Educause Security Discussion mailing list archives
Re: PCI compliance question
From: "Marcum, Chad A" <cmarcum () IU EDU>
Date: Thu, 8 Jul 2010 19:13:47 +0000
Hi Bob, I think a lot of good points have been made. If your "one card" is sponsored by one of the big five credit card companies, then your vending machines are in-scope. If your "one card" is not sponsored by one of the big five brands, then I would say your vending machines are not in-scope. If someone accidently swipes a credit card in a vending machine, which isn't designed to take credit card numbers, then I would say you could bring that machine and that part of your network into scope. (Notice the word "could", as I am not your QSA.) Our QSA has asked us to put disclaimers on some devices stating that we are not responsible if you should decide to swipe your credit card somewhere it doesn't belong and I don't think that's a bad idea. Chad Chad A. Marcum Lead Security Engineer University Information Security Office Information and Infrastructure Assurance Office of the VP for Information Technology and CIO Indiana University https://informationsecurity.iu.edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob Sent: Thursday, July 08, 2010 2:47 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] PCI compliance question We are struggling with a PCI compliance issue and have been asked to query this list. We have vending machines (drink, snack, laundry, etc.) on our network that are being setup for use with our university "one card" system. The readers on these machines will transmit and process our cards just fine. However, when someone uses a CC it is transmitted to the card system/server, but the system ignores it and does not process the transaction. The big question: are the vending machines considered in-scope for PCI? If so, that means a lot of other things will be too. Thanks. Bob Smith AVP IITS & Information Security Officer Longwood University
Current thread:
- Re: PCI compliance question, (continued)
- Re: PCI compliance question Marley, Tim (Jul 08)
- Re: PCI compliance question Michael Benedetto (Jul 08)
- Re: PCI compliance question Joel Rosenblatt (Jul 08)
- Re: PCI compliance question Sam Hooker (Jul 08)
- Re: PCI compliance question Daniel Robert Adinolfi (Jul 09)
- Re: PCI compliance question Paul Kendall (Jul 09)
- Re: PCI compliance question Joel Rosenblatt (Jul 09)
- Re: PCI compliance question Paul Kendall (Jul 09)
- Re: PCI compliance question Sarazen, Daniel (Jul 08)
- Re: PCI compliance question Nangle, Shea (Jul 08)
- Re: PCI compliance question Marcum, Chad A (Jul 08)
- Re: PCI compliance question Croke, John (Jul 08)
- Re: PCI compliance question Kelley Bogart (Jul 08)
- Re: PCI compliance question Paul Kendall (Jul 08)
- W2 forms online Barrera, Connie (Jul 09)
- Re: PCI compliance question Kelley Bogart (Jul 08)
- PCI compliance question Smith, Bob (Jul 13)
- Presenting annual brief summaries Plesco, Todd (Jul 16)
- Re: Presenting annual brief summaries Ben Woelk (Jul 16)
- Presenting annual brief summaries Plesco, Todd (Jul 16)