PCI Compliance Kiosks Update & EMV – 2021
- July 2021
- Just what is a CAT or Cardholder Activated Terminal? See FAQ
- Sample specs of PAD device used in major RFP — see below
- Choosing a device for the operational situation is important. A slow CPU for example may work for a liquor store. If you want to display loyalty options then a fast CPU becomes required.
- Whether a device is rated for self-service is important. CAT or Card Holder Activated Terminals is a PCI qualification. A device like P400 or even the devices used in Home Depot for example are not rated for that. Unless you have the leverage of a Home Depot to force the processor to allow use of the units (with conditions), you should always select CAT certified.
- Example is three new devices which are EMV Level 3 rev level and PCI PTS version 6. Other new emerging “now available” include all types of connectivity including 4G and fallback to 3G/2G. Bluetooth, ethernet, and even Smart Cards now. Video of the new Self-4000 being received by Alveni.
We’ve fielded several questions regarding PCI Compliance for kiosks so it seems a good time for us to provide some updated info. Thanks to Rob at UCP , Bruce with Ingenico and Pazit with Otiglobal for helping with the background detail.
To discuss your options and get price quotes contact [email protected]. UCP provides free-of-charge consultations to help identify the best solution or solutions for your physical and digital environment, as well as your self-service use case. Some gateways can do things other gateways can’t for instance, and UCP can help you cut through the weeds and get to the most suitable payments partner quickly.
Kiosk Association positions
- We support and recommend using modern technology for card readers
- We are a paying Participating Organization with the PCI SSC
- You can learn about paying with QR codes at How Do QR Codes Work? post on Retail Automation
Kiosk Card Readers To Pick From
Right now we are just looking at Ingenico readers and OTI Global readers.
- Are your typical transactions below $25 or above
- Best to engineer modularity and the ability to use pinpad or not. Outdoor is another consideration
- Ensure the device is PCI-PTS v4 at minimum (which Ingenicos for kiosks are those?)
- All v3 Ingenico kiosk hardware has been end of life for over a year. The iSelf which we are still selling is PCI v4 as is the iUC285. These are eligible for installation into net new kiosk deployments until April 30, 2023. The Self lineup is PCI-PTS v5, good for net new installations until April 30, 2026. Note: Historically i is possible to recertify to a later PCI-PTS version without changing the form factor of the unit provided nothing in the later specification required it. Ingenico did this with the iPP and iSC for example. I am not saying they will definitely do that with the Self, but there is a precedent for it if a device is a popular workhorse.
- v3.2.1 Otiglobal includes the Trio IQ which provides
- Ideally be aware and target v5
- v4 Pinpad + NFC [iSelf Combo iUC250 and 250LE] Guesstimate MSRP=$500
- protected outdoor
- v4 Contactless/Swipe [iUC285] Guesstimate MSRP=$450
- Any mobile wallet or NFC card
- Vandal and Outdoor capable (IP54)
- no pinpad
- no Audio though it does Beep (a lot). Ticketing ADA consideration.
- v4 iSelf Series Guesstimate MSRP=$1500?
- open frame
- v4 UX Series Guesstimate MSRP=$1500
- Open Frame for seamless integration
- IP44 and IP65
- no audio
- v5.1 Self 2000 – Contactless/Swipe/QR Guesstimate MSRP=$500?
- protected outdoor
- no pinpad
- v5.1 Self 4000 – Contactless/Swipe/QR/Pinpad Guesstimate MSRP=$750?
- See QR camera in lower left of featured image.
- Indoor / Outdoor Capable
- Detail — both readers have water evacuation drain holes. Of course taking all your normal precautions regarding direct sunlight primarily for daylight readability and thermal load concerns. Follow best practices for facing kiosk North or South, avoid East and West facing installations. Instruct cleaning crews to not power wash kiosk etc. etc.
- no commissioning required — this is a big deal. Maintenance and service and downtime can be ruthless.
- In detail — This is a time and money saver in that it no longer takes two technicians with special issued smart cards to install the hardware in the enclosure any more. This was originally a requirement for PIN entry capable payment terminals that are comprised of individual components (the iUP PIN pad and iUR card reader for example). With attended terminals the reader and PIN pad share a common plastic housing that is equipped with all kinds of tamper sensors. With these components, the kiosk enclosure is their common housing so anti-removal/anti-tamper sensors were installed on these devices so it can tell when it is mounting in a kiosk or not. Additionally the smart cards and commissioning process was a way to do a digital handshake between the PIN pad and its reader mate so they would trust each other with the idea being if one of the components was removed and replaced with a rogue device the other component wouldn’t trust the rogue device. Additionally if a bad actor did remove one of the components with this intention it would trip the anti-removal sensors anyway so they’d be unsuccessful from the very first step. With the Self 2000, 4000, and 5000 the PIN pad and reader share a common housing as they are “all in one” units so no trust handshake needed between PIN pad and reader any longer. Beyond that this part of the PCI-PTS specification was deprecated.
- More detail — Commissioning is not a manufacturer’s requirement but rather one that PCI determined was the best way to confirm that a terminal had been installed by an authorized party. This is no longer a requirement under PCI v5, so the Self 2000, 4000 or 5000 do not require it. The Self 7000 and 8000, a modular solution to be used together and due to be released later this year may require commissioning, but our goal is to avoid it if possible. Commissioning does not have anything to do with key injection, it’s merely to put the terminal into a “ready” state once installed within the kiosk.
- What About Verifone devices?
- There is no Verifone device that would be a true comparison to the new Self 2000, 4000, and 5000 line. They don’t currently have a PCI-designated CAT (cardholder activated terminal, aka unattended terminal) that has PIN on display, or is an all-in-one, or has an integrated QR code reader.
- Verifone, to our knowledge, does not have competing devices to match the Self family. They simply haven’t invested in unattended terminals, preferring to focus on their Zivelo acquisition and to push customers to use attended terminals on kiosks. While this works, this is not always in the best interest of the customer in our opinion as these terminals aren’t built for self-service use and may face shorter life spans when used in this manner.
- v4 Pinpad + NFC [iSelf Combo iUC250 and 250LE] Guesstimate MSRP=$500
Smart Vending Card Reader Solution Videos
The Ingenico 2000, 4000 and 5000 readers are also targeted for Smart Vending. Here is a video on that segment by Ingenico.
Here is a video by Otiglobal on Smart Vending
Some Background on Key Injection
This is an older write-up on Key Injection but still relevant at very least from point of view in 2015. Terms and requirements for this are dated to 2015
Key Injection Service is the secure process by which payment hardware (credit card terminal/ reader/ pin pad) gets loaded with the encrypted Debit and Data keys which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure. Debit Keys are now called PIN Keys. This process is mandated by PCI (Payment Card Industry) to mask and protect card holder data during the transaction. A debit key is needed to scramble the pin data and a data key is needed to scramble card data. A debit key is mandatory if a customer wants to accept debit cards. Customers accepting only credit will not need key injection.(1)
Only an ESO (Encryption Service Organization) can perform the key injection service to be PCI compliant.
Ms. McInerny also pointed out that only about half of the equipment is being shipped with encryption, and at the same time, business is growing exponentially. “Point-to-point encryption is an excellent solution because of its security. P2P is a great workaround and protects the merchants.”
ONGOING “After Original Publish” UPDATES
- Ingenico Technical datasheet – Self7000 – APRIL 2021 (1)
- Ingenico Technical datasheet – Self7500 – APRIL 2021
- Ingenico Technical datasheet – Self8000 – APRIL 2021
EMV Level 3 Update
Historically when EMV is discussed it is L1 or L2. Well, now we have L3 (see new Ingenico v6s above).
What does EMV® Level 3 testing mean?
EMV Level 3 (L3) testing aims to validate the integration of an EMV payment or cash dispensing terminal with any merchant or bank systems to ensure end-to-end transaction acceptance.
L3 testing includes the series of processes required to ensure that a new or upgraded terminal (hardware and/or software) meets the specific requirements and recommendations of the individual payment systems before being deployed in the field.
As background, EMVCo has historically been involved in managing Level 1 and Level 2 acceptance device testing processes, collectively known as Type Approval.
• Level 1 focuses on the physical hardware capabilities of a payment card or device, ensuring its electro-mechanical components meet the required specifications.
• Level 2 focuses on the software or firmware interactions between the card and terminal, specifically driven on the terminal side by a component called the ‘EMV Kernel’.
For Level 1 and 2 testing, the requirements for compliance are detailed in the EMV Chip Specifications. More information about the Type Approval process can be found here.
Level 1 and Level 2 testing is typically performed in ‘component’ mode – meaning that each area is tested independently of the other, and typically only within a laboratory environment. In contrast, L3 requires that the terminal be complete with its
EMVCo-approved hardware, software kernel, and payment application in place, and must be connected to a test environment or host simulator which mimics authorisation responses from payment systems.
2021 Alternative Payment Methods
Video of New Self-4000 — Thanks to Jorge at Alveni Kiosks!
Example Specifications (your use case may be different)
- Excel file — Example_PAD_Specifications
Ingenico Unattended Card Reader Matrix
Here is excel sheet of current (July 2021) Ingenico Card Readers for Unattended. These units are all certified for unattended Cardholder Activated Terminals (CAT specification for PCI DSS)
Excel Matrix Comparison of Credit Card Readers for Unattended
You can request a free copy of our Credit Card Reader matrix detailing various characteristics and features. Use the form.
What About COTS or Contactless Payment?
The PCI Contactless Payments on COTS (CPoC) Standard provides security requirements for solutions that enable contactless, or “tap and go”, transactions on merchant COTS devices.
The CPoC Standard includes: Specific criteria for solution providers on how to protect payment data within their solutions; Test requirements for PCI-recognized Laboratories to assess solutions for validation and listing on the PCI SSC website through the supporting CPoC Program. The CPoC Standard is being developed with input from payment card industry stakeholders via the RFC process. This includes a dedicated RFC with the Mobile Task Force that took place in April 2019 and an RFC with Participating Organizations, Qualified Security Assessors and PCI-recognized Laboratories, scheduled to open on 22 July
Request Information Form
Kiosk Card Reader Related Posts
- Four Reasons Android is Gaining Traction (Ingenico blog)