PCI Compliance Kiosks – CAT or Cardholder Activated Terminals FAQ

By | July 24, 2023
Cardholder Activated Terminal Mastercard

Cardholder Activated Terminals FAQ

There are two primary classifications of Point of Sale Terminal Types: Attended and Unattended Payment Terminals are classified into two major types, depending on the situation:

  1. Attended Terminals
    1. A POS Transaction occurring at an attended POS Terminal is a face-to-face Transaction, since a Sales Person or Representative is present at the time of the Transaction.
  2. Unattended Terminals or Cardholder Activated Terminals (CATs)
    1. A POS Transaction occurring at an unat­tended POS Terminal is a non-face-to-face Transaction, as NO Sales Person or Represen­tative is present at the time of the Trans­action. Examples of unattended POS Terminals include ticket dis­pen­sing machines, vending machines, auto­mated fuel dispensers, toll booths, kiosks, and parking meters.

Saying Yes to a McDonalds, Costco or a Home Depot

Quasi Classification of “Semi-Attended” — This is a gray area coined by processors in order to permit use of Attended Terminals in an Unattended Mode. Typically this is seen by large corporations (e.g. Home Depot, Costco) where they wish to use the same terminals throughout the business case with the same liability. The processors will “concede” to the use but only with additional stipulations for use. Preconditions for obtaining such a classification by the processor is directly related to leverage the corporation may exert. Small business is not in that position.

CAT Definitions

The generally used CAT definitions for Mastercard for example are for CAT1, CAT2, CAT3, CAT4, CAT6, CAT7 and CAT9

CAT Restrictions

CAT PCI Restrictions

CAT PCI Restrictions

Comments

As far as the PCISSC is concerned there is no such thing as “semi-attended.” A device is either an attended device (used with the assistance and under the supervision of a representative of the merchant) or is unattended (cardholder activated and used for self-service). This gray area of “Semi attended” was coined by the processors who allow some merchants to use attended terminals in unattended situations which always comes with stipulations like the terminal must be only accessible during business hours and up to X number of self-checkout stations have to be supervised by an attendant, or you can’t sell alcohol or cigarettes at them. The alcohol stipulation was changed a while back by having the attendant at the self-checkout area check the ID and either swipe a badge or enter a code to allow for the sale of age-restricted products. If a kiosk solution provider wants to do everything aboveboard from a PCISSC perspective they should use unattended devices so that no exceptions ever have to be sought to operate in this semi-attended gray area with their prospective client’s processor. Use case and terminal model to be used are made part of a merchant account application and it is always possible an underwriter who reviews that application for risk might flag an attended device used at a kiosk as unacceptable. Also when it comes to an EMV certification, there is a whole host of tests scrips the person doing the certification has to run through to get an L3 EMV cert with a processor, and when the use case is for self-service there are additional tests cases that have to be run for the L3 EMV cert to cover unattended. It’s all-around best practice to use a device designed for self-service basically.

Resources

For more information visit one of our sponsors: