PCI and POS Connectivity

  • 1.  PCI and POS Connectivity

    Posted 19 days ago
    Do you allow contracted food services providers to operate their POS on the campus network or require the vendor to provide its own T1 line? If you do provide access, how do you handle PCI? Do you have contract language that speaks to PCI compliance responsibility?

    Thank you


    ------------------------------
    Jessica Bender, CASP, MBA
    Palm Beach State College
    Manager, Aux. Services & College Card
    Lake Worth FL
    United States
    ------------------------------


  • 2.  RE: PCI and POS Connectivity

    Posted 18 days ago
    At the University of Florida, Aramark uses a Point-to-Point Encryption (P2PE) solution for credit card readers. This allows the devices to be connected to our network without bringing the network into scope for PCI compliance.

    Our contract states "CONTRACTOR will be responsible for all point of sales equipment necessary to accept the Gator 1 Card, credit cards, cash and future debit cards." and "Such equipment must be compliant with industry security standards."

    We continuously collaborate with our central IT group, our Treasury Management group, and Aramark to maintain a good security and compliance posture.

    ------------------------------
    Wilcley Lima
    University of Florida
    Associate Director, Auxiliary Services
    Gainesville FL
    United States
    ------------------------------



  • 3.  RE: PCI and POS Connectivity

    Posted 18 days ago
    Hi Jessica,

    The answer to your question is totally reliant on which level of self-assessment questionnaire (SAQ) your College has chosen to answer/submit. There are 4 levels, A-D, all requiring different things.

    For example, if Palm Beach State has decided to go with a SAQ B, which Langara has, no credit card data can touch the network, whatsoever. If a SAQ C or D was submitted, then your Food service provider would be in scope and would need to do all the things that the College has to, to qualify for a C or D. I don't think contract language would matter to the credit card companies if on your network. You would be fined no matter, although they might be liable. Either way the PR problem would negate any financial liability, in my opinion.

    We require our Food Service provider to set up their own network and choose to be compliant as they see fit.
    Thanks,
    Mark

    ------------------------------
    Mark Adams
    Langara College
    Director Ancillary Services
    Vancouver BC
    Canada
    ------------------------------