This message was posted by a user wishing to remain anonymous
We also had our Information Security team separate the connection from our networks.
The conduit through which the POS was connecting to the external network was compromised just before we implemented it and consumer credit card information was compromised (not our members, as we were not yet operational at that time, but for other companies using a similar set-up).
So in a case like this, I wonder if our members will care about the technicality that "they are purchasing directly from the vendor", when it's housed in our building. Seems like the responsibility to keep their information safe would still fall on us.
I really appreciate your input. I'm curious what anyone thinks about where the responsibility lies.
Original Message:
Sent: 05-18-2021 02:48 PM
From: Anonymous Member
Subject: Grab-and-go Market Vendor for Employees
We had IT review our set-up just to make sure it was separate from the network, etc., so it was not a point of vulnerability. Consumers are using their cards to purchase things in this scenario, and it is not the bank passing info to a vendor, in my opinion.
Original Message:
Sent: 05-18-2021 01:40 PM
From: Anonymous Member
Subject: Grab-and-go Market Vendor for Employees
Hi,
I am in the Vendor Management Department at a financial institution, and there is a market area for employees at our HQ. The market has a point-of-sale system which employees use to make purchases.
The machine does not store data per se, but obviously processes all credit card transactions. We do consider credit card account numbers to be GLBA NPPI, but are wondering: should we be reviewing due diligence for this POS vending system?
Has anyone else come across this kind of situation and what is recommended in this case?
Thanks in advance for everyone's help!