Educause Security Discussion
mailing list archives
Re: PCI 3.0?
From: Mike Leach <mjl9 () PSU EDU>
Date: Thu, 27 Mar 2014 18:08:59 -0400
I'm not aware of anything in PCI DSS v3.0 that would prevent the use of
such a KIOSK. Unattended payment terminals are used in many sectors for
customers to make credit card payments. As a terminal provided for making
payments, it would need to be included in your PCI scope just as a payment
terminal behind the counter used by staff would be.
A key element would be physical security so no one can add a keylogger,
screen scraper, etc. Another would be software security so they can't
break out of the KIOSK mode and get into the machine.
What I have seen in PCI DSS v3.0 is more importance placed on strict
inventory of payment hardware with photographs being suggested, increased
and documented inspections for evidence of tampering and greater awareness
training of end-users on tamper detection/prevention. For a machine in a
public space I would keep a very close eye on the card swipe to ensure
nothing is added like miscreants do on ATMs. Would it be such a headache
for the customer if it was a touch-screen only and they had to enter in
the full card number?
PCI Compliance Coordinator
Security Operations and Services
The Pennsylvania State University
ITS-SOS Telephone: 814-863-9533
ITS-SOS E-Mail: security () psu edu
Direct Line: 814-865-0740
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russ Leathe
Sent: Thursday, March 27, 2014 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI 3.0?
Our Cashiers want a 'self-serve' KIOSK set up with a cc reader (so
students can pay bills, fees, etc.). Is there anything in PCI 3.0 that
would kill this idea?