Kiosk PCI compliance isn’t enough

June 22, 2015

PCI Compliance for Kiosks

PCI compliance is up — but it’s not enough to protect retailers from fraud.

Source: nrf.com

So you built an 8-foot wall? Guess what: somebody will build a 10-foot ladder.


Kiosks are becoming increasingly popular in a variety of industries, from retail to healthcare to hospitality. While kiosks offer many benefits, such as convenience and self-service, they also pose unique security challenges. Kiosks often accept credit and debit card payments, which makes them a prime target for hackers.

To protect cardholder data, kiosks must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards developed by the PCI Security Standards Council (PCI SSC), a consortium of the major credit card companies. PCI DSS is designed to ensure that all organizations that process, store, or transmit credit card data do so in a secure manner.

Why is PCI compliance important for kiosks?

Kiosks are often located in public places, such as retail stores, airports, and hotels. This makes them more vulnerable to attack than traditional point-of-sale (POS) terminals, which are typically located behind secure counters. Additionally, kiosks are often unattended, which means that there is no one to monitor them for suspicious activity.

PCI compliance helps to mitigate the security risks associated with kiosks. By following the PCI DSS requirements, kiosk operators can help to protect cardholder data from unauthorized access, theft, and misuse.

What are the requirements for PCI compliance for kiosks?

The PCI DSS requirements for kiosks are the same as the requirements for any other organization that processes, stores, or transmits credit card data. However, there are some specific considerations that kiosk operators need to be aware of.

One important consideration is the type of kiosk. There are two main types of kiosks: attended and unattended. Attended kiosks have a staff member present to assist customers. Unattended kiosks do not have a staff member present.

Unattended kiosks are considered to be at a higher risk than attended kiosks. Therefore, unattended kiosks must meet additional PCI DSS requirements, such as:

  • Physical security measures: Unattended kiosks must be physically secured to prevent tampering and theft. This may include measures such as bolting the kiosk to the ground or using a security cage.
  • Video surveillance: Unattended kiosks must be monitored by video surveillance. This will help to deter unauthorized access and to identify and prosecute criminals if a breach does occur.
  • Strong authentication: Unattended kiosks must use strong authentication methods to protect against unauthorized access. This may include measures such as PINs, two-factor authentication, or biometric authentication.

In addition to the specific requirements for unattended kiosks, all kiosks must meet the following general PCI DSS requirements:

  • Build and maintain a secure network: The kiosk network must be segmented from the rest of the organization’s network. This will help to prevent malware from spreading from the kiosk to other systems.
  • Protect cardholder data during storage and transmission: Cardholder data must be stored and transmitted in a secure manner. This may involve using encryption, tokenization, or other security measures.
  • Restrict access to cardholder data: Access to cardholder data must be restricted to authorized personnel only. This may involve using role-based access control, password management, and other security measures.
  • Monitor and test networks regularly: The kiosk network and security systems must be monitored and tested on a regular basis to identify and address any vulnerabilities.
  • Maintain an information security policy: The organization must have an information security policy in place that addresses all of the PCI DSS requirements.
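The "protect cardholder data during storage" requirement is routinely broken not by the payment application itself but by debug logging, crash dumps and gateway error traces that capture the full primary account number (PAN). The following is an added example, not code from the original article or from any kiosk vendor: a small Python check that scans kiosk application log lines for unmasked PANs. It uses the Luhn check to separate real card numbers from other long digit strings (order ids, timestamps), and reports each hit in truncated form (last four digits only). The log format and every value in SAMPLE_LOG are constructed for the example; the two card numbers are the well-known public test PANs, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample kiosk application log lines (not from any real system).
# Two of them leak a full PAN; the 16-digit order_id is not a card number.
SAMPLE_LOG = [
    "2015-06-22T10:01:07Z kiosk-07 txn=83321 amount=14.99 status=APPROVED token=tok_9f3a2c",
    "2015-06-22T10:03:41Z kiosk-07 DEBUG card_read pan=4111 1111 1111 1111 exp=**/**",
    "2015-06-22T10:05:12Z kiosk-07 order_id=1234567890123456 status=APPROVED",
    "2015-06-22T10:06:55Z kiosk-07 ERROR gateway_timeout request='{\"pan\":\"5555555555554444\"}'",
    "2015-06-22T10:08:00Z kiosk-07 contact=555-0100 support_ticket=000123",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the truncated form PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return separator-free PAN candidates in text that pass the Luhn check."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every line holding an unmasked PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, ends in {masked[-4:]}")
```

Run against the sample, the scanner flags line 2 (a debug trace of the card read) and line 4 (a gateway error that echoed the request body), and stays quiet on the 16-digit order id because it fails the Luhn check. Wiring a check like this into log shipping or a nightly job is one concrete way to meet the "monitor and test regularly" requirement above for the storage side of cardholder data.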

How to achieve PCI compliance for kiosks

There are a number of steps that kiosk operators can take to achieve PCI compliance:

  1. Assess your current security posture: The first step is to assess your current security posture to identify any gaps in PCI DSS compliance. You can do this by conducting a self-assessment or by hiring a qualified security assessor.
  2. Develop a PCI DSS compliance plan: Once you have identified any gaps in compliance, you need to develop a plan to address them. This plan should include specific timelines and milestones.
  3. Implement the PCI DSS requirements: Once you have developed a compliance plan, you need to implement the PCI DSS requirements. This may involve making changes to your network architecture, security systems, and operational procedures.
  4. Validate your PCI DSS compliance: Once you have implemented the PCI DSS requirements, you need to validate your compliance. This can be done by conducting an internal self-assessment or by hiring a qualified security assessor.

PCI compliance is an ongoing process. Kiosk operators need to continuously monitor and test their security systems to ensure that they are effective in protecting cardholder data.

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global