PCI Kiosk Compliance Tips for COVID and Small Merchants by PCI SSC

By | December 5, 2020

Kiosk PCI Compliance Tips from PCI SSC

OTI Contactless Credit Card Reader

OTI Contactless Credit Card Reader

July 2021 Update — See the updated KMA PCI EMV Credit Card Reader Update – includes a preview of v6 devices from Ingenico. We also have finalized 30×10 matrix of POS devices and specific capabilities and features.

From PCI SSC –  The COVID-19 pandemic is quickly changing how many small merchants accept payments. Merchants that previously only had brick-and-mortar locations are moving to accept e-commerce and over-the-phone transactions. PCI Security Standards Council shares key
considerations to help small merchants keep their customers’ payment data secure in this rapidly changing environment.

One tip from Kiosk Industry Group is to understand and know what access, if any, your vendors and supply chain have access to.  The Target breach for example was due to a vendor using out-of-date free Malware protection on their PC and getting in via Microsoft infrastructure.

TIP #1: REDUCE WHERE PAYMENT CARD DATA CAN BE FOUND

The best way to protect against data breaches is not store card data at all. Many small merchants are offering curbside pickup now and are accepting telephone payments in lieu of former face-to-face transactions. Avoid writing payment card details down and instead enter them directly into your secure terminal. More Information: PCI SSC Special Interest Group Paper: Accepting Telephone Payments Securely

TIP #2: USE STRONG PASSWORDS

The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. To be effective, passwords must be strong and updated regularly. Weak and vendor default passwords are a frequent source of small merchant breaches. More Information: Strong Passwords Infographic

TIP #3: KEEP SOFTWARE PATCHED AND UP TO DATE

Criminals look for outdated software to exploit flaws in unpatched systems. Timely installation of security patches is crucial to minimize the risk of being breached. One way to keep up with all the necessary changes is by ensuring vulnerability scans are performed regularly to identify security issues. PCI Approved Scanning Vendors (ASVs) can help you identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and other systems, providing a report of your vulnerabilities and how to address them—for example, what patches to
apply. Be sure to act upon the results of ASV vulnerability scans and keep your software up to date. More Information: Patching Infographic

TIP #4: USE STRONG ENCRYPTION

Encryption makes payment card data unreadable to people without a specific key, and can be used to protect stored data and data transmitted over a network. Ask your vendor whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI SSC’s List of PCI P2PE Validated Solutions. If you are setting up a new website, confirm the shopping cart provider is using proper encryption, such as TLS v1.2, to protect your customers’ data. More Information: Information Supplements on Use of SSL/Early TLS

TIP #5: USE SECURE REMOTE ACCESS

To minimize the risk of being breached, it’s important that you take part in managing how and when your vendors can access your systems. Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. You should limit use of remote access and disable it when not needed. If you must allow remote access, ask your vendors to use multi-factor authentication and strong remote access credentials that are unique to your business and not the same as those used for other customers. More Information: PCI SSC Secure Remote Access Infographic

TIP #6: ENSURE FIREWALLS ARE CONFIGURED PROPERLY

A firewall is a device or software that sits between your network and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize. Firewall rules can seem complex, but configuring them properly is vital to security. If you require additional assistance to properly configure your firewall, seek help from a network professional. More Information: Resource for Small Merchants: Firewall Basics

TIP #7: THINK BEFORE YOU CLICK

Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as payment card number, merchant account number or password. Small merchants should be extra vigilant and be on the look out for common phishing and social engineering hacks. More Information: Beware of COVID-19 Online Scams and Threats

TIP #8: CHOOSE TRUSTED PARTNERS

It’s critical you know who your service providers are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you that recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP). More Information:

Additional Links

Relevant PCI Compliance Member Links

 

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global