PCI Kiosk Update – POS Credit Card Readers for Kiosks

April 13, 2021
PCI Compliance Credit Card Reader

PCI Compliance Kiosks Update – 2021

Image: Ingenico PCI compliance kiosk credit card reader

We’ve fielded several questions regarding PCI compliance for kiosks, so it seems a good time for us to provide some updated information. Thanks to Rob at UCP, Bruce with Ingenico and Pazit with Otiglobal for helping with the background detail.

To discuss your options and get price quotes, contact [email protected]. UCP provides free-of-charge consultations to help identify the best solution or solutions for your physical and digital environment, as well as your self-service use case. Some gateways can do things other gateways can’t, for instance, and UCP can help you cut through the weeds and get to the most suitable payments partner quickly.

Kiosk Association positions

  • We support and recommend using modern technology for card readers
  • We are a paying Participating Organization with the PCI SSC
  • You can learn about paying with QR codes in the How Do QR Codes Work? post on Retail Automation

Credit Card Readers To Pick From

Right now we are just looking at Ingenico readers and OTI Global readers.

  • Are your typical transactions below $25 or above $25?
  • Best to engineer modularity and the ability to use a PIN pad or not. Outdoor use is another consideration.
  • Ensure the device is PCI-PTS v4 at minimum (which Ingenico kiosk devices are those?)
    • All v3 Ingenico kiosk hardware has been end of life for over a year. The iSelf, which we are still selling, is PCI v4, as is the iUC285. These are eligible for installation into net new kiosk deployments until April 30, 2023. The Self lineup is PCI-PTS v5, good for net new installations until April 30, 2026. Note: Historically it is possible to recertify to a later PCI-PTS version without changing the form factor of the unit, provided nothing in the later specification required it. Ingenico did this with the iPP and iSC, for example. I am not saying they will definitely do that with the Self, but there is a precedent for it if a device is a popular workhorse.
    • Otiglobal (v3.2.1) includes the Trio IQ, which provides:
      • All NFC, contact and contactless EMV payments
      • Touchless vending support
      • Reduced development work
      • All-in-one device (reader, controller and SDK)
      • Multimedia capabilities (e.g. advertisements, videos)
      • Large touch screen
      • High-end operating system (Linux) with SDK, allowing users to develop customized features with minimal time, effort and risk
      • Integral support for vending, kiosk, mobile payment, Pulse and closed-loop payments*
  • Ideally, be aware of and target v5
  • Devices
    • v4 Pinpad + NFC [iSelf Combo iUC250 and 250LE] Guesstimate MSRP=$500
      • indoor
      • protected outdoor
      • Buzzer
    • v4 Contactless/Swipe [iUC285]  Guesstimate MSRP=$450
      • Any mobile wallet or NFC card
      • Vandal and Outdoor capable (IP54)
      • no pinpad
      • No audio, though it does beep (a lot); an ADA consideration for ticketing.
    • v4 iSelf Series Guesstimate MSRP=$1500?
      • open frame
      • IP65
    • v4 UX Series  Guesstimate MSRP=$1500
      • Open Frame for seamless integration
      • IP44 and IP65
      • no audio
    • v5.1 Self 2000 – Contactless/Swipe/QR  Guesstimate MSRP=$500?
      • indoor
      • protected outdoor
      • no pinpad
      • Audio
    • v5.1 Self 4000 – Contactless/Swipe/QR/Pinpad Guesstimate MSRP=$750?
      • See QR camera in lower left of featured image.
      • Indoor / Outdoor Capable
        • Detail — both readers have water evacuation drain holes. Of course, take all your normal precautions regarding direct sunlight, primarily for daylight readability and thermal load. Follow best practices for facing the kiosk north or south and avoid east- and west-facing installations. Instruct cleaning crews not to power wash the kiosk, etc.
      • Audio
      • no commissioning required  — this is a big deal. Maintenance and service and downtime can be ruthless.
        • In detail — This is a time and money saver in that it no longer takes two technicians with specially issued smart cards to install the hardware in the enclosure. This was originally a requirement for PIN entry capable payment terminals that are comprised of individual components (the iUP PIN pad and iUR card reader, for example). With attended terminals, the reader and PIN pad share a common plastic housing that is equipped with all kinds of tamper sensors. With these components, the kiosk enclosure is their common housing, so anti-removal/anti-tamper sensors were installed on these devices so each can tell whether it is mounted in a kiosk or not. Additionally, the smart cards and commissioning process were a way to do a digital handshake between the PIN pad and its reader mate so they would trust each other, the idea being that if one of the components was removed and replaced with a rogue device, the other component wouldn’t trust the rogue device. Additionally, if a bad actor did remove one of the components with this intention, it would trip the anti-removal sensors anyway, so they’d be unsuccessful from the very first step. With the Self 2000, 4000 and 5000, the PIN pad and reader share a common housing as they are “all in one” units, so no trust handshake is needed between PIN pad and reader any longer. Beyond that, this part of the PCI-PTS specification was deprecated.
        • More detail — Commissioning is not a manufacturer’s requirement but rather one that PCI determined was the best way to confirm that a terminal had been installed by an authorized party. This is no longer a requirement under PCI v5, so the Self 2000, 4000 or 5000 do not require it. The Self 7000 and 8000, a modular solution to be used together and due to be released later this year, may require commissioning, but our goal is to avoid it if possible. Commissioning does not have anything to do with key injection; it’s merely to put the terminal into a “ready” state once installed within the kiosk.
      • What About Verifone devices?
        • There is no Verifone device that would be a true comparison to the new Self 2000, 4000, and 5000 line. They don’t currently have a PCI-designated CAT (cardholder activated terminal, aka unattended terminal) that has PIN on display, or is an all-in-one, or has an integrated QR code reader.
        • Verifone, to our knowledge, does not have competing devices to match the Self family. They simply haven’t invested in unattended terminals, preferring to focus on their Zivelo acquisition and to push customers to use attended terminals on kiosks. While this works, this is not always in the best interest of the customer in our opinion as these terminals aren’t built for self-service use and may face shorter life spans when used in this manner.

Smart Vending Card Reader Solution Videos

The Ingenico Self 2000, 4000 and 5000 readers are also targeted for smart vending. Here is a video on that segment by Ingenico.

Here is a video by Otiglobal on Smart Vending

Some Background on Key Injection

This is an older write-up on key injection, but still relevant, at the very least from a 2015 point of view. The terms and requirements described here date to 2015.

Key Injection Service is the secure process by which payment hardware (credit card terminal, reader or PIN pad) gets loaded with the encrypted Debit and Data keys, which in effect “marries” the terminal to the merchant’s processor and bank to make the device functional and secure. Debit Keys are now called PIN Keys. This process is mandated by PCI (Payment Card Industry) to mask and protect cardholder data during the transaction. A debit key is needed to scramble the PIN data and a data key is needed to scramble card data. A debit key is mandatory if a customer wants to accept debit cards. Customers accepting only credit will not need key injection.(1)

Only an ESO (Encryption Service Organization) can perform the key injection service to be PCI compliant.

A debit key encrypts the customer’s debit card personal identification number (PIN) when entered during the tender process at the point of sale. The debit key is loaded into the terminal by an ESO, like our key-injection facility, and allows the transaction terminal to complete a debit transaction by securely authenticating the PIN with the issuing bank. This key is not used during a “credit” transaction, where a signature is used for authentication, or to encrypt the actual card data. This key is always required if you are accepting debit transactions, due to PCI standards.(1)

A Point-to-Point Encryption (P2PE) key encrypts the customer’s card information when swiping a credit or debit card at the point of sale. It is also commonly referred to as a data key or end-to-end encryption (E2EE). This works separately from the debit key. P2PE keys are recommended but are not required by current PCI standards. P2PE keys lower the risk of unauthorized interception of sensitive card information during the transmission from the payment terminal to the payment processor. P2PE keys must be injected through an ESO, like debit keys.(1)
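The two paragraphs above say that the debit (PIN) key scrambles the PIN while a separate data key scrambles card data. The Go program below is an added illustration of what that PIN-key side looks like in practice; it is not code from this post, from the ESO quoted here, or from Ingenico or OTI. It builds an ISO 9564-1 format 0 PIN block (PIN field XORed with a PAN field), encrypts that single block under a TDES PIN key, and then plays the host side: the PIN comes back only with the injected PIN key and the matching PAN, and trying the data key instead fails the format checks. The keys and the PAN are constructed test values; a production terminal would hold keys loaded by an ESO and the host side would run inside an HSM.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CONSTRUCTED double-length TDES test keys standing in for what an ESO injects.
var (
	pinKey, _  = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // PIN ("debit") key
	dataKey, _ = hex.DecodeString("89ABCDEF0123456710325476FEDCBA98") // data (P2PE) key
)

// tdesCipher expands a 2-key TDES key K1||K2 to K1||K2||K1 for crypto/des.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte double-length TDES key")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
}

func allDigits(s string) bool {
	return strings.Trim(s, "0123456789") == ""
}

// panField is the format 0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the Luhn check digit
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// FormatZeroPINBlock builds the clear ISO 9564-1 format 0 block: the PIN field
// (0, PIN length, PIN digits, 'F' padding) XORed with the PAN field, so the block
// is bound to one card rather than being reusable against any PAN.
func FormatZeroPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
	pnf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	blk := make([]byte, 8)
	for i := range blk {
		blk[i] = pf[i] ^ pnf[i]
	}
	return blk, nil
}

// EncryptPINBlock applies the PIN key to the single 8-byte block (TDES, as ISO 9564 does).
func EncryptPINBlock(key, clear []byte) ([]byte, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// RecoverPIN is the host/HSM side: decrypt, strip the PAN field, validate the format.
// A wrong key (the data key, say) or a wrong PAN produces a block that fails the checks.
func RecoverPIN(key, enc []byte, pan string) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	pnf, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= pnf[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n64, _ := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if h[0] != '0' || n < 4 || n > 12 || !allDigits(h[2:2+n]) || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block: wrong key, wrong PAN or tampered block")
	}
	return h[2 : 2+n], nil
}

func main() {
	pan := "4111111111111111" // constructed test PAN
	blk, _ := FormatZeroPINBlock("1234", pan)
	enc, _ := EncryptPINBlock(pinKey, blk)
	fmt.Printf("clear PIN block: %X\nunder PIN key:   %X\n", blk, enc)
	pin, err := RecoverPIN(pinKey, enc, pan)
	fmt.Println("host with PIN key:", pin, err)
	_, err = RecoverPIN(dataKey, enc, pan)
	fmt.Println("host with data key:", err)
}
```

The point a kiosk operator should take from this is why a credit-only merchant can skip key injection but a debit-accepting one cannot: without the injected PIN key the terminal cannot produce an encrypted PIN block the host will accept, and a block encrypted under some other key (or built against the wrong PAN) is rejected rather than silently decoded.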

Ms. McInerny also pointed out that only about half of the equipment is being shipped with encryption, and at the same time, business is growing exponentially. “Point-to-point encryption is an excellent solution because of its security. P2P is a great workaround and protects the merchants.”

“Resellers should empower the end user now, and not wait for the processors to tell them what to do.”

Now, last key point: devices purchased last year, or early in 2015, may have been shipped without the final encrypted keys in place.

Retailers should find out NOW if their device needs injection and make plans to either have it done remotely, or to ship their terminal to an authorized center. Retailers with equipment should contact their own supplier about this. Retailers who have changed banks or processors may also have to have their equipment re-injected with the new key.