
Is Your PC In PCI Scope?

By Archive User posted 05-26-2011 02:47 PM

  

In a typical retail business, there is no question about what the cashiering PC in the checkout lane does. It takes payments. Period. It wouldn’t be used to check email, run ERP reports, or access the Internet. Most colleges and universities, however, want the flexibility to use their cashiering PCs for multiple purposes. This creates challenges with PCI compliance.

Some campuses hoped to solve this problem by moving selected in-person and back-office payment functions to Virtual Terminals. A Virtual Terminal is a stripped-down cashiering station (no card reader) that uses a web browser to access remotely hosted payment software. There was a school of thought that this arrangement would eliminate these PCs from the scope of PCI compliance and maintain the flexibility to use them as business computers, too.

Not so. PCI 2.0 has clarified this issue, as it has other “gray areas” of PCI compliance. Virtual Terminals are definitely in scope. What’s more, PCI 2.0 even provides a new Self-Assessment Questionnaire specifically for reporting on systems using Virtual Terminals (PCI SAQ C-VT). The bottom line is that any PC you use to type or swipe cardholder data is in your PCI scope. (See “Type or Swipe and You're In,” February 25, 2010.)

So it’s back to square one. The question remains: what can you do within PCI guidelines that lets you use your cashiering PCs for other business purposes as well? The good news is that a new and unfolding generation of payment technology will help you remove cashiering PCs from your PCI scope. You’ll soon be able to use cashiering PCs for multiple business tasks without impacting PCI compliance at all. I’ll address that topic in my next Toughey Talks.
