Toughey Talks
PCI-PA-DSS: Type or Swipe and You're In
February 25, 2010
There certainly is a lot of confusion right now about PCI rules, cashiering-like systems, and what's in or out of scope. There's so much confusion, in fact, that we really don't know what to call these systems - cashiering systems, virtual terminals, web stations, or what. With new PCI compliance deadlines looming July 1, it's time to clear things up.
Let's start by coining a new name for the whole category of electronic transactions made at the point-of-payment. Let's call them p.Commerce for "in person" or "physical" transactions. This will make it easier to shift discussions between "online" (e.Commerce) and "physical" (p.Commerce) payments.
Next, the mission is to identify those physical locations around campus where credit/debit card data is either "typed or swiped" into a computer system.
Here are a few examples of routine activities...
- A clerk in the Alumni Office pulls up a spreadsheet on his desktop computer containing donor names and card numbers and proceeds to type recurring donations into a gifting application.
- A student walks into the Cashiering Office to pay her housing fee. The cashier pulls up the student's account record and then swipes a credit card into a cashiering system to complete the transaction.
- A staff member in Accounting uses her laptop to type a credit card number into a web hosted payment page for a student who called in a request to pay a library fine.
Each of the above is an example of a p.Commerce transaction that falls under the broad umbrella of PCI DSS requirements. In addition, true cashiering systems with swipe devices are generally subject to both PA-DSS and PCI PTS requirements. These latter two security requirements are easy for your campus because they are the responsibility of your system provider. Your campus only has to make sure you are using solutions properly certified as of July 1, 2010.
There are some who hope that using a web-based, hosted system for p.Commerce moves you out of scope of PCI compliance. This is simply not the case.
The bottom line is this: TYPE or SWIPE and you're IN scope.
Thanks for reading.

Dan Toughey
dan2e@touchnet.com