Educause Security Discussion mailing list archives

Re: PCI compliance question


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 8 Jul 2010 19:07:39 -0500

That would depend on whether your card is a 'branded' card or not. If the card is an American Express, Discover 
Financial Services, JCB International, MasterCard Worldwide or Visa Inc, then PCI comes into play. If the card is not 
branded, then PCI requirements do not come into play. The card brands are only enforcing these requirements on the 
branded cards.

Paul
========================================
Paul L. Kendall, CGEIT, CHS-III, DHS-CVI, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Senior Consultant
Accudata Systems, Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kelley 
Bogart
Sent: Thursday, July 08, 2010 5:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

PCI compliance is the responsibility of the merchant account owner? Who is processing the credit card transaction, you 
or the vendor? In many cases the vending company is the responsible person for ensuring compliance. Our university 
cards have the ability to sign up for a banking account and thus then use the card as a credit card. In those cases 
PCI compliance is the responsibility of the merchant accepting and processing the credit card transaction.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Croke, 
John
Sent: Thursday, July 08, 2010 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

My understanding is if your one card is also a credit card and is subject to PCI then all hardware that accepts the 
card must be compliant. This would include vending, door access and laundry.

John Croke
Systems Analyst
400 Harkins Hall
Providence College
Providence, RI 02918
401.865.1173

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, 
Bob
Sent: Thursday, July 08, 2010 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI compliance question

We are struggling with a PCI compliance issue and have been asked to query this list.  We have vending machines (drink, 
snack, laundry, etc.) on our network that are being set up for use with our university "one card" system.  The readers 
on these machines will transmit and process our cards just fine.  However, when someone uses a CC it is transmitted to 
the card system/server, but the system ignores it and does not process the transaction.

The big question:  are the vending machines considered in-scope for PCI?  If so, that means a lot of other things will 
be too.

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University