PCI Kiosk Update – EMV POS Credit Card Readers for Kiosk Card Readers

By | April 13, 2021
PCI Compliance Credit Card Reader

PCI Compliance Kiosks Update & EMV – 2021

pci compliance kiosk credit card reader

Click for full size image — Ingenico pci compliance kiosk credit card reader

Editor Updates: 

  • July 2021
    • Just what is a CAT or Cardholder Activated Terminal? See FAQ
    • Sample specs of PAD device used in major RFP — see below
    • Choosing a device for the operational situation is important. A slow CPU for example may work for a liquor store. If you want to display loyalty options then a fast CPU becomes required.
    • Whether a device is rated for self-service is important. CAT or Card Holder Activated Terminals is a PCI qualification.  A device like P400 or even the devices used in Home Depot for example are not rated for that. Unless you have the leverage of a Home Depot to force the processor to allow use of the units (with conditions), you should always select CAT certified.
    • Example is three new devices which are EMV Level 3 rev level and PCI PTS version 6. Other new emerging “now available” include all types of connectivity including 4G and fallback to 3G/2G.  Bluetooth, ethernet, and even Smart Cards now.  Video of the new Self-4000 being received by Alveni.

We’ve fielded several questions regarding PCI Compliance for kiosks so it seems a good time for us to provide some updated info.  Thanks to Rob at UCP , Bruce with Ingenico and Pazit with Otiglobal for helping with the background detail.

To discuss your options and get price quotes contact [email protected]. UCP provides free-of-charge consultations to help identify the best solution or solutions for your physical and digital environment, as well as your self-service use case. Some gateways can do things other gateways can’t for instance, and UCP can help you cut through the weeds and get to the most suitable payments partner quickly.

Kiosk Association positions

  • We support and recommend using modern technology for card readers
  • We are a paying Participating Organization with the PCI SSC
  • You can learn about paying with QR codes at How Do QR Codes Work? post on Retail Automation

Kiosk Card Readers To Pick From

Right now we are just looking at Ingenico readers and OTI Global readers.

  • Are your typical transactions below $25 or above
  • Best to engineer modularity and the ability to use pinpad or not. Outdoor is another consideration
  • Ensure the device is PCI-PTS v4 at minimum (which Ingenicos for kiosks are those?)
    • All v3 Ingenico kiosk hardware has been end of life for over a year. The iSelf which we are still selling is PCI v4 as is the iUC285. These are eligible for installation into net new kiosk deployments until April 30, 2023. The Self lineup is PCI-PTS v5, good for net new installations until April 30, 2026. Note: Historically i is possible to recertify to a later PCI-PTS version without changing the form factor of the unit provided nothing in the later specification required it. Ingenico did this with the iPP and iSC for example. I am not saying they will definitely do that with the Self, but there is a precedent for it if a device is a popular workhorse.
    • v3.2.1 Otiglobal includes the Trio IQ which provides
      • ALL NFC, contact & contactless EMV payments
      • Touchless vending support
      • Reduce development work
      • All in one device (Reader & Controller & SDK)
      • Multimedia capabilities (e.g advertisements, videos)
      • Large touch screen
      • High-end Operating Systems (Linux) with SDK allows users to develop customized features with minimal time, effort and risk
      • Integral support for Vending, Kiosk, Mobile payment, Pulse, Closed-loop payments*
  • Ideally be aware and target v5
  • Devices
    • v4 Pinpad + NFC [iSelf Combo iUC250 and 250LE] Guesstimate MSRP=$500
      • indoor
      • protected outdoor
      • Buzzer
    • v4 Contactless/Swipe [iUC285]  Guesstimate MSRP=$450
      • Any mobile wallet or NFC card
      • Vandal and Outdoor capable (IP54)
      • no pinpad
      • no Audio though it does Beep  (a lot). Ticketing ADA consideration.
    • v4 iSelf Series Guesstimate MSRP=$1500?
      • open frame
      • IP65
    • v4 UX Series  Guesstimate MSRP=$1500
      • Open Frame for seamless integration
      • IP44 and IP65
      • no audio
    • v5.1 Self 2000 – Contactless/Swipe/QR  Guesstimate MSRP=$500?
      • indoor
      • protected outdoor
      • no pinpad
      • Audio
    • v5.1 Self 4000 – Contactless/Swipe/QR/Pinpad Guesstimate MSRP=$750?
      • See QR camera in lower left of featured image.
      • Indoor / Outdoor Capable
        • Detail — both readers have water evacuation drain holes. Of course taking all your normal precautions regarding direct sunlight primarily for daylight readability and thermal load concerns. Follow best practices for facing kiosk North or South, avoid East and West facing installations. Instruct cleaning crews to not power wash kiosk etc. etc.
      • Audio
      • no commissioning required  — this is a big deal. Maintenance and service and downtime can be ruthless.
        • In detail — This is a time and money saver in that it no longer takes two technicians with special issued smart cards to install the hardware in the enclosure any more. This was originally a requirement for PIN entry capable payment terminals that are comprised of individual components (the iUP PIN pad and iUR card reader for example). With attended terminals the reader and PIN pad share a common plastic housing that is equipped with all kinds of tamper sensors. With these components, the kiosk enclosure is their common housing so anti-removal/anti-tamper sensors were installed on these devices so it can tell when it is mounting in a kiosk or not. Additionally the smart cards and commissioning process was a way to do a digital handshake between the PIN pad and its reader mate so they would trust each other with the idea being if one of the components was removed and replaced with a rogue device the other component wouldn’t trust the rogue device. Additionally if a bad actor did remove one of the components with this intention it would trip the anti-removal sensors anyway so they’d be unsuccessful from the very first step. With the Self 2000, 4000, and 5000 the PIN pad and reader share a common housing as they are “all in one” units so no trust handshake needed between PIN pad and reader any longer. Beyond that this part of the PCI-PTS specification was deprecated.
        • More detail — Commissioning is not a manufacturer’s requirement but rather one that PCI determined was the best way to confirm that a terminal had been installed by an authorized party. This is no longer a requirement under PCI v5, so the Self 2000, 4000 or 5000 do not require it. The Self 7000 and 8000, a modular solution to be used together and due to be released later this year may require commissioning, but our goal is to avoid it if possible. Commissioning does not have anything to do with key injection, it’s merely to put the terminal into a “ready” state once installed within the kiosk.
      • What About Verifone devices?
        • There is no Verifone device that would be a true comparison to the new Self 2000, 4000, and 5000 line. They don’t currently have a PCI-designated CAT (cardholder activated terminal, aka unattended terminal) that has PIN on display, or is an all-in-one, or has an integrated QR code reader.
        • Verifone, to our knowledge, does not have competing devices to match the Self family. They simply haven’t invested in unattended terminals, preferring to focus on their Zivelo acquisition and to push customers to use attended terminals on kiosks. While this works, this is not always in the best interest of the customer in our opinion as these terminals aren’t built for self-service use and may face shorter life spans when used in this manner.

Smart Vending Card Reader Solution Videos

The Ingenico 2000, 4000 and 5000 readers are also targeted for Smart Vending. Here is a video on that segment by Ingenico.

Here is a video by Otiglobal on Smart Vending

Some Background on Key Injection

This is an older write-up on Key Injection but still relevant at very least from point of view in 2015. Terms and requirements for this are dated to 2015

Key Injection Service is the secure process  by which payment hardware (credit card terminal/ reader/ pin pad)  gets loaded with the encrypted  Debit and Data keys which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure.  Debit Keys are now called PIN Keys.  This process is mandated by PCI (Payment Card Industry) to mask and protect card holder data during the transaction.  A debit key is needed to scramble the pin data and a data key is needed to scramble card data.  A debit key is mandatory if a customer wants to accept debit cards.   Customers accepting only credit will not need key injection.(1)

Only an ESO (Encryption Service Organization) can perform the key injection service to be PCI compliant.

A debit key encrypts the customer’s debit card personal identification number (PIN) when entered during the tender process at the point of sale. The debit key is loaded into the terminal by an ESO, like our key-injection facility, and allows the transaction terminal to complete a debit transaction by securely authenticating the PIN with the issuing bank.  This key is not used during a “credit” transaction where a signature is used for authentication or to encrypt the actual card data.  This key is always required if you are accepting debit transactions due to PCI standards.(1)
A Point-to-Point Encryption (P2PE) key encrypts the customer’s card information when swiping a credit or debit card at the point of sale.  It is also commonly referred to a data key or end-to-end encryption (E2EE).  This works separately from the debit key.  P2PE keys are recommended but are not required by current PCI standards. P2PE keys lower the risk of unauthorized interception of sensitive card information during the transmission from the payment terminal to the payment processor.  P2PE keys must be injected through an ESO like debit keys.(1)

Ms. McInerny also pointed out that only about half of the equipment is being shipped with encryption, and at the same time, business is growing exponentially.   “Point-to-point encryption is an excellent solution because of its security. P2P is a great workaround and protects the merchants.”

“Resellers should empower the end user now, and not wait for the processors to tell them what to do.”
Now – last key point – devices purchased last year, or early in 2015, may have been shipped without the final encrypted keys in place. 
Retailers should find out NOW if their device needs injection and make plans to either have it done remotely, or to ship their terminal to an authorized center.   Retailers with equipment should contact their own supplier about this.  Retailers who have changed banks or processors may also have to have their equipment re-injected with the new key.

ONGOING “After Original Publish” UPDATES

As soon as start proclaiming v5, along come v6 iterations. These are from Ingenico and are preliminary specs. Worth noting on the audio front, the 7000 is your conventional Beep while the 7500 and 8000 are both polyphonic WAV file capable.
Ingenico card reader

Ingenico card reader 7000

Ingenico Self 8000

Ingenico Self 8000

Ingenico Self 7500

Ingenico Self 7500

 


EMV Level 3 Update

Historically when EMV is discussed it is L1 or L2.  Well, now we have L3  (see new Ingenico v6s above).

What does EMV® Level 3 testing mean?

EMV Level 3 (L3) testing aims to validate the integration of an EMV payment or cash dispensing terminal with any merchant or bank systems to ensure end-to-end transaction acceptance.

L3 testing includes the series of processes required to ensure that a new or upgraded terminal (hardware and/or software) meets the specific requirements and recommendations of the individual payment systems before being deployed in the field.

As background, EMVCo has historically been involved in managing Level 1 and  Level 2 acceptance device testing processes, collectively known as Type Approval.

• Level 1 focuses on the physical hardware capabilities of a payment card or device, ensuring its electro-mechanical components meet the required specifications.

• Level 2 focuses on the software or firmware interactions between the card and terminal, specifically driven on the terminal side by a component called the ‘EMV Kernel’.

For Level 1 and 2 testing, the requirements for compliance are detailed in the EMV Chip Specifications. More information about the Type Approval process can be found here.

Level 1 and Level 2 testing is typically performed in ‘component’ mode – meaning that each area is tested independently of the other, and typically only within a laboratory environment. In contrast, L3 requires that the terminal be complete with its
EMVCo-approved hardware, software kernel, and payment application in place, and must be connected to a test environment or host simulator which mimics authorisation responses from payment systems.

2021 May EMVCo-Level-3-QA_FINAL_14-August-2017

2021 Alternative Payment Methods

Video of New Self-4000 — Thanks to Jorge at Alveni Kiosks!

Resource Files

Example Specifications (your use case may be different)

Ingenico Unattended Card Reader Matrix

Here is excel sheet of current (July 2021) Ingenico Card Readers for Unattended. These units are all certified for unattended Cardholder Activated Terminals (CAT specification for PCI DSS)

Ingenico Self Serivce Product Line Comparison 2021 – JM

Excel Matrix Comparison of Credit Card Readers for Unattended

You can request a free copy of our Credit Card Reader matrix detailing various characteristics and features. Use the form.

Credit-Card-Reader-Comparison-blurred

What About COTS or Contactless Payment?

The PCI Contactless Payments on COTS (CPoC) Standard provides security requirements for solutions that enable contactless, or “tap and go”, transactions on merchant COTS devices.

The CPoC Standard includes: Specific criteria for solution providers on how to protect payment data within their solutions; Test requirements for PCI-recognized Laboratories to assess solutions for validation and listing on the PCI SSC website through the supporting CPoC Program. The CPoC Standard is being developed with input from payment card industry stakeholders via the RFC process. This includes a dedicated RFC with the Mobile Task Force that took place in April 2019 and an RFC with Participating Organizations, Qualified Security Assessors and PCI-recognized Laboratories, scheduled to open on 22 July

Request Information Form

Kiosk Card Reader Related Posts