PCI Compliance for Kiosks and EMV Compliance

PCI Compliance Kiosk

Introduction

PCI Kiosk. It means different things to different people. Are your kiosks PCI compliant? EMV compliant? Is your kiosk or self-order application PA-DSS certified? The odds are against it. For PCI it’s easy to check, just go to the Validated Applications section on the PCI site. EMV introduces Level 1, Level 2 and then Level 3 certifications; call them Mechanical, Firmware and Application. There is also a listing of approved devices at emvco.com.

EMV Kiosk Considerations 2021 Update

  • You definitely don’t want to be using PCI PIN Transaction Security v3 (PCI-PTS v3) devices; you can only deploy those through April of this year. You should be targeting PCI-PTS v4 at a minimum, which can be deployed through 2023, or even better PCI-PTS v5 devices. You can continue to use the payment devices after these dates; you just have to have them in the field before then. For more information contact UCP Inc.
  • Is EMV required? No. There are methods of payment such as Net-E-Pay, supported by the major acquirers, which use a QR code for payment. This form of payment sidesteps EMV. For more information contact Datacapsystems.

But I don’t want to do that. Let’s list some of the reasons why not:

  1. It costs money to do. You’ll need a QSA, and that could be $75K easy.
  2. It takes time. Figure a year or a month, depending.
  3. It is inconvenient. It’s unnecessary regulation given our environment. But it can come back to extract a heavy price in the future.
  4. All of my transactions are so small and so many that the liability factor is low for any significant fraud rate.

PCI Kiosk Definitions

  • PCI Level 1 Compliance – The Payment Card Industry Data Security Standard (PCI DSS) defines a “Level 1” merchant as one that processes at least 1 million, 2.5 million, or 6 million transactions per year, depending on which credit cards the merchant accepts. It is the highest, and most stringent, of the PCI DSS levels. Visa, Mastercard, and Discover define Level 1 merchants as those processing more than 6 million credit card transactions annually.
  • How to Qualify – To comply with PCI DSS, Level 1 merchants and service providers must obtain a yearly Report on Compliance from a Qualified Security Assessor (QSA) or Internal Security Assessor after an onsite audit. Those in levels 2, 3, and 4 may self-assess by filling out the PCI DSS Self-Assessment Questionnaire (SAQ) that the Security Standards Council provides.
  • EMV Compliance – EMV compliance means that a business has upgraded its point-of-sale equipment to credit card readers that support EMV (chip) technology. If a customer walks into the store and is asked to insert their credit card into the slot on the machine, that store is EMV compliant. If the only option is to swipe the card via the magnetic stripe on the back, the store in question probably isn’t EMV compliant.
  • Is the device you are using approved by the PCI Security Standards Council? Check it against the PCI SSC’s PTS approved-devices search.

Affiliations

PCI SSC Participating Organization – The PCI Security Standards Council is an open global forum that is responsible for the ongoing development, enhancement, dissemination, and implementation of security standards for payment cardholder account data. The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN-Entry Device (PED) Requirements.

Member Resources

Here are kiosk association companies that have a primary focus on PCI compliance and EMV compliance. For in-depth questions we suggest contacting one of them.

PCI EMV Kiosk FAQ & Commentary

    • Q: So what about grandfathering devices like they do for ADA? Can I delay? A: The only extensions that Visa/MC are making for the liability shift are for ATMs (2016) and fuel dispensers (2017); all other merchants are open to the liability shift in 2015.
    • Q: What about someone like Redbox with thousands of machines with old credit card readers? A: Redbox may be looking at the cost of upgrading and comparing that against what they would be liable for after the “shift”; one guess is that the cost to upgrade would far outweigh the fraud on $1 payments.
    • Q: Are the banks going to charge me less for being EMV? A: One of the other dirty little secrets is that many banks are charging merchants EMV conversion fees to enable EMV acceptance at terminals. For some of the larger merchants, this alone would be some real money.
    • Q: So what costs am I looking at? A: The upgrade cost for these merchants would be the equipment, field technician, software mods, PCI certification (yes, PCI is still required), bank setup fees, and all the other bits and pieces.

EMV Capable Card Readers, PIN Pads and Contactless Readers for Self-Service Kiosks

Ingenico iUP 250 + iUR 250

Ingenico makes the iSelf Series, which includes EMV Chip and PIN devices designed specifically for self-service kiosk applications. Combining the iUP 250 and iUR 250 allows EMV Chip & PIN transactions in your kiosks while respecting PCI 3.x certification.

VeriFone UX 100 + UX 300

VeriFone makes the UX “Unattended Devices” line for kiosks and other unattended environments. The PIN pad features an LCD graphic screen that securely displays the payment amount and engages customers through targeted messaging.

Kiosk EMV chip and contactless readers

IDTech ViVOpay Vend III

The ViVOpay Vend III contactless NFC, contact EMV, and magnetic stripe all-in-one payment device provides self-service kiosk operators with an integrated device that allows all three types of payment acceptance technologies.

MEI CASHFLOW® EasiChoice 4 in 1

PCI Kiosk contactless card readers

Ingenico iUC 180

The Ingenico contactless reader focuses on contactless transactions only; the iUC 180 is the ideal solution for small transactions, especially in the vending industry.

VeriFone QX 700

The VeriFone QX 700 provides rapid transaction speeds for all card types, including public transportation, stored value and other value-added applications.

IDTech ViVOpay Kiosk II

The ViVOpay Kiosk II is a flexible stand-alone contactless reader comprising a compact controller module and an RFID antenna module, packaged individually to give equipment manufacturers flexibility in integrating contactless payment functionality with their host systems.

Which EMV hardware should I buy for my kiosks so I don’t have to replace it in the next 3 years?

This is a good question that is discussed in the video of the 2014 CPI EMV technology panel below. The answer boils down to personal preference. CPI makes the point that just because a card reader is EMV capable doesn’t mean your entire solution will be EMV compliant. Your entire solution needs to receive end-to-end EMV certification, and according to MEI this had not happened in the US using the MEI 4-in-1 at the time this video was recorded. I’m not here to recommend EMV hardware for your kiosks, just to spell out the options, so watch the video for more information and form your own opinions. We plan to add EMV support to KioskSimple


PCI Standards

ADA Considerations

  • Many of the new EMV card readers come with an audio jack, an audio codec, and an API to communicate with the host machine (a self-order kiosk with a touchscreen, for example). The readers do not come with Braille.
  • For true accessibility compliance, audio needs to be available either via the host machine or the terminal so that the sight-impaired and blind can reliably use the POS. One example would be a cash-back scenario where an employee assists and could possibly perform an illegitimate and unauthorized transaction. POS terminal providers will point to the host terminal as being responsible for this. It’s worth noting that there are security considerations when touchscreens are used, even in the physical design of the kiosk (a bezel versus no-bezel example was given).
  • Tremont ADA Compliance and ATMs

PCI Kiosk Updates

  • Dec 2020 – added definitions and resource files
  • Feb 2014 – NIST Framework for Cybersecurity – considered an extension of HITECH and HIPAA requirements; it lays out a top-down executive and enterprise view of cybersecurity. Close to a BCP (Business Continuation Plan).
