Educause Security Discussion mailing list archives

Re: PCI compliance question


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 8 Jul 2010 15:17:36 -0400

The 'buck stops' with the owner of the MID. If you're just getting income from some outsourced machines and all of the transactions are between the client and the outsourced vendor, then it's their problem.

As long as you have no way to interact with the client's CC (you don't have a service window where they issue refunds, adjustments, etc.) then this is a clean service. It will be up to the vendor to fill out the SAQ for PCI.

Now, if your school is endorsing this service, it behooves you to make sure that THEY are PCI compliant - you should request certification from them to protect yourselves from splash back in case they have a problem.

My 2 cents.

Joel

--On Thursday, July 08, 2010 3:08 PM -0400 Jeff Kell <jeff-kell () UTC EDU> wrote:

 On 7/8/2010 3:01 PM, Lazarus, Carolann wrote:
My issue with this is that he said the machines transmit the CC to the server. I'm not an expert, but I believe any transmission of CC falls under PCI, even if the transaction is rejected. The transmission has to be secure. IMO


Along a similar vein...

I caught the tail-end of a committee meeting request to put a "Red Box"-like machine on
campus to rent DVDs and video games.  It takes [real] credit cards.  They wanted an
"Internet" connection from us.

Is the PCI responsibility on the box-owner/vendor, or will we become the unwilling
participant in a PCI network by providing such a connection?

Not sure where "the buck stops" with respect to a turnkey appliance sort of device, nor
exactly how it technically differs from a user doing CC transactions from their own
computer (over our network).

Jeff




Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

