The deadline for merchants to bring payment devices into compliance with EMV standards passed more than three years ago, but there are still non-compliant devices in the marketplace.
A year ago, KioskIndustry.org published a piece looking at the state of adoption of Europay, Mastercard and Visa (EMV) requirements among kiosk deployers in 2018. The bottom-line findings were that while kiosk manufacturers were stressing the need for EMV-compliant solutions for new projects, many deployers planned to keep current non-compliant solutions in the field until the end of their lifespan.
Now that a year has passed since that analysis, has anything changed? Where do things stand now?
EMV Compliance continues to expand
To recap, EMV is defined as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes. According to financial services firm FirstData, EMV chip cards transmit a variable algorithm that changes with each transaction, making the data more secure than what’s found on magnetic stripe cards.
Under EMV standards, merchants had until Oct. 1, 2015, to make their payment processing equipment EMV-complaint. If a fraudulent transaction occurred at a merchant who had not upgraded their equipment, the merchant would eat the cost of that transaction along with any fines or fees that might be assessed.
And while EMV standards were relatively clear for in-person transactions, such as those at an attended checkout register at a grocery store, they were a bit murkier when it came to transactions at an unattended device, such as a self-service kiosk.
Although payment card issuer Visa doesn’t break out kiosk-specific statistics, it does track overall EMV adoption. By most measures, the process seems to be rolling along.
As of December 2018, more than 3.1 million merchants now accept chip cards, according to Visa statistics, compared with just 392,000 merchants as of September 2015. There are now 511 million chip cards in circulation compared with 159 million three years ago. Ninety-eight percent of payments accomplished at the end of 2018 were done using chip cards.
In addition, counterfeit fraud dollars dropped 48 percent over the 39-month period, according to Visa statistics, while that figure was closer to 80 percent for merchants who have completed the upgrade.
Still, that doesn’t mean credit-card fraud is going to disappear. According to research by intelligence firm Gemini Advisory, as of November 2018 chip-enabled cards represent 93 percent of the more than 60 million payment cards stolen in the past 12 months, thanks to the lack of U.S. merchant compliance with the EMV implementation.
Other Gemini findings include:
45.8 million or 75 percent are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
90% of the CP compromised U.S. payment cards were EMV enabled.
The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.
In addition, a new type of card fraud is gaining in popularity. Unlike the skimmers fraudsters attached to gas pumps and other devices to capture credit card information (one of the types of fraud EMV was designed to eliminate) a “shimmer,” according to Krebs on Security, fits in the card slot between the chip on the card and the chip reader — recording the data on the chip as it is read by the underlying machine. The fact that the device fits in the slot itself instead of fitting over the card reader, it’s difficult to spot.
“Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.
“One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.”
The weakness a shimmer exploits lies with the card issuer as opposed to the payment device.
“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”
(If I needed any persuasion that payment card fraud was still a problem, I recently received a call from my bank alerting me that my debit card had been compromised. Someone had used what was obviously a cloned card to withdraw $300 at an ATM 30 miles away from where I live. The bank blocked the card when the fraudster attempted to make a withdrawal at another ATM. A few days later, my son’s debit card was compromised as well. In both cases, the money was refunded to our accounts and the dispute was closed in less than a week. When I posted a comment to the neighborhood Nextdoor social media site about the incident, dozens of people in my area said they had also been victims of payment card fraud. The speculation was that the issue occurred at a nearby convenience store, although nothing was proven.)
The current state of EMV affairs
By all appearances, EMV adoption among kiosk deployers essentially stands where it did a year ago. Deployers seem to be carrying on with existing equipment until the end of its lifespan, with any new deployments.
Part of the reason is likely, as mentioned in last year’s analysis, that the relatively low transaction averaged for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade. Given that risk, it doesn’t make much sense to invest in an upgrade it of the deployer plans to swap it out in a year or two.
“For kiosks we have seen very little in the way of EMV retrofits of fielded kiosks running in mag stripe even though there are surface mount devices well suited to field retrofits available,” said Rob Chilcoat, president, North American Operations with UCP Inc., a provider of EMV-compliant chip-and-pin hardware and payment gateway solutions for attended and unattended card payment terminals in North America.
In addition, some of the concerns about whether a kiosk would be considered attended, “semi-attended” or unattended under EMV requirements may have been overblown.
The Path to EMV
What are some other risks in deploying non-EMV kiosks? Comments from the experts:
There are current deployers with standard ecommerce websites using a third-party shopping cart on their kiosks that have no clue about EMV. Kiosk software like KioWare can intercept the shopping cart MSR checkout and perform the EMV transaction; however, they still need the third-party shopping cart to know the transaction has succeeded; ie, we need an API to call. This API is often lacking as most don’t care about kiosks and EMV integration, although it is slowly changing. This is definitely affecting existing kiosks going EMV, but it is also affecting new kiosk projects that had hoped to use their existing third-party shopping cart.
If a card data breach is tracked back to a kiosk, the merchant associated with that kiosk would be in hot water. This is why data in the clear between a card reader and a web hosted payment page (the old way of doing things) is such a PCI no-no.
Ultimately PCI compliance comes down to the merchant themselves, ISVs want to enable the merchants to use a PCI-DSS pre-certified solution, but that doesn’t completely relieve the merchant themselves from final PCI compliance. Implementing EMV pretty much removes mag stripe data from the environment except in cases where a card has no chip, or the chip is damaged. In the case of a card not having a chip, the issuer of the card would be the least compliant (culpable) party if the merchant is EMV capable. In the event of a damaged chip, this is why it is also important to implement end-to-end encryption, to render malware sniffing attacks unfruitful.
“’Semi-attended’ doesn’t exist as far as the PCI Security Council and EMVCo are concerned; a device is either a Cardholder Activated Terminal (CAT) or it isn’t in their eyes,” Chilcoat said.
“This ‘semi-attended’ term was coined by processors to justify using less costly attended devices at self-checkout and other indoor self-service scenarios where the kiosks are being tended to by an employee of the store,” he said. “This PCI gray area still exists and we do see people ordering attended devices from us for this purpose. We advise against it, but we can’t stop them from doing what they want with a terminal. It really comes down to what the merchant’s processor will allow.”
Still, deployers shouldn’t be lulled into a false sense of security by thinking a low transaction amount means they’re insulated from major losses. Yes, if a fraudulent card is used on a small transaction at the kiosk, it can just be considered a cost of doing business. On the other hand, if someone is able to collect cardholder data at the kiosk and then sell it on the dark web causing massive fraudulent transactions elsewhere, and that gets tracked back to a non-EMV compliant kiosk, it won’t be trivial to a kiosk deployer.
But for new projects, EMV is definitely the norm.
“In terms of kiosks, the biggest thing that’s changed is the move from EMV being an optional form of payment to a requirement for our customers,” said Bruce Rasmussen, director of sales with payment technology provider Ingenico Group.
“Currently we do not have any customers in the pre-deployment stage that are not already planning to support EMV now or in the next phase of their project,” Rasmussen said. “Additionally, merchants are continuing to redefine their customer interface to capture a new segment of the market, and payments continues to play a large role in this transformation.”
In particular, he said, there is a growing emphasis on supporting mobile wallets in payment solutions, which in turn drives demand for EMV contactless. With the majority of legacy cashless options only supporting magstripe transactions, merchants are putting updating their payment solutions to accept contactless at the top of their requirements.
“We see growth in contactless card payments and payments via smart phones driving growth in NFC adoption at the kiosk,” Rasmussen said. “The mandate from the card brands to support EMV contactless payments as of October 2019 is driving adoption for EMV since managing a contact and contactless certification may be the most economical and efficient use of resources to achieve a certification.”
Ultimately, although the process continues to be a gradual one, it’s only a matter of time before the vast majority of self-service kiosks in the marketplace are EMV-compliant.
“In terms of new kiosks, we have not shipped anything mag stripe only for a long time,” Chilcoat said. “I think overall EMV migration has hit a tipping point where chip card payments is the expected user experience and kiosk companies are seeing that and including it in their RFP requirements.”
ROSH PINNA, Israel – October 30th, 2018 — On Track Innovations Ltd. (OTI) (NASDAQ: OTIV), a global provider of near field communication (NFC) and cashless payment solutions, has received a renewed Interbank Network Interac certification, which now allows Canadian businesses to integrate OTI’s secure cashless payment solutions into vending machines, kiosks and other unattended devices throughout Canada.
Interac Corp. operates an economical, world-class debit payments system with broad-based acceptance, reliability, security, and efficiency. The organization is one of Canada’s leading payments brands and is chosen an average of 16 million times daily to pay and exchange money.
“We are pleased to announce that we have received the Interac certification, reaffirming our commitment to remain at the forefront of innovation within the exciting Canadian unattended payment market,” said Shlomi Cohen, CEO of OTI. “Canada has over 59,000 automated teller machines and over 450,000 merchant locations accessible through the Interac network, making this certification essential to doing business in Canada. I look forward to addressing this significant market opportunity by leveraging our continued technological advantage and aggressive new sales efforts nationwide,” concluded Cohen.
On Track Innovations (OTI) is a global leader in the design, manufacture, and sale of secure cashless payment solutions using contactless NFC technology. OTI’s field-proven innovations have been deployed around the world to address cashless payment and management requirements for the Internet of Payment Things (IoPT), wearables, automated retail, and petroleum markets. OTI distributes and supports its solutions through a global network of regional offices and alliances. OTI is the proud recipient of the 2017 AI Award for Best Cashless Payment Solutions Provider – Israel. For more information, visit www.otiglobal.com.
Safe Harbor / Forward-Looking Statements
This press release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 and other Federal securities laws. Whenever we use words such as “believe,” “expect,” “anticipate,” “intend,” “plan,” “estimate” or similar expressions, we are making forward-looking statements. For example, we are using forward-looking statements when we discuss our expectations regarding our growth or profitability, reduction of costs and expenses, expected divestitures, plans for our existing and new products and services, penetration of new markets and securing new customers, contributions of our regions to our growth, resolution of our outstanding patent infringement claims, strengthening of our balance sheet and deliver long-term shareholder value. Because such statements deal with future events and are based on OTI’s current expectations, they are subject to various risks and uncertainties and actual results, performance or achievements of OTI could differ materially from those described in or implied by the statements in this press release. Forward-looking statements could be impacted by the effects of the protracted evaluation and validation periods in the U.S. and other markets for contactless payment cards, or new and existing products and our ability to execute production on orders, as well as other risks and uncertainties, including those discussed in the “Risk Factors” section and elsewhere in our Annual Report on Form 10-K for the year ended December 31, 2016, and in subsequent filings with the Securities and Exchange Commission. Although we believe that the expectations reflected in such forward-looking statements are based on reasonable assumptions, we can give no assurance that our expectations will be achieved. Except as otherwise required by law, OTI disclaims any intention or obligation to update or revise any forward-looking statements, which speak only as of the date hereof, whether as a result of new information, future events or circumstances or otherwise.
EMV deadlines have arrived, but many choose to skip the upgrade. EMV is still split into two big camps. One that is compliant and the other which will be, but not yet. Our prime supporting sponsor for this update is KioWare. Thanks!
Richard Slawsky is an Educator and freelance writer, specializing in the digital signage and kiosk industries.Louisville, Kentucky Area
Which costs more, complying with new regulations or not complying and hoping for the best?
The question is particularly relevant when it comes to kiosk deployers complying with Europay, Mastercard and Visa (EMV) regulations. Invest in upgrading equipment, or run the risk of being hit with chargebacks and fines in the event of fraud?
Although the lack of clear incentives or financial impacts have prompted some to skip those upgrades, it may be wiser to begin the planning process now. When the inevitable kiosk fraud case makes headlines, it will likely set off a compliance rush that may leave some deployers waiting months or years to get their devices upgraded and certified.
Meeting EMV deadlines
The Wikipedia entry for EMV defines it as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes.
The Path to EMV
CC readers as keyboard wedge. They take input & then act like a keyboard echoing out the numbers thru port.
Credit companies keep data on unprotected and unencrypted servers.
Europe sees better way & requires solid encryption paired with a PIN (aka Chip and Pin).
The US defers requiring that for time being and does not follow Europe’s lead.
Growth of Internet and rise of credit cards Mastercard and VISA in US agree that encryption is a good thing. Maybe even a PIN…
EMV liability timetable put in motion. ATMs hugely affected (in US only) as are retailers.
CC readers add encryption in advance. Magtek and IDTech good examples. Instead of open Keyboard Wedges we now have encryption capabilities. No chip, though, and no PIN.
Deadline nears – everybody knows it is time to use chips, assuming liability for not doing so is above profit threshold. Somebody that does relatively small transactions will never be a target for stolen credit cards (Redbox e.g.). Does liability outweigh cost of upgrading, and affecting bottom line and potentially share price?
Signature used or zip code as presumed id token.
Data systems becoming more secure with better firewalls, less physical access, and encryption but most are not.
Big incidents (Target) increases pressure to upgrade all systems. Target’s backend was entry point via a vendor with free malware.
Nowadays EMV means getting a chip reader. It means securing the back end (ask Equifax…).
It used to mean signature too but no more.
Does not mean a PIN. With some consumers carrying multiple cards, it is impossible for them to use a secure PIN for each card because they’ll never remember.
Card data remains relatively safe on the front end (with CHIP) though there are many who still swipe (40%?) and IT Departments pay more attention to security on back end. One could argue penalties for breaches be increased as money is best motivator. See HIPAA privacy.
Because the chips are supposedly impossible to clone, smart cards offer vastly improved security compared with magstripe-only cards. But while smart cards include a magstripe along with the integrated circuit for backwards compatibility, the improved security only applies when used with an EMV-compliant card reader.
Although EMV compliance is an ongoing process in the United States, EMV technology has been standard in Europe for years with chip-and-PIN standard and contactless payment cards exploding.
“The card I use for business is probably 60% chip and pin 40% contactless by number of transactions, and I don’t think I’ve ever been asked to confirm a contactless payment by providing my pin,” said Nigel Seed, who runs KioWare Europe now. “A lot of people simply mistrust contactless and refuse to ever use it, in fact some people contact their bank and tell then to send them a replacement card without that facility, but busy metro type professionals typically do use it more than the average.”
To incentivize businesses to upgrade their card readers to EMV-compliant devices, the four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – established Oct. 1, 2015 as the deadline when credit card fraud liability will shift to merchants or processors if they do not have an EMV payment system ready.
If fraudulent card use occurs at a merchant that has not upgraded their equipment to EMV technology, the merchant eats the cost of the chargeback along with any fines or fees that may be levied. If that merchant’s processor has not made an EMV-compliant solution to the merchant, or if the card issuer has not issued EMV-compliant cards to its cardholders, the processor or card issuer assumes the liability.
Despite that deadline, though, deployers of self-service devices have been slow to bring those devices into compliance with EMV, in part due to the complexity and cost of upgrading. Making a kiosk or other self-service device EMV-compliant isn’t simply a matter of swapping out a card reader. Along with upgrading the payment terminal and software, other infrastructure involved in the transaction, such as data storage devices, must be upgraded as well.
EMV compliance affects all systems involved in the payment process, not just the payment terminal. Data warehouses are likely the biggest target of all and the eventual destination of data provided at a public terminal. If a retailer takes that highly encrypted data and then stores it as plain text on some in-house data warehouse that thru the vagaries of Microsoft networking is accessible via a simple vendor logging into a portal, they are vulnerable to EMV compliance issues.
In addition to upgrading hardware, compliance also involves the processor and the card issuers certifying that transactions are originating from an EMV-certified device, and that all software and middleware is PCI-DSS complaint as well as being compliant with international operability standards established by EMVCo, the consortium that manages EMV standards. That process could take several months.
What About A Pin Pad?
When do I need a PIN pad? Here are the basics:
The United States has historically had two kinds of Cardholder Verification Methods (CVM); PIN for debit transactions and signature for credit transactions at attended terminals. A signature was not valid for unattended scenarios under the logic that a kiosk can’t check an ID or signature.
In recent weeks card brands declared Signature to be obsolete and optional in the United States. This really had no impact on unattended as the standard for unattended credit purchases was No CVM.
The vast majority of debit cards issued in the US are called “dual application,” meaning they also carry one of the card brand logos and as such can be used on both debit networks (with PIN) and credit networks (optional signature). Think of the phrase ”Visa check card.” The transaction is performed on the credit network, but the money really comes out of your checking account as opposed to a line of credit.
Acceptance of PIN debit at a kiosk is optional, although there are cases where acceptance of debit is beneficial, such as bill pay kiosks where transactions could be potentially very large. This would be advantageous to a bill pay kiosk businesses when you consider a debit transaction has a fixed cost, while a credit transaction has a percentage of the sale amount fee.
From the perspective of fraud protection it is sort of a non-factor because crooks don’t go around paying their bills with stolen cards. In the case of a kiosk in the mall selling $200 headphones, though, it would be advantageous from a cost of transaction perspective as well as the prevention of card fraud and product loss.
Deciding if having a PIN pad on the kiosk is right for you really comes down to a few factors:
What is the average sale amount, and considering that amount does the potential savings of the fixed cost of a debit transaction vs the % cost of a credit transactions justify the increased hardware cost of adding a PIN pad for debit acceptance? Essentially, what is the ROI of the PIN pad and ability to accept debit?
What is the risk and true cost of loss of product at my kiosk, and does that warrant the cost of a PIN pad?
As an example, let’s say a photo kiosk sale amount maxes out at $50, and using an estimated credit transactional cost of 3.5% as a baseline, transactions will cost $1.75 to run as credit. Given debit transactions typically hover around $1.25/$1.50, the outcome of the financial decision tree says maybe the increased solution cost of the kiosk with PIN pad isn’t showing a strong ROI, or at least one that cannot be realized in the short term.
Furthermore, the risk and cost of lost product is low, and it will take selling a lot of prints to make up for the cost of the PIN pad. In this example it would make sense to forgo PIN debit acceptance at the kiosk and instead process debit cards over the credit network.
“Each payment processor generally drives their own certifications, so timing varies pretty dramatically between payment processing certification teams,” said George Hudock, who handles business development with Datacap Systems, a developer of integrated payment systems.
“Most kiosk providers will use a third-party payments solution to avoid the on-going EMV certifications and maintenance, so most are able to avoid the EMV certifications directly,” Hudock said. “However, EMV certifications for unattended devices generally take 3-5 months once queued.”
Although it’s difficult to tell how many non-EMV-compliant kiosks are out in the field, experts say 50-60 percent of point-of-sale terminals aren’t EMV compliant. It’s likely that the percentage of non-EMV-compliant kiosks is similar. Still, experts say it could be several years before the vast majority of self-service devices in the marketplace are brought in line with EMV regulations.
Overall, the EMV migration in the United States is proceeding as well and as speedily as anyone could reasonably expect considering the somewhat tortured circumstances in which it was launched and the technical complexity and costs of its implementation, said Leland Englebardt, Practice Leader, Financial Services at New York-based UpshotAdvisors.
“Remember, it was not long after Dodd-Frank was enacted, which required many significant changes in payment card infrastructure, economics and rules,” Englebardt said.
“We are beginning to see the results in less counterfeit card fraud, which is good for everybody,” he said. “However, the security of EMV is materially enhanced by adding point-to-point tokenization and encryption. As cyber-crime is now the most active and challenging area of payments fraud, it’s possible that in the near future we will see more mandates and/or liability shifts for those technologies.”
EMV confusion still reigns
Part of what seems to be hampering EMV compliance is a lack of clarity on the part of deployers over where kiosks fall under EMV regulations. Is there a difference between attended and unattended devices? What about those that accept or dispense cash?
According to Visa’s Transaction Acceptance Device Guide Version 3.1, the term Unattended Cardholder Activated Terminal (UCAT) refers to an acceptance device managed by a merchant that dispenses goods or services, at which the card and cardholder are present, but the functions and services are provided without the assistance of an attendant to complete the transaction. These devices include cardholder activated fuel pumps, self-service vending units, and self-service payment devices in parking garages or at parking meters.
Devices that support cash dispensing and provide goods and services must comply with the Visa rules and regulations appropriate to the transaction:
• When dispensing cash, the device is considered an ATM and, therefore, must adhere to the Visa rules and regulations for ATMs. • When dispensing goods or services, the device is considered a UCAT and must adhere to the Visa rules and regulations for unattended purchases.
Although unattended devices (e.g., ATMs, UCATs) may dispense goods and services as well as cash, transactions involving a purchase with cash back are not allowed. In other words, an unattended device may dispense either cash or goods and services in a single transaction but not both. In addition, UCATs that dispense scrip are not addressed because the Visa rules and regulations prohibit Visa card products from being used for scrip transactions. (Scrip is a two-part paper receipt redeemable for goods, services or cash.)
Attended Cardholder Activated Terminals, such as self-checkout terminals in supermarkets, are not considered UCATs and therefore are not required to meet UCAT requirements.
The guide also mentions a third category, “semi-attended,” to describe Semi-Attended Cardholder Activated Terminals in the Europe Region.
If you want to benefit from low cost EFT like Verifone VX820 series (<200USD) and you want to install in Semi-Attended environment you should cover unneeded and unwanted functions by a plastic form.
Pyramid did it for instance in the McD Europe case. The customer can benefit from the low cost EFT and the “white” form embeds the EFT in an elegant and ergonomic way and in same time it covers the magnetic card function on the side of VX820 which would be not needed and would only make customers unsecure which way to use the device. With our embedded form, that ensures that the customer uses or NFC or Chip Card function.
“This has resulted in self-service manufacturers creating a third optional semi-attended solution, in conjunction with VISA, for those situations,” said Frieder Hansen, co-CEO of Germany’s Pyramid Computer. “Instead, for example, a plain IPP350 or 820 being used (attended), or for purposes of a UCAT using Ingenico 250 series, the third solution would be using an inspectable key-lockable option with a terminal like a 350.”
There is a perception that kiosks are always considered unattended from an EMV perspective, said Allen Friedman, VP of Payment Solutions at Ingenico Group.
“This is not always true,” Friedman said. “Some self-service implementations in attended environments where employee assistance is available, like at the grocery store, can be considered attended devices. If there is any time period where no assistance is available, then it is considered an unattended solution.”
There is also a card brand requirement for unattended devices to make a printed receipt available to cardholders for transactions above $15, Friedman said.
“Designs for kiosks intended to provide merchandise or services above that amount should include a receipt printer with their models to insure compliance,” he said.
Taking the risk
Although kiosk deployers are still asking for non-EMV compliant solutions, kiosk manufacturers seem to be coming down firm on needing EMV-compliant payment solutions for any custom deployment. New projects are likely to take EMV into account throughout the process.
On the other hand, some deployers are likely to stick with non-EMV compliant kiosks to the end of their lifespan.
“Deployers aren’t as educated on this as they need to be,” Laura Miller with KioWare said. “They think it doesn’t apply to them, aren’t aware of the risk or think that the risk isn’t high enough to warrant the additional cost.”
EMV-certified options are also still relatively limited, so kiosk providers’ preferred payments providers may not yet have an EMV-certified option for unattended applications.
“Kiosks are also expensive to upgrade to EMV due to a required change in casework to accommodate the updated EMV device,” Hudock said.
EMV & Cloud Services
EMV credit transactions thru the cloud makes things easier. Keyboard wedge changed to HID changed to USB and now changes to Ethernet. A hospital environment with a copay for example in old days would require direct integration between the check-in device and the credit terminal. Which payment processor becomes an issue along with who writes the code.Nowadays you can offload the credit portion via cloud services and all that is required on the check-in or check-out terminal is simple HTTP and JSON call for authorization. The credit device takes over, conducts the transaction (thru preferred provider) via EMV certified kernel and then notifies the check-in/check-out that the transaction is complete.
You eliminate the development cost, and the credit devices can be leased monthly to reduce the upfront cost of going EMV.
You do need an ethernet connection though.
“The kiosk industry is more fragmented than retail/restaurant,” Hudock said. “This means that there are often multiple constituents involved in delivering the kiosk that need to be involved in the upgrade process, including hardware OEMs, software developers, payments middleware providers, payment processors and installers. Kiosk upgrades tend to take a little more time and planning than retail/restaurant due to the number of involved parties.”
Some of the reluctance for kiosk deployers to adopt EMV is understandable. If the kiosk is near the end of its life cycle, a deployer may choose to ride it out until it’s time to replace the entire device. In addition, the relatively low transaction averaged for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade.
Should a deployer choose to skip making their units EMV compliant, though, at the very least they should place additional attention on security to minimize the possibility of fraud. Those steps could include data clearing technology and secure browsers, end session on a particular page, session timeouts and so forth. In addition, point-to-point encryption and tokens are valuable security measures. P2PE ensures that card data is encrypted at the time of card insertion and maintains that encryption until it’s routed offsite. Tokens ensure that card data is not stored locally for voids or recurring transactions.
“There is less risk of internal compromise of data for a kiosk due to the hardened nature of the casework, but the largest card data security problem facing kiosks is likely card skimmers,” Hudock said. “Because these are generally placed on top of an existing reader, the card is skimmed before security measures like encryption or EMV would have any impact. Merchants need to periodically check their kiosks to confirm that they haven’t been tampered with.”
And as EMV cards and terminals become ubiquitous, banks’ authorization parameters may evolve to limit fallback approvals.
“A kiosk operator who doesn’t upgrade to EMV may find it harder and harder to get a positive mag stripe authorization,” Englebardt said.
“Notwithstanding the liability shift, banks seek to avoid the risk of counterfeit card chargebacks that trigger replacement/reissuance costs and cardholder attrition,” he said. “So revenue erosion is an additional long term business risk for kiosk operators not adopting EMV.”
Other Problems with EMV
So you reside in U.S. and all your cards (for the last year) are the sturdier Chip cards right? And no problems since right?Well, not exactly. The process of manufacture still has kinks. Personally two of my cards have failed just due to electronic failure (both of them from Chase). So malfunctioning cards are a problem.
My Chip cards have needed to be replaced due to fraud instances twice (rarely did before). I am a low volume very restricted credit card user (except for online accounts). Why the increase of breaches?
At the end of the day, though, what’s likely to motivate deployers to upgrade their devices will be the news of a major chargeback and fine associated with a device that wasn’t EMV-compliant.
“There are beginning to be some fines but not publicized and none that would be considered punitive by any measure,” said Geoff Leopold, division manager with Heartland Payment Systems. Still, it’s likely just a matter of time before a major incident occurs.
In addition, some payment processors have begun charging their customers EMV non-compliance fees. Those fees can vary, coming as a flat monthly or annual charge or a percentage of the deployer’s processing volume.
“The bottom line is that processors and banks want you to move to EMV equipment because it’s more secure for everyone,” write Ellen Cunningham in an article on the website CardFellow.com. “If you’ve been holding off on EMV-capable equipment you may want to think about upgrading before more processors begin imposing expensive fees.”
How EMV works.
EMVCo manages EMV specifications and related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues. EMVCo is a consortium with control split equally among Visa, MasterCard, JCB, American Express, China UnionPay, and Discover.
US Payments Forum — The U.S. Payments Forum (the “Forum”) is a cross-industry body focused on addressing issues that require broad cooperation and coordination across many constituents in the payments industry. Part of Secure Technology Alliance (see below).
The EMV Connection website provides up-to-date EMV migration information and educational resources. One of those is Chip Cards Facts-at-a-Glance. It is now US Payments Forum.
EMV Resources page of the Card Acquiring Service (CAS). Offers information and links to helpful EMV information, including the federal government’s move to EMV chip and PIN-enabled card acceptance.
Secure Technology Alliance — The Alliance brings together leading providers and adopters of end-to-end security solutions designed to protect privacy and digital assets in a variety of vertical markets.
Industry observers agree the unattended sector has lagged attended retail in adopting EMV. Payment equipment manufacturers have introduced a number of EMV-compliant devices, but many terminals have yet to implement them.
John Menzel, senior self service solutions manager at Ingenico Group, a leading payment equipment manufacturer, recently offered his insights on progress in the self service sector toward EMV compliance.
Following are Menzel’s answers to questions posed by Kiosk Marketplace.
Q: What is the current state of EMV adoption in self-service?
A: EMV adoption in the self-service industry is still in the beginning stages of adoption. However, there are steps being taken from both a hardware and software perspective to increase the security of the payment devices deployed in self-service.
This includes PCI-certified devices running in a point-to-point-encrypted environment with secure read encrypted device capability, known as SRED. In this manner, all card data is encrypted at the time of the transaction to ensure security. This is an interim step before full EMV compliance.
Q: How do EMV compliance regulations affect kiosk operators?
A: Gaining EMV compliance is a process which needs to be completed any time a new combination of payment device, software and gateway/processor is created. The steps taken include utilizing PCI-certified devices, working with qualified security assessor auditors, working with certified payment gateway providers and changing the flow of the software applications to support EMV tags, etc.
So it is a step-by-step process that is a different motion and requires different partners than operating in a nonsecure world. Couple this with the fact that many operators don’t feel the need to upgrade, since they are not currently liable for fraudulent transactions under $20.
Q: What are the benefits of EMV technology?A: There are many benefits of utilizing a PCI-certified EMV solution, including insuring not only end-to-end security of the payment transaction, but insuring rogue devices and skimmers can’t be inserted or card readers removed without anti-tamper switches going off.From a consumer perspective, it gives them confidence to utilize their payment cards when making a purchase at an EMV-enabled self-service kiosk, which provides a similar experience to that which they are used to at a brick-and-mortar retailer.
From an operator perspective, it gives them the future protection of being EMV compliant, especially as higher ticket items are being offered from unattended solutions, like Best Buy’s kiosks.
Q: How does EMV acceptance improve the customer experience?
A: The more the self-service industry can emulate the brick-and-mortar experience, the better. Consumers are now used to inserting their chip cards into EMV readers at supermarkets, retail stores, quick-serve restaurants and more. Consumers understand EMV use — dipping their chip card into a reader — is supposed to be more secure. Implementing EMV at self-service gives them that security and confidence.
Q: How can kiosk operators seamlessly make the switch to EMV?
A: I wouldn’t call it a seamless experience to upgrade from non-PCI compliant, non-EMV solutions. It is more an evolution with incremental steps being taken.
This includes utilizing PCI-certified payment devices, upgrading the software applications to be EMV compliant, utilizing payment gateways that can operate in P2PE manner and undergoing quality security assessor audits of the end-to-end solution.
The future state of self-service is turning the kiosk into a stand-alone store, and secure payment is one of the services that needs to be offered and integrated into the solution for it to be effective.
Elliot Maras is the editor of KioskMarketplace.com and FoodTruckOperator.com.
Ingenico EMV Q&A – EMV adoption in the self-service industry: What’s taking so long? was last modified: April 20th, 2018 by News Editor
“This partnership delivers an affordable, semi-integrated EMV solution for self-service markets,” said Scott Dowty, chief revenue officer at Apriva. “Kiosk retailers, micro-markets, vendors and other self-service merchants can increase their revenues by accepting more forms of cashless payments, easily integrated via Windows or Linux SDK, and reducing their PCI scope through end-to-end encryption.”
The interactive self-service OTI kiosk payment solution is available in the U.S. through OTI’s Las Vegas-based distributor, Unattended Card Payments Inc.
Apriva & OTI Partner for Exclusive Client-Friendly Payment Solution in the North American Market was last modified: November 7th, 2018 by Kiosk Industry
In UK shops that use the technology, including supermarkets such as Waitrose, there were reports of long queues, and several businesses took to social media to advise customers to bring cash with them.
Seems like the Cabbies really took the hit.
Verifone back online after outage on card machines was last modified: May 18th, 2018 by Kiosk Industry
Reprinted with permission.. Protect Yourself From Fraud and Identify Theft In 2018 Fraud protection. Unfortunately, we live in a time when identity theft and fraud are running rampant. Almost every month we hear of major security breaches, with companies like Yahoo, Uber, Equifax, and Dropbox all compromised. When these types of breaches occur, millions of usernames and passwords are hacked, often resulting in identity theft and fraud. So what can you do to protect yourself in 2018? What steps can you take to ensure that you don’t get hacked? We’re going to break down the how, what, and why of protecting yourself, touching on everything from your digital accounts to … Continue reading Protect Yourself From Fraud and Identity Theft In 2018 →
Customs Duty Payment Kiosks Upgraded to EMV While Passing Ten-Year Milestone
November 14, 2017 – YORK, PA. Bermudians love to travel and shop, in fact Bermuda residents are among the most traveled populations in the world. In 2006, Bermuda’s H.M. Customs authority recognized the need to help speed travelers through the arduous task of completing a declarations form and paying duty tax. HSBC, the world’s largest bank, and their Bermuda branch saw the opportunity to help the local government and commissioned Livewire Digital to create new self-service terminals to electronically calculate and pay for the duty tax assessed on purchases made abroad.
Since going live in May of 2007, over 100,000 travelers have used the kiosks annually to complete the declarations process and pay their duty tax via credit card. The kiosks have undergone several minor hardware and software upgrades throughout the past ten years, although the most significant upgrade for security purposes has just been completed. When EMV payment technology became readily available for the self-service market in 2016, HSBC and Livewire began the planning process to update the outdated card swipe equipment with new EMV-based processing that offers point-to-point encryption of card data and secure chip-and-pin security to card holders. The duty payment kiosks now feature Ingenico smart terminals to allow payment via card swipe with signature, chip and pin entry, and NFC/contactless reading. Livewire’s payment gateway partner, FreedomPay, provides the PCI certified process that ensures complete security of HSBC’s customers’ payment card information from the point of data entry to the card processor’s servers.
“It’s great to see systems such as this evolve to continually improve security and the customer experience” said David McCracken, Livewire Digital’s President and CEO. “It’s hard to imagine that these kiosks have been in place for over ten years now and required very little TLC throughout that time span. I believe that points back to the robustness of the original process that HSBC and Livewire designed together, as well as the self-service hardware and software expertise that Livewire has built over the past twenty years.”
About Livewire Digital
Livewire is a leading provider of transactional self-service payment kiosks. Livewire’s many turnkey solutions increase revenue and productivity for its customers, while lowering overhead and providing seamless integration. Livewire provides cutting-edge software, hardware, and system integration, bringing the necessary puzzle pieces together to increase customer engagement and create a better end-user experience. LivewireDigital.com
Customs Duty Payment Kiosks Now EMV was last modified: January 18th, 2018 by News Editor
Why? Well, some call it the “curse of the POS terminal,” where nearly two years after the 2015 POS liability shift, fewer than 50% of merchants have upgraded their POS terminals to EMV. For a number of reasons, many of these procrastinators have yet to be burned by chargebacks.
by: Daryl Cornell –Less than a month before the VISAATM liability shift deadline, you would think we would be in the midst of a frantic, last-ditch effort to upgrade or replace all remaining non-EMV ATMs. Well, you would be wrong. Instead, we hear crickets. To be clear, we are talking about another 75% of all ATM transactions which will be at risk for fraud chargebacks in less than a month (MasterCard’s 25% share of ATM transactions has been at risk for nearly a year). So why the lethargy here? Is “ATM-ageddon” real or just more fake news? Here are the latest estimates on the ground, along with some likely outcomes later this year:
Banks and IADs have largely completed their ATM EMV upgrades. While there are exceptions at the local level, banks are for the most part ready for the final ATM EMV liability shift on October 1. Of the roughly 125,000 bank ATMs in the U.S., estimates are that over 110,000 will be EMV ready this October. The remaining non-EMV ATMs are owned by banks which tend to be smaller and who don’t view themselves as fraud targets. In addition to banks, it looks like more than 75% of IAD-owned ATMs will be EMV ready by October. This equates to roughly 135,000 EMV-capable ATMs out of a total estimated IAD population of 175,000. The remaining 40,000 or so IAD ATMs will present more of a challenge. Some are not upgradeable. Many are in low-transaction or low-margin sites which may be culled. While contracts may call for merchants to bear the expense of EMV upgrade, these provisions have proven difficult to enforce. Hard decisions will need to be made by IADs on these non-EMV ATMs regarding risk assumption, upgrade in conjunction with contract renewal or outright removal. The jury is still out on the level of retail ATM contraction we will see here.
Merchant-owned ATMs are NOT EMV ready. It is the estimated 200,000 merchant-owned ATMs which are the real wild card in the looming liability shift deadline. Currently, fewer than 20% of these ATMs are estimated to be EMV capable. That leaves some 160,000 merchant-owned, non-EMV ATMs exposed to both fraud and chargebacks in little mor than a month. Why? Well, some call it the “curse of the POS terminal,” where nearly two years after the 2015 POS liability shift, fewer than 50% of merchants have upgraded their POS terminals to EMV. For a number of reasons, many of these procrastinators have yet to be burned by chargebacks. These merchants argue that it makes perfect sense to take a “wait and see approach” before upgrading or replacing ATM hardware. Plus, the gas deadline, originally scheduled for this year, has now been extended to 2020. And there’s always a chance for a last minute ATM reprieve, right? Perhaps, however we are talking about cash, combined with persistent, sophisticated criminals and mag stripe fraud totaling $ billions annually. Whether these non-EMV ATMs will be turned off or whether IADs, sponsor banks and processors allow merchants to play “liability shift Russian roulette” will ultimately determine the number of merchant ATMs still operating after October.
ATM contraction is still a likely outcome. Clearly the stakes are high when it comes to liability shift on non-EMV ATMs. Mag stripe ATMs will probably still total over 200,000 at the onset of the VISA liability shift. Unlike POS, retail ATMs and their cash are high-value targets for fraudsters. Will VISA and the other networks blink and continue to absorb fraud losses at non-EMV ATMs? Will IADs be able to rely on contract provisions to protect them from those chargebacks which do flow? Is the liability shift risk worth the reward at these generally low transaction sites? While the answers to all of these questions will determine the degree of contraction, it would appear that there will be far fewer retail ATMs in operation in the U.S. by early 2018 – as many as 40% fewer.
Finally, given the 60-90 days it takes chargebacks to wind their way through the system, we could see a fair amount of coal in merchant stockings this Christmas Season.
T-Minus Forty! – ATM Armageddon and EMV was last modified: October 18th, 2017 by Kiosk Industry
When it comes to mobile apps vs. kiosks in the restaurant field, here’s why some experts give the edge to using a self-service ordering device over a mobile app:
What has made kiosks particularly enticing to consumers is their efficiency.
Customers want to buy products that are easily available, within their budget and present the required information pertaining to ingredients, product details, nutritional value and others. Products and information provided at kiosks quickly cater to those demands.
“When kiosks first came along, there was a learning curve for users,” Vasa said. “It took them some time to figure them out. As time has gone on, kiosks are everywhere. Exposure has helped people understand the technology and become more comfortable with it. Kiosks no longer are seen as potential obstacles, but rather as necessities.”
Juke Slot develops automated technology designed to facilitate faster service and provide entertainment for consumers in the casino, hospitality and restaurant industries. Its Android-based kiosks’ sole purpose is to provide faster service and entertainment to the everyday public environment, with customized application capabilities based on customer needs.
The company’s device provides a tableside ordering, custom designed EMV-certified hardware solution that enables secure transactions. Juke Slot’s lineup also features a standup touchscreen kiosk aimed at the quick service industry.
Juke Slot focuses on giving its customers more control of their operation — over their customer ordering process, over their onsite marketing and over their business processes.
For more information or to purchase Juke Slot’s software or kiosks, email email@example.com.
Kiosks vs. Mobile Apps: A Face-Off of Restaurant Tech was last modified: October 18th, 2017 by Kiosk Industry
When a merchant wants to accept payments through their unattended kiosk, they are faced with many processing choices and industry complexities. Whether forming multiple direct integrations to processors or utilizing one-to-many processing solutions provided by middleware or gateways, kiosk operators and merchants have a lot to consider.
A payment integration to a gateway or processor can require a great deal of time and resources. Kiosk operators also need to assess ongoing remote maintenance and how to support multiple integrations. In addition, there are various industry, regulatory and compliance requirements (like EMV and PCI DSS) to follow, as well as value-added security features such as end-to-end encryption or tokenization for recurring payments to consider. The payment process and user interface must attract and retain the customer through the entire payment process. As most kiosk users are untrained, transaction abandonment is common with a slow or cumbersome user interface.
This whitepaper will evaluate the benefits and costs of integrating payments via a gateway versus via direct processor connections, plus explore the other potential value points a gateway partner can provide kiosk operators and merchants.
Gateways and Payment Processors Defined
With the payment landscape growing more complex every year, merchants are seeking more sophisticated technologies to help them accept diverse forms of payment and integrate payment data with their other systems, such as inventory management, accounting and more. Kiosk operators need systems designed for ease of use, speed and security, and payment gateways and payment processors are two of the most widely used solutions for payment acceptance.
A gateway is essentially a secure cloud-based platform that connects credit card payments from merchant points of sale (POS) to their processors, thereby facilitating the authorization and settlement of payment transactions. Why have a gateway in the middle of this important relationship? The short answer is for security and flexibility, but the details and other benefits will be expanded below.
A payment processor is a company (often a third party) appointed by a merchant to handle transactions from various channels, such as credit cards and debit cards for merchant acquiring banks. They are usually two types: front-end and back-end processors. Front-end processors have connections to various card associations and supply authorization and settlement services to merchants. Back-end processors accept settlements from front-end processors and move money from issuing bank to the merchant bank.
Pros and Cons of Leveraging a Gateway
Gateways provide several benefits to kiosk operators that are integrating payments into their offerings:
A single connection to a gateway leverages that gateway’s multiple connections to many processors, enabling kiosk operators to have more freedom to choose their processor partners and accommodate a broader customer base with very different payment needs. Connecting once to access multiple payment processors is much more cost-effective and efficient than creating multiple direct processor connections.
Access to the gateway provider’s reseller base, which gives kiosk operators connections to potential channel partners and greatly increases growth opportunities.
PCI DSS compliance of each processor connection, securely routing card data from the POS system to the processor of choice—again all delivered via the single connection to the gateway.
Access to PCI scope-reduction tools, like end-to-end encryption, EMV and tokenization, which limit the kiosk operator’s exposure to handling sensitive card data and potential fraud.
Lower upkeep and maintenance costs due to the fact that the gateway provider handles the bi-annual card brand releases and enhancements required by card brands and processors.
The price of leveraging these gateway benefits is typically a gateway transaction fee—an expense in addition to the interchange fees charged by processors. While the gateway fee is typically nominal, the expense can add up over time as transaction volumes grow.
Pros and Cons of Direct Connections
The main benefit of direct connections is that they eliminate incremental transaction fees typically associated with gateways, because direct processor connections cut out the “middle man” with a select processor.
However, there are additional costs in both funds and time accompanying direct processor connections:
Merchant have fewer choices for payment processors—typically only the one processor is directly connected.
Kiosk operators are personally responsible for PCI compliance, which is an ongoing and labor-intensive process. Even when using a PCI DSS-compliant level one service provider, the kiosk operator will still need to adhere to any applicable PSI DSS obligations set forth by their acquirer, based on processing environment, volume of transactions and policies/procedures.
It takes a substantial amount of work (and, therefore, cost) to certify and maintain each individual connection, comply with PCI data security standards, and perform necessary updates for card brand and processor bi-annual releases. This can result in a very expensive, time-consuming and resource-intensive effort for kiosk operators who wish to handle payments processing development themselves.
Integrating with direct connections and certifying EMV transactions for every chosen processor requires several steps, each of which can each take weeks or months to complete:
Submitting and getting approval from the payment processors for an EMV Application Request
Assigning a Certification Analyst and acquiring Magnetic Stripe Reader (MSR) Certification
Completing pre-certification EMV Testing
Completing subsequent EMV certification with individual card brands (These certifications are device- and processor-specific, and separate for Visa, MasterCard, Discover and AMEX)
Repeating this process for each connection is extremely costly to initiate and maintain. Kiosk operators must certify each desired hardware to each desired processor, and any alterations to the payment application requires a new EMV certificate.
EMV for Kiosk Operators
With the implementation of EMV cards in the U.S., kiosk merchants are seeing improved security for consumers and decreased fraud for merchants. With these benefits, come a few challenges, the first of which is that kiosks are usually unattended devices. Since the kiosks are not using a basic POS terminal, an original equipment manufacturer approved for unattended use is needed for Level 1 EMV compliance. Level 1 EMV compliance relates to the hardware housing the terminal, which must have a higher degree of security to prevent people from accessing the keys to the data. The next stage of EMV compliance (Level 2) refers to the software. Transactions happen between the POS device and bank exclusively, removing liability from the kiosk operator.
EMV compliance can be complicated and costly, but it marks a significant shift in liability in the U.S. Using a secure payment gateway can help to streamline this process for kiosk operators and remove the burden of securing EMV certifications for each payment type.
Other Benefits of Gateways for Kiosk Operators
While direct integration can be time-consuming and expensive, integrating with a gateway provides kiosk operators with several key benefits that reduce ongoing operational costs, labor and maintenance.
More Options and Flexibility
Gateways typically enable the ability to connect to more processors than direct connections so merchants have the freedom to choose the partners that work best for their business. The more connections and channel partners that your gateway provider offers, the more flexible payment options that are available for kiosk merchants. With customer analytics growing quickly, kiosk merchants can provide a customized experience for their users, including user recognition through card number, email address and more.
Be sure to select a gateway provider that has a reputation for top-notch safety and security. Features to look for include advanced security features like end-to-end encryption, tokenization and hosted payment screens, in addition to EMV compliance for a comprehensive layered security approach.
Gateway technology can be tailored for a variety of niche markets like vending, parking, car washes, golf courses, and ticketing, plus a wide array of traditional payments terminals, so look for a provider that meets your specific vertical market needs.
Semi-Integrated Solutions to Save Time and Effort
Semi-integrated solutions allow kiosk operators to add EMV support quickly and easily using their existing payment solutions, saving significant time, effort and resources. EMV reduces the liability for kiosk merchants, shifting more liability to the cardholder’s bank, significantly reducing risk to the kiosk merchant.
Increased Growth Potential
Gateway providers sometimes have a large reseller base. For those that do, granting kiosk operators access to the gateway’s reseller base gives those kiosk operators connections to potential channel partners, greatly increasing growth opportunities.
Speed & Service
Gateways should provide a consistent level of service to enhance the payment process for the customer. Speed of a transaction is especially important during heavy use. A slow system can drive customers away during the payment process and reduce the sales volume. Kiosks must be able to function well at a high volume without the system slowing or shutting down.
Dynamic Routing for Fast and Easy Payment Device Management
Gateways should feature dynamic routing across platforms and services, meaning devices are boarded once and can send transactions anywhere. This consolidates payments and data from different platforms into one simple, easy-to-use interface, and translates across reporting, risk management and billing for all devices, which dramatically reduces the work required to maintain these connections. As kiosk users are generally untrained, a fast, reliable experience is required to maintain current users and gain new users. Sales are often abandoned due to system delays or an interface that is not user friendly. Look for a gateway provider that allows acquired portfolios of devices to easily be added, and supports functions like recurring billing.
Some gateways can convey preferred rates for small-ticket Visa and MasterCard transactions, further validating the ROI of connecting to a gateway, especially for kiosk markets with lower average sales tickets.
Flexibility to Support New Technology
Gateway providers continually add support for new payments technologies as they emerge, which helps future-proof solutions and keep them compliant with updated PCI regulations. Ensuring the kiosk merchants can utilize the latest mobile options, such as Apple Pay, Wallet and more with a future-proof solution.
Which Integration Path is Right for You?
Establishing and maintaining individual connections with processors may seem more empowering and cost-effective at first glance, but it can be quite costly and resource-intensive over the long term. Many payments solution providers are turning to gateways to provide their merchants (and customers) with more options. However, each kiosk provider or merchant must weigh the pros and cons, and choose an integration path that works best for their business.
The extension of the solution to kiosks is part of our on-going plan to transform branches for the digital age of banking and give our customers advanced services and a seamless experience,” said Saleh Alzumaie, General Manager Retail Banking Group for Al Rajhi Bank.
“This is the first deployment of our instant issuance technology in self-service kiosks in Saudi Arabia and, since its introduction in January, the number of cards being produced this way has increased threefold.”
Al Rajhi Bank deploys Gemalto’s instant EMV card issuance solution in new self-service kiosks was last modified: October 18th, 2017 by Kiosk Industry
Excerpt — NEW YORK CITY — Ingenico Group said year-over-year shipments of its iSelf Series cashless payment systems grew more than 200%. New additions to Ingenico’s unattended partners program, launched a year ago, have accelerated sales, the company reported. Ingenico products are used by the vending, education, retail, hospitality and parking industries.
Ingenico Group said it saw its single largest deployment of unattended payment solutions in 2016. New unattended partners include Vengo Labs, which makes a wall-mounted touchscreen vending machine, along with Bank of America, Bluefin, Shift4 and Vantiv. The program’s 22 members consist of kiosk, value-added and payment solutions providers. It also serves system integrators that create the ecosystem necessary for secure unattended payments.
Ingenico’s PCI-certified iSelf Series is EMV and NFC capable. The all-in-one iUC285 contact and contactless standalone module for self-service businesses is the most popular terminal/reader in the series. Over the past two years, the company says it created more than 10,000 purchase points with its unattended terminals.
Connected Technology Solutions, Flex, Image Manufacturing Group, Kiosk Information Systems, Olea Kiosks, SlabbKiosks and Zivelo are other kiosk makers that use Ingenico’s products. Intouch, Livewire and Nanonation are among the system integrators working with Ingenico.
Ingenico Group’s Unattended Partner Program Drives Deployment Of Cashless Terminals On Kiosks was last modified: October 18th, 2017 by Kiosk Industry
Using the KioPay Point of Sale kiosk application and the Franklin Bill Payment kiosk by Olea, retailers can now deploy a fully integrated cash accepting kiosk for order processing and fulfillment. Learn more…
Queueing theory is the study of waiting in lines. Actual and perceived wait time can be positively impacted with the implementation of kiosks, effectively improving customer satisfaction, decreasing wait time, and increasing the number of transactions. Learn more…
KioWare Whitepaper Review: Video, EMV, Android, Cash Kiosk was last modified: October 18th, 2017 by News Editor
EMV system compliance has taken longer than many expected due to the complexity of integrating certified hardware with software and processors. Part 1 in a two-part series explores why the transition has taken so long, especially in the unattended retail sector.
“It does seem like it could be going better on the deployment side,” said Frank Olea, CEO of Olea Kiosks Inc., a kiosk designer and manufacturer. He said the payment processors have to become familiar with EMV-compliant hardware, which takes time.
“The retailers all have to change to this technology, so there is a rush on equipment, and there’s a rush on certification,” said Paul Burden, director of software a Meridian Kiosk.
“EMV requires communication in both directions [between the processor and the chip card],” said Greg Burch, vice president of strategic development at payment equipment manufacturer Ingenico Group. “The complexities of that are much more than traditional magstripe.”
“It’s a more complicated integration,” agreed Rob Chilcoat, president of operations at UCP Inc., an EMV compliance consultant that assists companies with EMV migration. “Every link in the chain has to be certified.”
“These smart terminals actually package and encrypt the data before it ever leaves the device, which is a concept called point-to-point encryption,” Chilcoat said. “Combined with Derived Unique Key Per Transaction, that is what ultimately provides the security assurances to the merchants and the kiosk providers that their system won’t ever be the source of a significant breach of customer card data.”
A year after the US deadline, EMV compliance lags: Part 1 — What’s causing the delay? was last modified: April 19th, 2018 by Kiosk Industry
October 19, 2016 – YORK, PA. Livewire Kiosk is pleased to announce the integration and certification of the FreedomPay EMV payment processing system. The FreedomPay solution offers EMV compliance using Ingenico’s iSelf Series of unattended devices with processors including Heartland, First Data, and Elavon. Bundled with Livewire’s Self-Service Commerce platform and eConcierge® Content Management System, the FreedomPay/Ingenico integration provides fast processing of EMV-compliant payments while eliminating the merchant’s and consumer’s risk of credit card fraud.
The FreedomPay integration joins a list of other payment solutions that have been integrated into Livewire’s kiosk software, including Network Merchants, Authorize.net, First Data’s Payeezy, Frontstream, Credit Call, and Tempus. Livewire’s Transaction Processing Engine powers solutions worldwide such as event ticketing, token purchases, duty tax payment, product vending, gift card exchange, and entertainment systems. Initial deployments utilizing FreedomPay include cover charge collection kiosks for an upscale night club in Boston and a state vehicle registration renewal kiosk.
About Livewire Kiosk
Livewire is the Power to Connect, creating integrated software solutions for kiosks, digital signage, web sites and mobile applications, all managed from its eConcierge® Content Management System. Livewire’s transactional solutions increase revenue and productivity for its customers, while lowering overhead and providing seamless integration. Livewire provides cutting-edge software, hardware, and system integration, bringing the necessary puzzle pieces together to increase customer engagement and create a secure end-user experience. Learn more at LivewireDigital.com
What’s the difference between EMV compliance and PCI compliance? The short answer is they’re both guidelines for protecting cardholder data for the purpose preventing fraud, but they focus on different elements of the credit card transaction.
“To clarify it even further and more simply, PCI is about making sure the card data doesn’t get stolen and is secure in the first place and EMV is making sure if the data IS stolen that the content is rendered useless.” – CPI PCI and EMV: What’s the difference?
My goal for this article is to give a brief overview of each of these standards for protecting cardholders so you have an idea how they impact how you accept credit card payments at your self-service kiosk or POS.
The goal of EMV is to ensure the security and global interoperability of chip-based payment cards.
Includes robust cardholder verification (i.e. Chip and PIN). The particular verification method that is used depends on the card issuer as well as the POS where you make a purchase.
Prevents cards from being cloned through the use of microprocessor on the card which produces unique encrypted output each time the card is used to defeat card skimming.
The EMV specifications are managed by the privately owned corporation EMVCo LLC and was first published in 1995 through a joint effort by Europay, MasterCard, and Visa (hence EMV).
The goal of PCI is to protect cardholder data that is processed, stored or transmitted by merchants.
Follows common sense steps that mirror best security practices including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
Requires regular vulnerability scanning by an ASV of Internet-facing environments of merchants and service providers.
Andrew Savala is the CEO of RedSwimmer Inc., creators of the kiosk lockdown software KioskSimple. Andrew has been developing kiosk software since 2007, with an emphasis on self-service retail payment applications.
EMV Compliance vs. PCI Compliance was last modified: October 18th, 2017 by News Editor
Parabit has received commitments from 7 of the top 20 Commercial US Banks for 10,000 plus units over the next two to three years. Over the last 4 weeks 3 US Commercial Banks have upgraded their ACS-1E systems with MMR’s or installed MMR’s with our ACS-1E ATM Lobby Access Control System at over 400 ATM Lobby locations.
Parabit Adds Mobile NFC / Contactless EMV Access Control to secure ATM Lobbies with Overlay and RFID Skimmer Detection was last modified: January 18th, 2018 by Kiosk Industry
Editors Note: New kiosk software release KioWare for Windows (Version 8.7)! New accessibility features are now available (such as ZoomText and JAWS for the visually impaired). Support for EZ® Access Keypad. (See upcoming Accessibility Seminar). Also added are a number of new devices, including an EMV compliant option using the Elavon processor via the OTI Trio (see UCP). Other devices that have been added include Raw Windows printer device support, monitored device support, barcode readers supporting SNAPI, Bill dispensers, acceptors, and recyclers.
Jim Kruper President of KioWare said, “New features in this release provide significant advances in our ability to support ADA compliant deployments and the expansion of options and devices available for transactional kiosk projects.”
Here are the details (note the new “Assistive Technologies” tab in the config tool image below):
Learn more about Accessibility at government site for ADA. Next seminar is 9/27.
Press Release Copy – Version 8.7 of KioWare for Windows is now available. This version adds extensive assistive technologies for visual and hearing assistance as well as a number of new devices such as barcode readers supporting SNAPI, new bill acceptors, dispensers & recyclers, raw printer support and more.
Analytical Design Solutions Inc. (ADSI) has released a new version of KioWare for Windows kiosk software, with new assistive technologies for improved accessibility.
KioWare kiosk software products lock down your device into kiosk mode, which secures the overall operating system, home screen and usage of applications.
support configuration settings can be found in the KioWare Config Tool’s new Assistive Technologies tab. Support for the ZoomText® Magnifier/Reader has also been added. ZoomText is a fully integrated magnification and screen reading program. Also found in the new Assistive Technology tab is support for the EZ® Access Keypad, software navigation keypads for people with mobility or sensory impairments. These features, now available in KioWare Lite, KioWare Basic, & KioWare Full for Windows, combine to help make your kiosk compliant with Section 508 and ADA regulations. These assistive technology applications must be purchased separately.
KioWare Basic and KioWare Full for Windows Version 8.7 has added a number of new supported devices and supported device types:
Raw Windows Printer device support
Any printer that installs a Windows driver
PJL Printer Monitoring Support
Barcode Readers supporting SNAPI
OTI Trio device support providing EMV support through Elavon
Fujitsu F53 Bill Dispenser
CashCode Bill Acceptors
MEI Bill Acceptors
MEI BNR (Bank Note Recycler)
KioWare for Windows (Lite, Basic, & Full) now requires Windows 7 or higher. With version 8.7, Vista will no longer be supported. The browser is now updated to Chrome 52. Additional features for Lite, Basic, & Full includes:
Ability to use “Scheduled Actions” settings to execute a command line
Support for mapping key combinations to actions (HotKeys)
Addin support for handling downloads
Context (right click) menu customization and support
New attract screen mode (simple attract looper) features
Great EMV kiosk case study by Creditcall on our KioskSimple integration with their EMV Payment Gateway. RedSwimmer was looking for a way to provide EMV compliance to users of their kiosk software, KioskSimple. The Challenge RedSwimmer was looking for a way to provide EMV compliance to users of their kiosk software, KioskSimple. Many of RedSwimmer customers are … Continue reading “Creditcall KioskSimple EMV Case Study”
How the EMV Kiosk Works
Both developers and business owners realized the need for an outside party in activating EMV compliance and this is where ChipDNA supported RedSwimmer’s client initiatives.
EMV Kiosk – Creditcall KioskSimple EMV Case Study was last modified: January 18th, 2018 by Kiosk Industry
Las Vegas, March 29, 2016 – SlabbKiosks, a leader in self-service technology, announced today that it has partnered with Ingenico Group, the global leader in seamless payment, to bring secure, EMV-enabled unattended payment devices to the market. SlabbKiosks, well known for its customized kiosk solutions, will utilize Ingenico Group’s unattended payment solutions, and become a member of the company’s Unattended Partner Program.
According to Mike Masone, Sales Director at SlabbKiosks, “Ingenico Group’s iSelf series represents a departure from typical payment devices. The solutions were designed from the ground up for unattended environments, and Ingenico Group provides unparalleled support, by making in-house engineering and support personnel available to our customers. These customers are spread across many verticals but their needs remain the same – to have simple and secure payment applications developed for their unattended applications.”
Ingenico Group’s Unattended Partner Program will allow SlabbKiosks to provide secure, EMV- and NFC-enabled unattended self-service payment solutions via its various kiosk models and customized hardware solutions. The Program was designed to facilitate integration among partners allowing them to offer turnkey unattended solutions for a wide variety of uses with secure EMV and NFC payment acceptance built in.
Bruce Rasmussen, Director of Strategic Verticals for Ingenico added, “We’re seeing high demand for unattended payment solutions. Companies such as SlabbKiosks want to protect their customers from post-EMV deadline fraud liability, while enabling consumers to pay using the latest payment methods, including Apple Pay and Android Pay. We’re looking forward to working closely with SlabbKiosks to bring its new turnkey solutions to market.”
SlabbKiosks is a leading international manufacturer and distributor of cost effective, interactive kiosks. The company has installed and customized interactive kiosks for thousands of clients in over 150 countries and distinguishes itself from the competition by offering the latest in technological advancements including the wireless kiosk, while utilizing high quality components with designs that facilitate quick and efficient maintenance of their units.
The Creditcall EMV Virtual Terminal is a convenient way to test your EMV implementation without requiring a physical EMV terminal.
Fortunately the Creditcall EMV Virtual Terminal is designed to emulate an EMV terminal. This makes for a quick and affordable way to test EMV contact and contactless NFC payments in your application without purchasing EMV hardware.
In this article we’re going to cover how to use the Creditcall EMV Virtual Terminal with KioskSimple kiosk software.
Step 1: Register for a Creditcall WebMIS Sandbox Account
This article will cover how to use the Creditcall EMV Virtual Terminal with KioskSimple.
The only configuration necessary is to enter your WebMIS Terminal Id and Transaction Key under the Transaction Settings tab. As you can see in the screenshot below, the Terminal ID and Trans ID (Transaction Key) just need to be populated.
We’ve went ahead and included screen shots of the Device Settings and Server Settings tabs for your reference, but you shouldn’t need to change these values in order to use the Creditcall EMV Virtual Terminal.
Creditcall EMV Virtual Terminal Transaction Settings. The Terminal ID and Trans ID still need to be populated.
Creditcall EMV Virtual Terminal Device Settings
Creditcall EMV Virtual Terminal Server Settings
Step 4: Configuring KioskSimple to Show the Creditcall EMV Virtual Terminal
By default, KioskSimple blocks popup windows and 3rd party applications from running to ensure a smooth user experience at your kiosks or POS.
We’ll want to disable this feature in order to use the Creditcall EMV Virtual Terminal since it’s a 3rd party application.
This can easily be accomplished by changing the setting Enabling Closing Popup Windows to OFF as shown below.
Popup blocking disabled in KioskSimple
Now that we’ve configured KioskSimple to not block the Creditcall EMV Virtual Terminal we need an easy way to switch to it while KioskSimple is running.
I prefer to disable the filtering of the Windows hotkey ALT-TAB as shown below, which allows you to easily switch between open applications.
Disabling the ALT-TAB hotkey in KioskSimple
Step 5: Launching the Creditcall EMV Virtual Terminal
Step 6: Running an EMV Test Transaction in KioskSimple
Once the example is setup, you can take the following steps to launch KioskSimple and run some EMV test transactions.
Select “Try the Demo” and then “Test Mode”.
When you’re done press ESC and any password will work while KioskSimple is unregistered.
Please contact us and we’ll get you up and running quickly. We offer free phone and email technical support for all of our code examples. Try finding that anywhere else in this industry.
We’re dedicated to making your next kiosk or POS project a success and are happy to hold your hand through the hardware integration.
At the annual NRF Conference & EXPO, Retail’s BIG Show, in New York City, Ingenico Group , global leader in seamless payment, announced a new partner program intended to help accelerate EMV and… | January 17, 2016
Version 3.6 of KioWare for Android (Lite, Basic, & Full) now supports Android Marshmallow (6.0). Users running Android 6.0 can now use KioWare to safely secure their tablets or phones to approved websites or applications.
KioWare Basic for Android and KioWare Full for Android (Version 3.6) also include support for EMV certification via Credit Call’s mPOS CardEaseMobile framework which works on Android 5.0 and newer. With support for this framework, EMV certified transactions and refunds can be run on a tablet using compatible devices. For a full device list,visit our website.
KioWare Lite, Basic, & Full for Android also now support native PDF files, allowing PDF viewing. Version 3.6 of KioWare for Android also offers a user agent feature, appending custom text to the browser user agent. This feature allows the web server to detect that a kiosk is requesting the webpage and enables users to set the kiosk display to be different from basic web browsing content. This feature can also be used for analytics and reporting.
Users of KioWare for Android should update their version of KioWare to version 3.6, particularly if it will be securing a device running Android 6.0 or later. Current support is required in order to update.
For a full description of new features for the entire KioWare for Android product line, visit our site.
More than a month after the October 1 deadline, some reports estimate that only a third of merchants have migrated to EMV-capable credit card readers. At the same time, larger retailers say the new standard doesn’t go far enough.
With the arrival of Apple Pay and, more recently, Android Pay, consumers are becoming more comfortable with alternative ways of paying that don’t involve credit card swipes. And now, with the U.S.’s transition to EMV – smart cards that store data on chips instead of magnetic stripes, which offers increased security – many business owners will have to upgrade their hardware in order to support these newer chip-and-PIN cards.
Today, PayPal unveiled its strategy to compete amid all the changes taking place in the payments landscape with the unveiling of its PayPal Here Chip Card Reader in the U.S. The reader now supports not only EMV, but also magnetic stripe cards and NFC, including Apple Pay, Android Pay, Samsung Pay, and more.
As PayPal VP and GM Brad Brodigan explains, consumers today expect to “pay anywhere, anytime and any way they please,” which is why the company needed to enter the game with a multi-functional card reader. At the same time, businesses themselves are preparing for the EMV liability shift taking place on October 1, 2015. At that time, merchants who won’t accept chip cards will become liable for point-of-sale fraud when customers use their chip cards – a strong incentive to encourage business owners to upgrade their hardware. That’s where the PayPal Here reader comes in.
Let’s face it. When it comes to the U.S. EMV liability shift, there is conflicting information about what it is, who it impacts, and even when it actually starts. We’d like to finally put an end to the confusion and equip you with the facts.
In this webinar. our payment experts will address common misconceptions and provide answers to frequently asked questions, such as:
What is EMV?
What does it take to become EMV-ready?
Can EMV prevent card data breaches?
Does EMV ensure PCI compliance?
When is the migration deadline and what happens after that date?
Featured speakers: Greg Burch, VP of Mobility and Business Development, Ingenico Group / North America Allen Friedman, VP of Payments Solutions, Ingenico Group / North America
EMV Myths Debunked – Ingenico Webinar Tomorrow was last modified: January 18th, 2018 by News Editor
If you concern yourself with the kiosk industry enough to read this article it probably isn’t the first time the terms “chip and pin” or “EMV” have come up in your workweek. In this write-up I hope to address some common misconceptions about EMV and how it effects kiosk manufacturers, ISOs, and kiosk business owner/operators. By the end you should have a good idea of what it takes for all of these groups to get their products past the “EMV capable” finish line.
It is not just the hardware:
EMV hardware manufacturers and distributors have spent the last few years focused on educating ISV/ISOs and hardware integrators that EMV is not just a matter of buying a new piece of hardware. A true solution is dependent on a marriage of hardware and software; and as marriages go it also entails a commitment. More on that to come…
EMV Level 1 means that a device physically meets EMV specifications for chip (contact), and in some cases NFC (contactless).
EMV Level 2 means that the firmware on a device performs to EMV processing specifications.
Both EMV Level 1 and Level 2 are the responsibility of terminal manufacturers. This hardware can be described as “EMV ready.”
Level 3 is achieved when a developer marries a device meeting the aforementioned Level 1 and 2 EMV specifications with their software, and commits to certifying it with a processor or processors, and then the card brands. This fully developed and certified solution can be described as “EMV capable.”
The cost and level of commitment:
The cost of this commitment can definitely set you back more than a designer engagement ring, depending on the ring of course. The cost and level of commitment varies greatly depending on the developer’s goals.
A developer can choose to pursue a direct certification with a processor (fully integrated) or decide to use a payment gateway which has already made a commitment to certifying a piece of hardware with a processor(s) (semi-integrated).
Fully integrated vs. semi-integrated:
A fully integrated approach to EMV is a time consuming a very costly endeavor and the end solution is fully within PCI scope. Historically speaking a fully integrated solution can easily take 8 to 12 months to develop and certify. The cost will be well over $100K all-in considering time, tools, and certification testing. Then rinse and repeat for each processor you want to certify with.
A semi-integrated approach allows you to leverage the commitment of another company to complete your solution in a matter of weeks, and at an enormously reduced cost. In addition to the cost factor a semi-integrated solution also allows you to piggyback on your gateway partner’s PCI-DSS compliance. A semi-integrated approach eliminates your need for full-blown PCI and EMV evaluation. In most cases semi-integrated system architecture will allow for a PCI Self Assessment Questionnaire (SAQ) to obtain your attestation of compliance.
I hope after reading this you have a better understanding of why just picking a piece of hardware that meets EMV Levels 1 and 2 doesn’t make a EMV capable solution. The Liability Shift is coming in October and we are here to help you prepare. For more answers to your questions, and for information on middleware available to you, please contact Unattended Card Payments Inc. at (702) 802-3504 or by emailing firstname.lastname@example.org
Industry Insight EMV Kiosk – Getting past the Finish Line was last modified: January 18th, 2018 by News Editor