Kiosks that accept card payments are required to comply with the Payment Card Industry Security Standards Council’s data security standards.
The PCI SSC was set up in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa, and is responsible for maintaining and updating the Payment Card Industry Data Security Standard and related card security standards.
Like point-of-sale terminals and ATMs, kiosks have to comply with the PCI DSS, whose purpose is to protect cardholder information from unauthorized access. Although compliance with PCI DSS is costly and time-consuming, requiring annual validation, non-compliance will lead to greater costs in the long run.
Penalties for PCI DSS non-compliance include substantial fines from the card schemes, as well as liability for fraud losses resulting from data breaches, not to mention loss of customer confidence.
“PCI DSS has 12 core requirements, which include encryption, network security, firewalls and access controls,” Kevin Connor, director of product strategy at U.S. retail software vendor Retail Pro, said. “For example, PCI DSS requires that kiosks and other payment terminals are physically secure and tamper-resistant, so someone can’t gain access through the kiosk enclosure to the computer within the kiosk.”
The latest version of PCI DSS, version 3.0, includes a new clause requiring organizations operating payment terminals and ATMs to protect their card readers from tampering and substitution.
In addition to complying with PCI DSS, kiosks have to use application software developed in compliance with the PCI SSC’s Payment Application Data Security Standard (PA-DSS), and encrypting PIN pads (EPPs) that comply with the PCI PIN Transaction Security Point of Interaction (PCI PTS POI) standard. “Whatever payments application is running on the kiosk must be PCI-validated on an annual basis,” Connor said.
EPP approvals under version 1 of the PCI PTS POI standard — also known as PCI PED, for PIN Entry Device — expire on April 30, 2014. This means any kiosk purchased and installed or moved after April 30, 2014 will need an EPP compliant with at least version 2 of PCI PTS POI.
“Other than PCI DSS, PA-DSS and PTS POI compliance, there are no specific PCI requirements for kiosks and other unattended payment terminals,” Jeremy Gumbley, CTO at vending machine and kiosk payment services provider CreditCall, said.
“To be PCI-compliant, kiosks should never store payment card numbers locally, and they must have a secure network connection, whether they are using Wi-Fi, a cellular connection or a hardwired connection,” Connor said.