PCI EMV Kiosk


Introduction

Are your kiosks PCI EMV-compliant?  Is your application PA-DSS certified?  Odds are against it. For PCI it’s easy to check just by going to the Validated Applications section on the PCI site. EMV introduces Level 1, Level 2 and then Level 3 certifications. Call them Mechanical, Firmware and Application.  There is also a listing of devices (emvco.com).

“But I don’t want to do that.” Let’s list out some of the Why Nots. #1: it costs money to do. You’ll need a QSA (someone like Coalfire, etc.) and that could be $75K easy. #2: it takes time. Figure a year or a month, depending. #3: it is inconvenient. It’s unnecessary regulation given our environment. But skipping it can come back to extract a heavy price in the future.

Affiliations

Participating Organization, PCI Security Standards Council – The PCI Security Standards Council is an open global forum that is responsible for the ongoing development, enhancement, dissemination, and implementation of security standards for payment cardholder account data. The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN-Entry Device (PED) Requirements.

 

Useful Links

PCI EMV News Updates

PCI EMV Kiosk FAQ & Commentary

    • Q: So what about grandfathering devices like they do for ADA?  Can I delay?  A:  The only extensions that Visa/MC are making for the liability shift are for ATMs (2016) and fuel dispensers (2017) – all other merchants are open to the liability shift in 2015.
    • Q: What about someone like Redbox with thousands of machines with old credit card readers?  A:  Redbox may be looking at the cost of upgrading and comparing that against what they would be liable for after the “shift” – one guess is that the cost to upgrade would far outweigh the fraud on $1 payments.
    • Q: Are the banks going to charge me less for being EMV?  A:  One of the other dirty little secrets is that many banks are charging merchants EMV conversion fees to enable EMV acceptance at terminals. For some of the larger merchants, this alone would be some real money.
    • Q: So what costs am I looking at?  A:   The upgrade cost for these merchants would be – the equipment, field technician, software mods, PCI certification (yes – PCI is still required), bank setup fees, and all the other bits and pieces.

 

EMV Capable Card Readers, PIN Pads and Contactless Readers for Self-Service Kiosks

Ingenico iUP 250 + iUR 250

Ingenico makes the iSelf Series, which includes EMV Chip and PIN devices designed specifically for self-service kiosk applications. Combining the iUP 250 and iUR 250 allows EMV Chip & PIN transactions in your kiosks while respecting PCI 3.x certification.

VeriFone UX 100 + UX 300

VeriFone makes the UX “Unattended Devices” for kiosks and other unattended environments. The PIN pad features an LCD graphic screen that securely displays the payment amount and engages customers through targeted messaging.

Kiosk EMV chip and contactless readers

IDTech ViVOpay Vend III

The ViVOpay Vend III contactless NFC, contact EMV, and magnetic stripe all-in-one payment device provides self-service kiosk operators with an integrated device that allows all three types of payment acceptance technologies.

MEI CASHFLOW® EasiChoice 4 in 1

Kiosk EMV contactless NFC card readers

Ingenico iUC 180

The Ingenico contactless reader focuses on contactless transactions only. The iUC 180 is the ideal solution for small transactions, especially in the vending industry.

VeriFone QX 700

The VeriFone QX 700 provides rapid transaction speeds for all card types, including public transportation, stored value and other value-added applications.

IDTech ViVOpay Kiosk II

The ViVOpay Kiosk II is a flexible stand-alone contactless reader comprised of a compact controller module and an RFID antenna module packaged individually giving equipment manufacturers flexibility to integrate contactless payment functionality with their host systems.

Which EMV hardware should I buy for my kiosks so I don’t have to replace it in the next 3 years?

This is a good question that is discussed in the video of the 2014 CPI EMV technology panel below. The answer boils down to personal preference. CPI makes the point that just because a card reader is EMV capable doesn’t mean your entire solution will be EMV compliant. Your entire solution needs to receive end-to-end EMV certification, and according to MEI this has not happened in the US using the MEI 4-in-1 at the time this video was recorded. I’m not here to recommend EMV hardware for your kiosks, just to spell out the options, so watch the video for more information and form your own opinions. We plan to add EMV support to KioskSimple



Updates

  • Feb 2014 – NIST Framework for Cybersecurity – considered an extension of HITECH and HIPAA requirements, it lays out a top-down executive and enterprise view of cybersecurity. Close to a BCP (Business Continuation Plan).