PCI Compliance & Certification for Vending Machines – Overview

PCI Compliance & Certification for Vending Machines – Overview

PCI compliance and certification for vending machines is essential as these physical containers are directly involved in the storing, processing, and transmitting of cardholder data. Additionally, because such machines are still unfortunately the target of malicious individuals – yes, people still like to steal Snicker bars, soft drinks, but now also credit card information – locking down and securing vending machines is critically important. What’s more, today’s vending machines are much more sophisticated than your old-school 1970’s & 1980’s devices that contained little to no electronic gadgetry in comparison with the now advanced digital containers found seemingly everywhere.

Rapid PCI Compliance with our PCI Policy Toolkits – Download Now

Just a quick note on the importance of policies, procedures, security awareness training, and other essential documentation for businesses that are seeking to become PCI DSS compliant. You need to remember that while the PCI DSS standards are without question technical in nature, there’s a large – and often overlooked – mandate for developing and implementing documentation. From policies and procedures to security awareness training, performing risk assessments, and more, you’ll need to put in place well-written documents, and it’s why we offer industry leading PCI Policy Compliance Toolkits for download at pcipolicyportal.com.

5 Important Things to Know Regarding PCI Compliance for Vending Machines

1. Who owns it? First and foremost, you need to ensure you have a solid understanding of who actually owns the vending machine. Why? Because most vending machines today are leased out to other entities for purposes of patron interaction. Think college campuses, bookstores, movie theatres, the mall – they don’t own the vending machines – rather, they’ve acquired them from food and beverage entities/distributors.

This is important because vending machines have what’s known in the world of PCI DSS compliance as a “shared responsibility”. Specifically, both the entity providing the vending machine and the facility where the vending machine is located must ensure the safety of cardholder data, thus BOTH organizations should perform an annual PCI compliance and certification assessment. Read below on items #2 and #3 for how this plays out in terms of “shared responsibility”.

2. Vendor Responsibilities: Are you the actual company that owns the vending machines being leased out to and/or on display at another businesses location, such as a college campus, gym, grocery store, etc.? If so, then you need to perform an actual Self-Assessment Questionnaire that address all applicable PCI DSS “Requirements” for which you are responsible for. If you are responsible for setting up, configuring, and maintain the vending machine, then the vast majority of the actual PCI DSS requirements for whichever SAQ you choose would be in scope. While the Point-of-Sale hardware affixed to the vending machines are not your responsibility in terms of PCI compliance, you do need to ensure such devices and software have gone through the various PCI specific programs for certification, such as PCI DSS, PA-DSS, etc.

So which questionnaire should be used for vending machines in terms of PCI DSS compliance – good question – and here’s our professional assessment on this issue:

First and foremost, you’ll need do understand which of the Self-Assessment Questionnaires (SAQ) you can and cannot actually even use for PCI compliance for vending machines, and here they are:

  • SAQ A: Self-Assessment Questionnaire A is for “Card-not-Present Transactions” (i.e., e-commerce or mail/telephone orders), so this is NOT allowable for PCI compliance for vending machines.
  • SAQ A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels, so this is NOT allowable for PCI compliance for vending machines.
  • SAQ B: Merchants using only (1). Imprint machines with no electronic cardholder data storage; and/or (2). Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels, thus if the vending machine uses an actual dial-out terminal, this SAQ could be used.
  • SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels, thus if the vending machine uses an IP connection, this SAQ could be used.
  • SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. This is NOT allowable as credit cards are not entered into vending machines via any type of keyboard or virtual terminal.
  • SAQ D: If you cannot find any type of fit for the above reference Self-Assessment Questionnaires (SAQ), then SAQ D can be used as a last resort. Just remember that you’ll have to spend some time going through the entire questionnaire for determining which areas are in scope and which are NA.

3. On-site Locations: Are you the actual entity leasing or physically housing the vending machines, then you also need to become PCI DSS compliant for all applicable PCI DSS “Requirements” for which you are thus responsible for. While the vast majority of the PCI DSS “Requirements” would fall on the shoulders of the vendor owning the machines, general best practices would require you to comply with various aspects of Requirement’s 9 and 12 of the PCI DSS standards. Requirement 9 calls for addressing physical security controls, while Requirement 12 address information security policies and other business specific initiatives and best practices.

4. Dual Ownership of Controls Means Dual Compliance: As is the case with vending machines, often more than one entity is involved in the overall safety and security of the cardholder data being stored, processed, and/or transmitted, thus both parties (as there are generally just two) need to complete their own applicable SAQ documents. That is now abundantly clear, but it also means you’ll have to put in place comprehensive documentation for PCI DSS compliance.

5. Documentation is Essential: When we talk about documentation, we’re speaking about policies and procedures, along with other essential materials necessary for meeting PCI DSS compliance. This means businesses need an information security policy in place, will need to ensure employees undertake annual security awareness training, possibly perform a risk assessment, and more. The amount of time it takes to develop policies from scratch can be enormous, therefore, sourcing high-quality PCI DSS SAQ policies and procedures from a proven, trusted vendor is critical. As the leading provider of PCI DSS compliance services, pcipolicyportal.com offers a wide variety of PCI Policy Packets to choose from, such as SAQ policy templates to comprehensive PCI policy toolkits containing essential documentation for becoming compliant. Getting help when you need it is what makes us different from other companies, so visit pcipolicyportal.com today to learn more.

The Global Leaders for PCI DSS Compliance Policy Documents – Download Today

PCI DSS compliance for vending machines can get a little tricky in terms of scope and the requirements for documentation, such as the policies and procedures that need to be developed. Add to the fact that often more than one organization has responsibility for compliance, and the need for a PCI expert to assist you becomes quite clear. Materdei Consulting, LLC offers comprehensive PCI compliance consulting services, along with industry leading PCI policy toolkits, PCI policies and procedures, and other supporting documents for helping you become PCI compliant. Visit pcipolicyportal.com today to learn more about our products and services.

FREE 15 Minute

PCI DSS Consultation

Talk With a Licensed PCI-QSA Expert

No thank you, I don't have any PCI compliance questions

Book a FREE 15 Minute

PCI DSS Consultation

Talk with a licensed PCI-QSA Expert

and get your compliance questions answered

100% No Cost & No Obligation