PCI Compliance Gotcha: Directing Customers to Labs/Kiosks
Many merchants use third-party payment systems or gateways for online payment card processing, often at the direction of their PCI Team, as this is an excellent way to reduce the organization’s PCI scope and push the majority of the responsibility to the vendor.
However, it is important to remember that customers should always be completing these payments online using their own personal devices. Staff should not be entering payment information on behalf of customers into these online sites.
One scenario that our QSAs often discover is that staff are directing customers to kiosks or computer labs where they can make tuition payments, purchase printing funds, complete applications, etc. If employees specifically direct students and other customers to use organizational equipment (including computer labs, kiosks, or other public-use computers) to make payments, this can inadvertently bring those devices (and the organization’s network) into PCI scope.
When a computer workstation is utilized for payment processing, it falls into PCI scope and must be secured according to the PCI DSS. This means it must only allow access to documented and approved functions and websites, and it should be segmented from the rest of the organization’s network. Controls must be implemented, including an approved firewall configuration, a formal vulnerability and patch management program, change control, audit logging, vulnerability scanning, penetration testing, and file integrity monitoring.
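One practical way to evidence the "approved websites only" and audit-logging controls above is to check the workstation's web proxy log against the documented allowlist and flag anything else. The script below is an added example written for this article, not code from CampusGuard or the PCI DSS; the hostnames, the log format (timestamp, client IP, method, URL or CONNECT target, status) and the log lines themselves are constructed for illustration.

```python
"""Allowlist audit for a PCI-scoped payment workstation.

Reads a simple proxy log and reports every request whose destination host
is not on the documented, approved list. Any hit is either an undocumented
business need (update the allowlist) or a control failure (fix the kiosk).
"""
from urllib.parse import urlsplit

# Documented, approved destinations for this workstation.
# Hypothetical names; replace with the hosts in your own approved-sites list.
APPROVED_HOSTS = {"payments.example.edu", "cdn.payments-vendor.example"}

# Constructed sample log in the format:  <timestamp> <client-ip> <method> <target> <status>
# For CONNECT (TLS tunnel) lines the target is "host:port" rather than a full URL.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.20.30.5 GET https://payments.example.edu/login 200
2024-03-01T09:00:04Z 10.20.30.5 POST https://payments.example.edu/pay 200
2024-03-01T09:01:10Z 10.20.30.5 GET https://cdn.payments-vendor.example/app.js 200
2024-03-01T09:02:33Z 10.20.30.5 GET https://mail.example.edu/inbox 200
2024-03-01T09:03:47Z 10.20.30.5 CONNECT www.social.example:443 200
"""


def host_of(target: str) -> str:
    """Return the lowercase hostname from a URL or a CONNECT-style host:port."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    # CONNECT target: strip the trailing ":port" only.
    return target.rsplit(":", 1)[0].lower()


def is_approved(host: str, approved=APPROVED_HOSTS) -> bool:
    """Exact match, or a subdomain of an approved host (dot-anchored so that
    'evil-payments.example.edu' does not match 'payments.example.edu')."""
    return any(host == a or host.endswith("." + a) for a in approved)


def parse_line(line: str):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, target, status = parts
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": status}


def audit(log_text: str, approved=APPROVED_HOSTS) -> list:
    """Return one record per request to a non-approved host, with its line number."""
    violations = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed lines are skipped, not treated as approved
        host = host_of(rec["target"])
        if not is_approved(host, approved):
            violations.append({"line": lineno, "host": host,
                               "client": rec["client"], "target": rec["target"]})
    return violations


def report(log_text: str, approved=APPROVED_HOSTS) -> str:
    """Human-readable summary suitable for attaching to an assessment note."""
    found = audit(log_text, approved)
    if not found:
        return "OK: every request went to an approved host"
    lines = [f"{len(found)} request(s) to non-approved hosts:"]
    for v in found:
        lines.append(f"  line {v['line']}: {v['client']} -> {v['host']} ({v['target']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real proxy export by replacing `SAMPLE_LOG` with the file contents; the subdomain rule is deliberately dot-anchored so that look-alike hostnames are reported rather than silently accepted.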
To avoid having your equipment and network pulled into PCI scope, instruct staff never to direct a customer to a specific computer or kiosk. Instead, let them know that they can go to the approved website from any computing device they feel comfortable using. If generally available equipment is nearby and they choose to use it, that is their choice; you will not have offered or recommended that they use it, and there will be no implied or assumed security surrounding that device.
That said, if there are general-purpose, public-use computers nearby, the likelihood is that some of these payers will choose to use them to reach the hosted website. It is therefore recommended that you post signs with disclaimer language in those areas. Here is an example with several key components that you may want to consider including:
Users access lab computers and associated software at their own risk. Users should not enter bank account or payment card information on these systems. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. _________ is not responsible for equipment malfunction, damage to disks, loss of data, transmission of data (secure or otherwise), data saved on the computer, or for personal computers, laptops, or other devices.
Unauthorized or improper use of lab computers may result in administrative disciplinary action, and civil or criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
If a data breach were to originate from your organization’s computer lab and you are found to have been encouraging the use of these systems, your organization would be responsible and would be held liable for any cardholder data that was breached due to the lack of PCI-specific controls within the lab.
Staff should not be directing customers or offering payment card entry on any device that has not been properly configured, secured, and approved by the PCI Team for that purpose.
Additional guidance from the Security Advisor Team below:
[Burt]: This article addresses one of the more difficult processes to change in Higher Education, the directing of students/customers to computer labs and/or other public computers around campus to complete some type of registration (or similar process) that involves making a payment with a credit card.
I have been with CampusGuard for almost 6 years and have performed many assessments over that time. I am not sure I recall one review that did not result in either uncovering that staff are using computers to help customers complete their transactions, or, more pertinent to this discussion, employees are directing individuals to a computer lab or similar area on campus with computers that can be utilized to make payments. Unfortunately, when we redirect customers to university or college systems to eventually perform a payment card transaction, we are saying the device being used will keep the customer’s data secure, and it also brings the system and associated networks into PCI scope. For customers who are trying to only implement/maintain a cardholder environment that relies on reduced scope (e.g. just utilizing PTS-approved payment card devices from the bank, PCI-listed P2PE solutions, and outsourcing to PCI-compliant third-party service providers), the directing of customers by staff to college systems can place an entity’s PCI compliance in jeopardy.
I understand the intent of our customers is to provide good customer service and provide means to collect payment. However, in this case, it is better to direct customers to an office on campus that can collect payments in a compliant manner, or explain to the customer they can register and make a payment online by using their own personal device (and on their own time).