Re: PCI compliance question

[Sam Hooker <samuel.hooker () UVM EDU>]

I'm not a QSA either, but my recent experience has been that compliance
with PCI DSS is most directly enforced by a merchant's acquiring bank.
If there isn't an acquirer threatening to shut down a merchant ID for
failure to comply with the DSS because of your arrangement, this is
arguably a non-issue.

If cardholder data are being intercepted in transit, or being stored
(even though rejected) by the transaction server though, you have a
*security* concern. (And potentially a regulatory concern, depending
upon local laws.) In such cases, I'd probably consider these systems in
scope as a matter of best practice.

Your mileage may vary; I am not [a lawyer|a QSA|clergy]; etc.


-sth

-- 
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont


On 20100708 14:57 , Joel Rosenblatt wrote:
> I am not a PCI expert, but I have been up to my eye balls in PCI stuff
> for a while :-)
>
> If you are not accepting CC, then the fact that the miss guided person
> sticks his card in your device does not put that device in scope for PCI.
>
> If someone were to swipe their Visa card in your controlled access door
> swipes, and this were the case, then every door on your campus would
> suddenly become in scope for PCI.
>
> The ultimate responsibility for PCI belongs to the organization that
> owns the MID for the account that will receive the income from that
> transaction - since there is no MID (Merchant ID) attached to your
> vending machines, there can be no PCI compliance.
>
> In my opinion, I believe, and any other disclaimer :-)
>
> My 2 cents
>
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
> --On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob"
> <smithrj () LONGWOOD EDU> wrote:
>
> > We are struggling with a PCI compliance issue and have been asked to
> > query this list.  We have vending machines (drink, snack, laundry,
> > etc.) on our network
> > that are being setup for use with our university "one card" system. 
> > The readers on these machines will transmit and process our cards just
> > fine.  However,
> > when someone uses a CC it is transmitted to the card system/server,
> > but the system ignores it and does not process the transaction.
> >
> > The big question:  are the vending machines considered in-scope for
> > PCI?  If so, that means a lot of other things will be too.
> >
> > Thanks.
> >
> > Bob Smith
> > AVP IITS & Information Security Officer
> > Longwood University
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel

Attachment: signature.asc
Description: OpenPGP digital signature