Educause Security Discussion mailing list archives

Re: PCI compliance question


From: Kevin Hayes <krhayes () OAKLAND EDU>
Date: Thu, 8 Jul 2010 16:04:13 -0400

The best quote I have heard regarding PCI compliance is that "You are compliant until there is a breach; then you are 
no longer compliant".

While the well-known mantra of PCI is anything that stores, transmits, or processes PCI data, at some point you have to 
define exactly what that consists of.  What exactly *is* a PAN?  If I throw 16 random digits together and transmit it across 
a network, does that mean it has to instantly become PCI compliant?

I think Joel hit the nail on the head when he said that it ties right back to the Merchant ID.  If the *destination* of 
whatever data is being swiped/entered is a system that is somehow tied back to your merchant ID, then you have PCI 
scope to worry about.  Otherwise the entire planet would be covered in PCI scope; if I put my CC into a standalone 
hotel door lock I should not expect my data to remain secure.  If I swipe it at a POS terminal for a purchase, I should.

It would still be a good security practice to make sure that *any* system that gets magstripe reads is set to purge 
unknown data, but I have brought this subject up with our auditors and they were under the same impression that we only 
need to worry about PCI scope where it involves a Merchant ID that is issued to our University.

--Kevin

Kevin Hayes
Network Security Analyst

225 Dodge Hall
Oakland University
(248) 370-2546
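
One way to implement the "purge unknown data at the reader" practice Kevin describes: an added Python example, not code from this thread or from any institution's card system. The campus one-card IIN prefix, the track-2 reads and the card number are constructed; the Luhn check is used only to classify what is being purged, never to accept it.

```python
import re

# Constructed values for this example: the campus one-card IIN prefix and the
# track-2 reads below are hypothetical, not from any real institution or vendor.
CAMPUS_IIN = "600012"

# ISO 7813 track 2 layout: ';' start sentinel, PAN, '=' separator,
# additional data (expiry, service code, discretionary), '?' end sentinel.
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<rest>[0-9=]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum every payment-card PAN satisfies (random digits usually don't)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_read(track2: str) -> dict:
    """Decide at the reader what is allowed to leave the device.

    Only campus one-card reads are forwarded (the PAN is returned for the
    campus server). Everything else is purged before transmission: the PAN is
    dropped and only a non-identifying audit record survives.
    """
    m = TRACK2_RE.match(track2)
    if not m:
        return {"action": "purge", "reason": "unparseable", "pan": None}
    pan = m.group("pan")
    if pan.startswith(CAMPUS_IIN):
        return {"action": "forward", "reason": "campus_card", "pan": pan}
    # A Luhn-valid non-campus PAN is most likely a real payment card.
    reason = "possible_payment_card" if luhn_ok(pan) else "unknown_card"
    return {"action": "purge", "reason": reason, "pan": None, "pan_length": len(pan)}


# Constructed reads: a campus card, the well-known Visa test number
# 4111111111111111 standing in for a real card, and a garbage swipe.
SAMPLE_READS = [
    ";6000120000123456=2512101?",
    ";4111111111111111=2512101123456789?",
    ";1234567890123=0000?",
]

if __name__ == "__main__":
    for read in SAMPLE_READS:
        print(classify_read(read))
```

The audit record deliberately carries no part of the PAN, so a reader log can show that payment cards are being swiped without the log itself becoming cardholder data.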


On Jul 8, 2010, at 3:26 PM, Sarazen, Daniel wrote:

His machines ARE accepting the CC data. According to the poster, it's his servers that will reject the data. That 
means the system may be transmitting and storing the CC data. 

If we're talking strictly about compliance, then you're probably fine. If you're also talking about security, 
however, you may be in fact trapping and storing CC data. 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
Rosenblatt
Sent: Thursday, July 08, 2010 3:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

His machines are not accepting CCs .. they are accepting his own cards ... since they do not accept credit cards for 
those services, then despite the fact that people are putting the wrong card in the machine, they are not in PCI scope.

Using your logic, any device with a card swipe would be in PCI scope, which is clearly not the case.

To be charged with a violation, there has to be an account - no account, no violation.

IMHO

Joel

--On Thursday, July 08, 2010 3:01 PM -0400 "Lazarus, Carolann" <lazarus () buffalo edu> wrote:

My issue with this is that he said the machines transmit the CC to the server.  I'm not an expert, but I believe any 
transmission of CC falls under PCI, even if the transaction is rejected.  The transmission has to be secure.  IMO

Carolann G Lazarus, CISA
716-829-6947
lazarus () buffalo edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel 
Rosenblatt
Sent: Thursday, July 08, 2010 2:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

I am not a PCI expert, but I have been up to my eyeballs in PCI stuff for a while :-)

If you are not accepting CC, then the fact that the misguided person sticks his card in your device does not put 
that device in scope for PCI.

If someone were to swipe their Visa card in your controlled access door swipes, and this were the case, then every 
door on your campus would suddenly become in scope for PCI.

The ultimate responsibility for PCI belongs to the organization that owns the MID for the account that will receive 
the income from that transaction - since there is no MID (Merchant ID) attached to your vending machines, there can be 
no PCI compliance.

In my opinion, I believe, and any other disclaimer :-)

My 2 cents

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, July 08, 2010 2:46 PM -0400 "Smith, Bob" <smithrj () LONGWOOD EDU> wrote:

We are struggling with a PCI compliance issue and have been asked to query this list.  We have vending machines 
(drink, snack, laundry, etc.) on our network that are being set up for use with our university "one card" system.  
The readers on these machines will transmit and process our cards just fine.  However, when someone uses a CC it is 
transmitted to the card system/server, but the system ignores it and does not process the transaction.

The big question:  are the vending machines considered in-scope for PCI?  If so, that means a lot of other things 
will be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University



