network that are being set up for use with our university "one card" system. The readers on these machines will transmit and process our cards just fine. However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction.

The big question: are the vending machines considered in-scope for PCI? If so, that means a lot of other things will be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University