Educause Security Discussion mailing list archives

Re: PCI 3.0?


From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Fri, 28 Mar 2014 14:44:40 +0000

I would agree with Mike here - there is nothing prohibiting the use of kiosks, but they must adhere to all applicable 
requirements.  Requirement 9.9 in version 3.0 is a new requirement that will apply here - make sure to read it 
carefully.



Before you implement your solution, make sure to engage your QSA to evaluate the solution to make sure that it meets 
all the requirements.  FWIW, I have led such an engagement before and the client ended up ditching the project due to 
the expense and hassle of implementing the necessary controls and processes required to comply with the DSS - your 
particular case could be much different, of course.



Best of luck.

Blake Penn  CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not 
necessarily reflect the opinions of Trustwave.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Leach

Sent: Thursday, March 27, 2014 6:09 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] PCI 3.0?



Russ,



I'm not aware of anything in PCI DSS v3.0 that would prevent the use of such a KIOSK. Unattended payment terminals are 
used in many sectors for customers to make credit card payments. As a terminal provided for making payments it would 
need to be included in your PCI scope just as a payment terminal behind the counter used by staff.



A key element would be physical security so no one can add a keylogger, screen scraper, etc. Another would be software 
security so they can't break out of the KIOSK mode and get into the machine.



What I have seen in PCI DSS v3.0 is more importance placed on strict inventory of payment hardware with photographs 
being suggested,  increased and documented inspections for evidence of tampering and greater awareness training of 
end-users on tamper detection/prevention.  For a machine in a public space I would keep a very close eye on the card 
swipe to ensure nothing is added like miscreants do on ATMs. Would it be such a headache for the customer if it was a 
touch-screen only and they had to enter in the full card number?





Thank you,



Mike Leach

PCI Compliance Coordinator

Security Operations and Services

The Pennsylvania State University

ITS-SOS Telephone: 814-863-9533

ITS-SOS E-Mail: security () psu edu

Direct Line: 814-865-0740



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe

Sent: Thursday, March 27, 2014 1:36 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: [SECURITY] PCI 3.0?



Our Cashiers want a 'self-serve' KIOSK set up with a cc reader (so students can pay bills, fees, etc.).   Is there 
anything in PCI 3.0 that would kill this idea?

