Educause Security Discussion mailing list archives
Re: PCI 3.0?
From: Blake Penn <BPenn () TRUSTWAVE COM>
Date: Fri, 28 Mar 2014 14:44:40 +0000
I would agree with Mike here - there is nothing prohibiting the use of kiosks, but they must adhere to all applicable requirements. Requirement 9.9 in version 3.0 is a new requirement that will apply here - make sure to read it carefully. Before you implement your solution, make sure to engage your QSA to evaluate the solution to make sure that it meets all the requirements.

FWIW, I have led such an engagement before and the client ended up ditching the project due to the expense and hassle of implementing the necessary controls and processes required to comply with the DSS - your particular case could be much different, of course.

Best of luck.

Blake Penn
CISSP, PCIP, MCSE, MCSD, MCDBA, QSA, ISMS Principal Auditor
Principal Consultant
t: 678.685.1277
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

DISCLAIMER: The views represented in this message reflect the personal opinions of the author alone and do not necessarily reflect the opinions of Trustwave.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Leach
Sent: Thursday, March 27, 2014 6:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI 3.0?

Russ,

I'm not aware of anything in PCI DSS v3.0 that would prevent the use of such a KIOSK. Unattended payment terminals are used in many sectors for customers to make credit card payments. As a terminal provided for making payments it would need to be included in your PCI scope just as a payment terminal behind the counter used by staff. A key element would be physical security so no one can add a keylogger, screen scraper, etc. Another would be software security so they can't break out of the KIOSK mode and get into the machine.

What I have seen in PCI DSS v3.0 is more importance placed on strict inventory of payment hardware with photographs being suggested, increased and documented inspections for evidence of tampering and greater awareness training of end-users on tamper detection/prevention. For a machine in a public space I would keep a very close eye on the card swipe to ensure nothing is added like miscreants do on ATMs.

Would it be such a headache for the customer if it was a touch-screen only and they had to enter in the full card number?

Thank you,

Mike Leach
PCI Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu
Direct Line: 814-865-0740

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Thursday, March 27, 2014 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0?

Our Cashiers want a 'self-serve' KIOSK set up with a cc reader (so students can pay bills, fees etc..). Is there anything in PCI 3.0 that would kill this idea?

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Current thread:
- PCI 3.0? Russ Leathe (Mar 27)
- Re: PCI 3.0? Mike Leach (Mar 27)
- Re: PCI 3.0? Blake Penn (Mar 28)
- Re: PCI 3.0? Mike Leach (Mar 27)