Educause Security Discussion mailing list archives
Re: PCI 3.0?
From: Mike Leach <mjl9 () PSU EDU>
Date: Thu, 27 Mar 2014 18:08:59 -0400
Russ,

I'm not aware of anything in PCI DSS v3.0 that would prevent the use of such a KIOSK. Unattended payment terminals are used in many sectors for customers to make credit card payments. As a terminal provided for making payments it would need to be included in your PCI scope just as a payment terminal behind the counter used by staff. A key element would be physical security so no one can add a keylogger, screen scraper, etc. Another would be software security so they can't break out of the KIOSK mode and get into the machine.

What I have seen in PCI DSS v3.0 is more importance placed on strict inventory of payment hardware with photographs being suggested, increased and documented inspections for evidence of tampering and greater awareness training of end-users on tamper detection/prevention. For a machine in a public space I would keep a very close eye on the card swipe to ensure nothing is added like miscreants do on ATMs. Would it be such a headache for the customer if it was a touch-screen only and they had to enter in the full card number?

Thank you,

Mike Leach
PCI Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu
Direct Line: 814-865-0740

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Thursday, March 27, 2014 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0?

Our Cashiers want a 'self-serve' KIOSK set up with a cc reader (so students can pay bills, fees etc.). Is there anything in PCI 3.0 that would kill this idea?