Educause Security Discussion mailing list archives

Re: PCI 3.0?


From: Mike Leach <mjl9 () PSU EDU>
Date: Thu, 27 Mar 2014 18:08:59 -0400

Russ,

I'm not aware of anything in PCI DSS v3.0 that would prevent the use of
such a KIOSK. Unattended payment terminals are used in many sectors for
customers to make credit card payments. As a terminal provided for making
payments, it would need to be included in your PCI scope just as a payment
terminal behind the counter used by staff would.

A key element would be physical security so no one can add a keylogger,
screen scraper, etc. Another would be software security so they can't
break out of the KIOSK mode and get into the machine.

What I have seen in PCI DSS v3.0 is more importance placed on strict
inventory of payment hardware (with photographs being suggested), increased
and documented inspections for evidence of tampering, and greater awareness
training of end-users on tamper detection/prevention. For a machine in a
public space I would keep a very close eye on the card swipe to ensure
nothing is added, as miscreants do on ATMs. Would it be such a headache
for the customer if it were touch-screen only and they had to enter
the full card number?

Thank you,

Mike Leach

PCI Compliance Coordinator

Security Operations and Services

The Pennsylvania State University

ITS-SOS Telephone: 814-863-9533

ITS-SOS E-Mail: security () psu edu

Direct Line: 814-865-0740

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Thursday, March 27, 2014 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0?

Our Cashiers want a 'self-serve' KIOSK set up with a cc reader (so
students can pay bills, fees, etc.). Is there anything in PCI 3.0 that
would kill this idea?
