Educause Security Discussion mailing list archives
Re: PCI compliance question
From: "Marley, Tim" <tim.marley () OU EDU>
Date: Thu, 8 Jul 2010 19:44:52 +0000
Jeff,

Be careful with this one. While I agree with many of the comments in this thread, you run the risk of being labeled as a service provider. On the surface, I think you're okay and the biggest risk is really in the terms of the contract with the vending machine vendor. That is, will they require you to provide a PCI-compliant hosting environment for their product?

We ran up against this in a similar, albeit different, proposal with an external vendor wanting us to provide them with network service for their cardholder environment. We were NOT the merchant, it was NOT our merchant ID, but it took several QSAs to agree that we were safe in that case and would not be held responsible as a service provider. In that situation, the concessions vendor was merely providing a service on our behalf and we were not 'hosting' their environment. I suspect the same would be true of you, but I'd recommend careful consideration either way.

Tim

Timothy J. Marley CPA * CISSP * CITP * CISM * CISA * GSNA * CPISM/A * CIPP
Senior IT Compliance Auditor
University of Oklahoma
Information Technology, Security Team
office 405.325.5418

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Thursday, July 08, 2010 2:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI compliance question

On 7/8/2010 3:01 PM, Lazarus, Carolann wrote:
> My issue with this is that he said the machines transmit the CC to the server. I'm not an expert, but I believe any transmission of CC falls under PCI, even if the transaction is rejected. The transmission has to be secure. IMO
Along a similar vein... I caught the tail end of a committee meeting request to put a "Red Box"-like machine on campus to rent DVDs and video games. It takes [real] credit cards. They wanted an "Internet" connection from us. Is the PCI responsibility on the box owner/vendor, or will we become the unwilling participant in a PCI network by providing such a connection? Not sure where "the buck stops" with respect to a turnkey appliance sort of device, nor exactly how it technically differs from a user doing CC transactions from their own computer (over our network).

Jeff