Educause Security Discussion mailing list archives

Re: PCI keeping it simple


From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Tue, 23 Apr 2019 20:36:37 +0000

Since as far as I'm aware Square's devices aren't on the PCI validated list of P2PE (Point-to-Point Encrypted) 
technologies - it is mostly an issue of compliance with PCI.

If you are using only validated P2PE devices, you can fill out the shorter P2PE SAQ for these.  If it isn't validated 
but is still P2PE - then you can still use those for scope reduction - which is still helpful.  You still need the more 
expansive SAQ C (assuming these are your only devices on the merchant ID) though.

Note: Not a PCI QSA - so don't take anything I say as gospel.

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Yost, Davis
Sent: Tuesday, April 23, 2019 4:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI keeping it simple

Question:

So, I was just asked how is this different than the devices that our one card vendor sells us?

https://squareup.com/help/us/en/article/3797-secure-data-encryption

Is anyone allowing or using Square on their administration production network?

Thoughts??

Thank you,

Davis Yost
Associate Director, Information Technology Security
yost () northwood edu

989.837.4185 office
989.837.4184 fax
Developing Leaders of a Global Free-Enterprise

