Re: PCI compliance question

[Kelley Bogart <bogartk () EMAIL ARIZONA EDU>]

PCI compliance is the responsibility of the merchant account owner?  Who is
processing the credit card transaction you or the vendor?  In many cases the
vending company is the responsible person for ensuring compliance.  Our
university cards have the ability to sign up for  a banking account and thus
then use the card as a credit card.  In those cases PCI compliance is the
responsibility of the merchant accepting and processing the credit card
transaction. 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Croke, John
Sent: Thursday, July 08, 2010 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

 

My understanding is if your one card  is also a credit card and is subject
to PCI then all hardware that accept the card must be compliant.  This would
include vending door access and laundry. 

 

John Croke

Systems Analyst

400 Harkins Hall

Providence College

Providence, RI 02918

401.865.1173

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Thursday, July 08, 2010 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance question

 

We are struggling with a PCI compliance issue and have been asked to query
this list.  We have vending machines (drink, snack, laundry, etc.) on our
network that are being setup for use with our university "one card" system.
The readers on these machines will transmit and process our cards just fine.
However, when someone uses a CC it is transmitted to the card system/server,
but the system ignores it and does not process the transaction.

 

The big question:  are the vending machines considered in-scope for PCI?  If
so, that means a lot of other things will be too.

 

Thanks.

 

Bob Smith

AVP IITS & Information Security Officer

Longwood University