Educause Security Discussion mailing list archives
Re: PCI compliance question
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 8 Jul 2010 15:17:36 -0400
The 'buck stops' with the owner of the MID... if you're just getting income from some outsourced machines and all of the transactions are between the client and the outsourced vendor, then it's their problem.
As long as you have no way to interact with the client's CC (you don't have a service window where they issue refunds, adjustments, etc.), then this is a clean service. It will be up to the vendor to fill out the SAQ for PCI.
Now, if your school is endorsing this service, it behooves you to make sure that THEY are PCI compliant - you should request certification from them to protect yourselves from splash back in case they have a problem.
My 2 cents.
Joel

--On Thursday, July 08, 2010 3:08 PM -0400 Jeff Kell <jeff-kell () UTC EDU> wrote:

On 7/8/2010 3:01 PM, Lazarus, Carolann wrote:

My issue with this is that he said the machines transmit the CC to the server. I'm not an expert, but I believe any transmission of CC falls under PCI, even if the transaction is rejected. The transmission has to be secure. IMO

Along a similar vein... I caught the tail-end of a committee meeting request to put a "Red Box"-like machine on campus to rent DVDs and video games. It takes [real] credit cards. They wanted an "Internet" connection from us. Is the PCI responsibility on the box-owner/vendor, or will we become the unwilling participant in a PCI network by providing such a connection? Not sure where "the buck stops" with respect to a turnkey appliance sort of device, nor exactly how it technically differs from a user doing CC transactions from their own computer (over our network).

Jeff
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel