Educause Security Discussion mailing list archives

PCI compliance question


From: "Smith, Bob" <smithrj () LONGWOOD EDU>
Date: Tue, 13 Jul 2010 18:01:54 -0400

As promised, here are the results of my research.

First, let's assume that we are not accepting CC's on our "one card" system.  Otherwise, our vending machines could be 
considered in-scope due to what I have heard called "scope creep" and this would all be a moot point.

The inadvertent/accidental swipe of a CC in our vending machines would not make our system in-scope for PCI compliance. 
As said in other posts, this is consistent with other systems like building access control, printing services, Library 
self-checkout, etc. that you wouldn't expect to be considered in-scope where there is no acceptance of CC's.  Those 
systems accept our "one cards," but not CC's.

In our opinion, this becomes more of a security issue rather than PCI compliance and some "good practices" we will 
probably take are:
1. posting signs on the vending machines (or others as appropriate) stating something like "This machine will not 
accept credit cards."
2. regularly expunging any files (system logs, rejected transactions, backups, etc.) where the CC data might be 
stored
3. documenting the above steps

Thanks.

Bob Smith
AVP IITS & Information Security Officer
Longwood University
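Step 2 above assumes you can tell which files hold card data. As an added example (not part of Bob Smith's post or of Longwood's systems), the following scan checks whether log or rejected-transaction files actually contain Luhn-valid card numbers before they are expunged, and masks any hit down to its last four digits; the vending-machine log lines are constructed for illustration.

```python
import re

# Constructed sample of a vending-machine transaction log (not real data).
SAMPLE_LOG = """\
2010-07-13 12:01:05 vend01 ACCEPT onecard id=000123456 amt=1.25
2010-07-13 12:03:44 vend01 REJECT unknown-track data=4111111111111111 amt=1.25
2010-07-13 12:04:10 vend01 REJECT unknown-track data=4111 1111 1111 1111 amt=1.25
2010-07-13 12:05:02 vend01 INFO firmware serial=1234567890123456
"""

# A card number (PAN) is 13-19 digits, possibly split by spaces or hyphens
# as track or OCR output often is; the lookarounds stop partial matches
# inside longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if a digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Digit-only candidates of card-number length that also pass Luhn.
    The Luhn filter drops serial numbers and timestamps that merely look long."""
    return [_digits(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(_digits(m.group(0)))]


def redact_pans(text: str) -> str:
    """Mask each Luhn-valid PAN, keeping only the last four digits."""
    def _mask(m):
        d = _digits(m.group(0))
        return "*" * (len(d) - 4) + d[-4:] if luhn_ok(d) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def scan_log(text: str) -> list:
    """(line_number, pans) for every line that contains a Luhn-valid PAN."""
    return [(n, pans) for n, line in enumerate(text.splitlines(), 1)
            if (pans := find_pans(line))]
```

Run `scan_log` over the candidate files first; a non-empty result is the evidence that the expunge step (and its documentation) applies to that file.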

