Internet Kiosk
fitch609
01-28-2008, 08:39 AM
At some of my company's locations, we have business centers where people can pay for Internet access with their credit card on specific machines. These machines are owned by my company, but we run Internet Kiosk software on them (Purchased from a vendor) that processes the credit card and does the whole Internet access thing. The kiosk software is not on the Visa validated payment application listing. The Internet kiosks are not on our corporate network; they have a dedicated DSL line for the Internet access. Additionally, my company doesn't store, transmit, or process the credit cards; the software does that through their bank.
Because my company isn't touching any of the credit card data, is there anything that we need to do from a PCI perspective in this scenario?
Would we need to force the Internet Kiosk vendor to get their software PCI compliant, find another Internet kiosk vendor who is PCI compliant, or does it not really concern my company because we don't touch any of the credit card data? Would anything change if the machines were not owned by my company, and owned instead by the vendor? Do we need to make sure we have PCI-compliant language in the contract?
If a credit card breach were to stem from the Internet Kiosk software, one of the things I am most worried about is the reputational damage to our brand from the collateral damage of the software being run at our locations.
Any thoughts or comments would be greatly appreciated. I've been reading on this topic so much lately that I'm beginning to confuse myself and need an outside view on it!
lyalc
01-28-2008, 11:15 AM
Speak to your bank and get their confirmation on who is responsible, then proceed from there.
Because the payments are being made on your company's merchant facility (I assume from the provided description), the PCI responsibility belongs to your company, regardless of any other arrangements in place.
How you go about achieving/maintaining compliance will vary, depending on a number of operational factors.
Since the machine is owned by your company (and thus touches cardholder data) and runs company-approved software, your company needs to verify that the software enables PCI compliance. Probably the best option in the near term is to get the software provider, and their payment gateway, to provide formal statements (letters, contract terms) on the compliance status of the software and gateway.
You will need to get the payment software validated as PCI compliant as the PABP/PA-DSS requirements come into mandated effect over the coming months/years - see Visa's and the SSC's announcements.
In the event the payments are made to the third-party software vendor's merchant facility and then reimbursed to you, most/all PCI compliance responsibility applies to that merchant/software provider.
lyalc
jbhall56
01-28-2008, 04:15 PM
> The Internet kiosks are not on our corporate network; they have a dedicated DSL line for the Internet access.
One thing I'm curious about by its absence - is there a firewall between the Internet kiosks and the Internet? I'm hoping this is the case, but want to confirm this fact. If there is a firewall, the next thing is whether the firewall is properly configured to protect these kiosks.
> Because my company isn't touching any of the credit card data, is there anything that we need to do from a PCI perspective in this scenario?
I would agree with Lyalc in that it's your company's reputation on the line if any of these kiosks get breached. So, I would ask your management to determine if that risk is acceptable or if additional steps should be taken to address the risks.
> Would we need to force the Internet Kiosk vendor to get their software PCI compliant, find another Internet kiosk vendor who is PCI compliant, or does it not really concern my company because we don't touch any of the credit card data?
I would approach the vendor and see if they intend to get their software PABP or PA-DSS certified. If they cannot answer this simple question, I would recommend finding a new vendor. Again, it's your company's reputation, so if management wants this risk better addressed, this would be one big way to address one of the largest risks.
> Would anything change if the machines were not owned by my company, and owned instead by the vendor?
I'm not really sure anything changes since the systems are on your property. However, a large sign with a disclaimer stating that anyone using the machines uses them at their own risk and that your company is not responsible for any of these risks might be a good idea. It doesn't get you entirely off the legal hook, but it does mitigate things some if a breach occurs and you get dragged into court. You can at least show the court that you had warned people that a risk existed.
> Do we need to make sure we have PCI-compliant language in the contract?
Without a doubt you should ALWAYS get PCI compliance language in your contracts with third parties that process, store or transmit cardholder data (CHD) from your facilities. You should also get language that indemnifies your company in the event that the third party suffers a breach or other adverse event.
fitch609
01-29-2008, 12:10 PM
Thanks for your thoughts on this.
After speaking with the vendor in more detail, it looks like they process the credit card through Authorize.net and then cut our locations a revenue-sharing check once a month. I'm going to take your advice, jbhall56, and make sure we put up some type of sign saying this is operated by a third party, as well as making sure our contract language is adequate.
As far as the Internet connection goes, it is using a DSL line, but I will have to check on the firewall.