Tag Archives: pci

Where is EMV for Kiosks in 2019? An EMV Update

EMV Update – Unattended

The deadline for merchants to bring payment devices into compliance with EMV standards passed more than three years ago, but there are still non-compliant devices in the marketplace.

otiKiosk provides kiosk system developers with an easy and affordable way to integrate a pre-certified EMV payment acceptance solution
otiKiosk provides kiosk system developers with an easy and affordable way to integrate a pre-certified EMV payment acceptance solution

A year ago, KioskIndustry.org published a piece looking at the state of adoption of Europay, Mastercard and Visa (EMV) requirements among kiosk deployers in 2018. The bottom-line findings were that while kiosk manufacturers were stressing the need for EMV-compliant solutions for new projects, many deployers planned to keep current non-compliant solutions in the field until the end of their lifespan.

Now that a year has passed since that analysis, has anything changed? Where do things stand now?

EMV Compliance continues to expand

To recap, EMV is defined as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes. According to financial services firm FirstData, EMV chip cards transmit a variable algorithm that changes with each transaction, making the data more secure than what’s found on magnetic stripe cards.

Under EMV standards, merchants had until Oct. 1, 2015, to make their payment processing equipment EMV-complaint. If a fraudulent transaction occurred at a merchant who had not upgraded their equipment, the merchant would eat the cost of that transaction along with any fines or fees that might be assessed.

And while EMV standards were relatively clear for in-person transactions, such as those at an attended checkout register at a grocery store, they were a bit murkier when it came to transactions at an unattended device, such as a self-service kiosk.

Although payment card issuer Visa doesn’t break out kiosk-specific statistics, it does track overall EMV adoption. By most measures, the process seems to be rolling along.

As of December 2018, more than 3.1 million merchants now accept chip cards, according to Visa statistics, compared with just 392,000 merchants as of September 2015. There are now 511 million chip cards in circulation compared with 159 million three years ago. Ninety-eight percent of payments accomplished at the end of 2018 were done using chip cards.

In addition, counterfeit fraud dollars dropped 48 percent over the 39-month period, according to Visa statistics, while that figure was closer to 80 percent for merchants who have completed the upgrade.

Still, that doesn’t mean credit-card fraud is going to disappear. According to research by intelligence firm Gemini Advisory, as of November 2018 chip-enabled cards represent 93 percent of the more than 60 million payment cards stolen in the past 12 months, thanks to the lack of U.S. merchant compliance with the EMV implementation.

Other Gemini findings include:

  • 45.8 million or 75 percent are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
  • 90% of the CP compromised U.S. payment cards were EMV enabled.
  • The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
  • Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.

In addition, a new type of card fraud is gaining in popularity. Unlike the skimmers fraudsters attached to gas pumps and other devices to capture credit card information (one of the types of fraud EMV was designed to eliminate) a “shimmer,” according to Krebs on Security, fits in the card slot between the chip on the card and the chip reader — recording the data on the chip as it is read by the underlying machine. The fact that the device fits in the slot itself instead of fitting over the card reader, it’s difficult to spot.

Here’s how Krebs described shimming in 2017:

“Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.

“One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.”

The weakness a shimmer exploits lies with the card issuer as opposed to the payment device.

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”

(If I needed any persuasion that payment card fraud was still a problem, I recently received a call from my bank alerting me that my debit card had been compromised. Someone had used what was obviously a cloned card to withdraw $300 at an ATM 30 miles away from where I live. The bank blocked the card when the fraudster attempted to make a withdrawal at another ATM. A few days later, my son’s debit card was compromised as well. In both cases, the money was refunded to our accounts and the dispute was closed in less than a week. When I posted a comment to the neighborhood Nextdoor social media site about the incident, dozens of people in my area said they had also been victims of payment card fraud. The speculation was that the issue occurred at a nearby convenience store, although nothing was proven.)

The current state of EMV affairs

By all appearances, EMV adoption among kiosk deployers essentially stands where it did a year ago. Deployers seem to be carrying on with existing equipment until the end of its lifespan, with any new deployments.

Part of the reason is likely, as mentioned in last year’s analysis, that the relatively low transaction averaged for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade. Given that risk, it doesn’t make much sense to invest in an upgrade it of the deployer plans to swap it out in a year or two.

“For kiosks we have seen very little in the way of EMV retrofits of fielded kiosks running in mag stripe even though there are surface mount devices well suited to field retrofits available,” said Rob Chilcoat, president, North American Operations with UCP Inc., a provider of EMV-compliant chip-and-pin hardware and payment gateway solutions for attended and unattended card payment terminals in North America.

In addition, some of the concerns about whether a kiosk would be considered attended, “semi-attended” or unattended under EMV requirements may have been overblown.

The Path to EMV
What are some other risks in deploying non-EMV kiosks? Comments from the experts:

  • There are current deployers with standard ecommerce websites using a third-party shopping cart on their kiosks that have no clue about EMV. Kiosk software like KioWare can intercept the shopping cart MSR checkout and perform the EMV transaction; however, they still need the third-party shopping cart to know the transaction has succeeded; ie, we need an API to call. This API is often lacking as most don’t care about kiosks and EMV integration, although it is slowly changing. This is definitely affecting existing kiosks going EMV, but it is also affecting new kiosk projects that had hoped to use their existing third-party shopping cart.
  • If a card data breach is tracked back to a kiosk, the merchant associated with that kiosk would be in hot water. This is why data in the clear between a card reader and a web hosted payment page (the old way of doing things) is such a PCI no-no.
  • Ultimately PCI compliance comes down to the merchant themselves, ISVs want to enable the merchants to use a PCI-DSS pre-certified solution, but that doesn’t completely relieve the merchant themselves from final PCI compliance. Implementing EMV pretty much removes mag stripe data from the environment except in cases where a card has no chip, or the chip is damaged. In the case of a card not having a chip, the issuer of the card would be the least compliant (culpable) party if the merchant is EMV capable. In the event of a damaged chip, this is why it is also important to implement end-to-end encryption, to render malware sniffing attacks unfruitful.

“’Semi-attended’ doesn’t exist as far as the PCI Security Council and EMVCo are concerned; a device is either a Cardholder Activated Terminal (CAT) or it isn’t in their eyes,” Chilcoat said.

“This ‘semi-attended’ term was coined by processors to justify using less costly attended devices at self-checkout and other indoor self-service scenarios where the kiosks are being tended to by an employee of the store,” he said. “This PCI gray area still exists and we do see people ordering attended devices from us for this purpose. We advise against it, but we can’t stop them from doing what they want with a terminal. It really comes down to what the merchant’s processor will allow.”

Still, deployers shouldn’t be lulled into a false sense of security by thinking a low transaction amount means they’re insulated from major losses. Yes, if a fraudulent card is used on a small transaction at the kiosk, it can just be considered a cost of doing business. On the other hand, if someone is able to collect cardholder data at the kiosk and then sell it on the dark web causing massive fraudulent transactions elsewhere, and that gets tracked back to a non-EMV compliant kiosk, it won’t be trivial to a kiosk deployer.

But for new projects, EMV is definitely the norm.

“In terms of kiosks, the biggest thing that’s changed is the move from EMV being an optional form of payment to a requirement for our customers,” said Bruce Rasmussen, director of sales with payment technology provider Ingenico Group.

“Currently we do not have any customers in the pre-deployment stage that are not already planning to support EMV now or in the next phase of their project,” Rasmussen said. “Additionally, merchants are continuing to redefine their customer interface to capture a new segment of the market, and payments continues to play a large role in this transformation.”

In particular, he said, there is a growing emphasis on supporting mobile wallets in payment solutions, which in turn drives demand for EMV contactless. With the majority of legacy cashless options only supporting magstripe transactions, merchants are putting updating their payment solutions to accept contactless at the top of their requirements.

“We see growth in contactless card payments and payments via smart phones driving growth in NFC adoption at the kiosk,” Rasmussen said. “The mandate from the card brands to support EMV contactless payments as of October 2019 is driving adoption for EMV since managing a contact and contactless certification may be the most economical and efficient use of resources to achieve a certification.”

Ultimately, although the process continues to be a gradual one, it’s only a matter of time before the vast majority of self-service kiosks in the marketplace are EMV-compliant.

“In terms of new kiosks, we have not shipped anything mag stripe only for a long time,” Chilcoat said. “I think overall EMV migration has hit a tipping point where chip card payments is the expected user experience and kiosk companies are seeing that and including it in their RFP requirements.”

EMV Update Credits and Members:
EMV References and Article

White Paper – Payment Processor for Kiosks

payment gateway
EMV Kiosk

The Value of Payment Gateways for Kiosks

When a merchant wants to accept payments through their unattended kiosk, they are faced with many processing choices and industry complexities.  Whether forming multiple direct integrations to processors or utilizing one-to-many processing solutions provided by middleware or gateways, kiosk operators and merchants have a lot to consider.

A payment integration to a gateway or processor can require a great deal of time and resources.  Kiosk operators also need to assess ongoing remote maintenance and how to support multiple integrations.  In addition, there are various industry, regulatory and compliance requirements (like EMV and PCI DSS) to follow, as well as value-added security features such as end-to-end encryption or tokenization for recurring payments to consider.  The payment process and user interface must attract and retain the customer through the entire payment process.  As most kiosk users are untrained, transaction abandonment is common with a slow or cumbersome user interface.

This whitepaper will evaluate the benefits and costs of integrating payments via a gateway versus via direct processor connections, plus explore the other potential value points a gateway partner can provide kiosk operators and merchants.

Gateways and Payment Processors Defined

With the payment landscape growing more complex every year, merchants are seeking more sophisticated technologies to help them accept diverse forms of payment and integrate payment data with their other systems, such as inventory management, accounting and more.  Kiosk operators need systems designed for ease of use, speed and security, and payment gateways and payment processors are two of the most widely used solutions for payment acceptance.

A gateway is essentially a secure cloud-based platform that connects credit card payments from merchant points of sale (POS) to their processors, thereby facilitating the authorization and settlement of payment transactions.  Why have a gateway in the middle of this important relationship?  The short answer is for security and flexibility, but the details and other benefits will be expanded below.

A payment processor is a company (often a third party) appointed by a merchant to handle transactions from various channels, such as credit cards and debit cards for merchant acquiring banks.  They are usually two types: front-end and back-end processors.  Front-end processors have connections to various card associations and supply authorization and settlement services to merchants.  Back-end processors accept settlements from front-end processors and move money from issuing bank to the merchant bank.

Pros and Cons of Leveraging a Gateway

Gateways provide several benefits to kiosk operators that are integrating payments into their offerings:

  • A single connection to a gateway leverages that gateway’s multiple connections to many processors, enabling kiosk operators to have more freedom to choose their processor partners and accommodate a broader customer base with very different payment needs.  Connecting once to access multiple payment processors is much more cost-effective and efficient than creating multiple direct processor connections.
  • Access to the gateway provider’s reseller base, which gives kiosk operators connections to potential channel partners and greatly increases growth opportunities.
  • PCI DSS compliance of each processor connection, securely routing card data from the POS system to the processor of choice—again all delivered via the single connection to the gateway.
  • Access to PCI scope-reduction tools, like end-to-end encryption, EMV and tokenization, which limit the kiosk operator’s exposure to handling sensitive card data and potential fraud.
  • Lower upkeep and maintenance costs due to the fact that the gateway provider handles the bi-annual card brand releases and enhancements required by card brands and processors.

The price of leveraging these gateway benefits is typically a gateway transaction fee—an expense in addition to the interchange fees charged by processors.  While the gateway fee is typically nominal, the expense can add up over time as transaction volumes grow.

Pros and Cons of Direct Connections

The main benefit of direct connections is that they eliminate incremental transaction fees typically associated with gateways, because direct processor connections cut out the “middle man” with a select processor.

However, there are additional costs in both funds and time accompanying direct processor connections:

  • Merchant have fewer choices for payment processors—typically only the one processor is directly connected.
  • Kiosk operators are personally responsible for PCI compliance, which is an ongoing and labor-intensive process.  Even when using a PCI DSS-compliant level one service provider, the kiosk operator will still need to adhere to any applicable PSI DSS obligations set forth by their acquirer, based on processing environment, volume of transactions and policies/procedures.
  • It takes a substantial amount of work (and, therefore, cost) to certify and maintain each individual connection, comply with PCI data security standards, and perform necessary updates for card brand and processor bi-annual releases.  This can result in a very expensive, time-consuming and resource-intensive effort for kiosk operators who wish to handle payments processing development themselves.

Integrating with direct connections and certifying EMV transactions for every chosen processor requires several steps, each of which can each take weeks or months to complete:

  1. Submitting and getting approval from the payment processors for an EMV Application Request
  2. Assigning a Certification Analyst and acquiring Magnetic Stripe Reader (MSR) Certification
  3. Completing pre-certification EMV Testing
  4. Completing subsequent EMV certification with individual card brands (These certifications are device- and processor-specific, and separate for Visa, MasterCard, Discover and AMEX)

Repeating this process for each connection is extremely costly to initiate and maintain.  Kiosk operators must certify each desired hardware to each desired processor, and any alterations to the payment application requires a new EMV certificate.

EMV for Kiosk Operators

With the implementation of EMV cards in the U.S., kiosk merchants are seeing improved security for consumers and decreased fraud for merchants.  With these benefits, come a few challenges, the first of which is that kiosks are usually unattended devices.  Since the kiosks are not using a basic POS terminal, an original equipment manufacturer approved for unattended use is needed for Level 1 EMV compliance.  Level 1 EMV compliance relates to the hardware housing the terminal, which must have a higher degree of security to prevent people from accessing the keys to the data.  The next stage of EMV compliance (Level 2) refers to the software. Transactions happen between the POS device and bank exclusively, removing liability from the kiosk operator.  

EMV compliance can be complicated and costly, but it marks a significant shift in liability in the U.S.  Using a secure payment gateway can help to streamline this process for kiosk operators and remove the burden of securing EMV certifications for each payment type.

Other Benefits of Gateways for Kiosk Operators

While direct integration can be time-consuming and expensive, integrating with a gateway provides kiosk operators with several key benefits that reduce ongoing operational costs, labor and maintenance.

  • More Options and Flexibility

Gateways typically enable the ability to connect to more processors than direct connections so merchants have the freedom to choose the partners that work best for their business.  The more connections and channel partners that your gateway provider offers, the more flexible payment options that are available for kiosk merchants.  With customer analytics growing quickly, kiosk merchants can provide a customized experience for their users, including user recognition through card number, email address and more.

  • Top-Notch Security

Be sure to select a gateway provider that has a reputation for top-notch safety and security.  Features to look for include advanced security features like end-to-end encryption, tokenization and hosted payment screens, in addition to EMV compliance for a comprehensive layered security approach.

  • Industry-Specific Solutions

Gateway technology can be tailored for a variety of niche markets like vending, parking, car washes, golf courses, and ticketing, plus a wide array of traditional payments terminals, so look for a provider that meets your specific vertical market needs.

  • Semi-Integrated Solutions to Save Time and Effort

Semi-integrated solutions allow kiosk operators to add EMV support quickly and easily using their existing payment solutions, saving significant time, effort and resources.  EMV reduces the liability for kiosk merchants, shifting more liability to the cardholder’s bank, significantly reducing risk to the kiosk merchant.

  • Increased Growth Potential

Gateway providers sometimes have a large reseller base.  For those that do, granting kiosk operators access to the gateway’s reseller base gives those kiosk operators connections to potential channel partners, greatly increasing growth opportunities.

  • Speed & Service

Gateways should provide a consistent level of service to enhance the payment process for the customer.  Speed of a transaction is especially important during heavy use.  A slow system can drive customers away during the payment process and reduce the sales volume. Kiosks must be able to function well at a high volume without the system slowing or shutting down.

  • Dynamic Routing for Fast and Easy Payment Device Management

Gateways should feature dynamic routing across platforms and services, meaning devices are boarded once and can send transactions anywhere.  This consolidates payments and data from different platforms into one simple, easy-to-use interface, and translates across reporting, risk management and billing for all devices, which dramatically reduces the work required to maintain these connections.  As kiosk users are generally untrained, a fast, reliable experience is required to maintain current users and gain new users. Sales are often abandoned due to system delays or an interface that is not user friendly. Look for a gateway provider that allows acquired portfolios of devices to easily be added, and supports functions like recurring billing.

  • Preferred Rates

Some gateways can convey preferred rates for small-ticket Visa and MasterCard transactions, further validating the ROI of connecting to a gateway, especially for kiosk markets with lower average sales tickets.

  • Flexibility to Support New Technology

Gateway providers continually add support for new payments technologies as they emerge, which helps future-proof solutions and keep them compliant with updated PCI regulations.  Ensuring the kiosk merchants can utilize the latest mobile options, such as Apple Pay, Wallet and more with a future-proof solution.

Which Integration Path is Right for You?

Establishing and maintaining individual connections with processors may seem more empowering and cost-effective at first glance, but it can be quite costly and resource-intensive over the long term.  Many payments solution providers are turning to gateways to provide their merchants (and customers) with more options.  However, each kiosk provider or merchant must weigh the pros and cons, and choose an integration path that works best for their business.

By Justin Passalaqua
Director of Sales at Apriva, LLC
jpassalaqua@apriva.com
(480) 423-7724

For more information on payment gateways and processors visit Apriva website.

UCP has Ingenico iUC285 Beta units

iUC285 Ingenico EMV Reader for Unattended Self Service

Unattended Card Payments Inc. Begins Shipping the iUC285 in the U.S. As main Ingenico VAR for unattended hardware, UCP Inc. announces they have received first shipment of iUC285 beta units.

Source: www.ucp-inc.com

These units are designed for unattended and are being certified with multiple processors as we speak.

Here is spec sheet.

iUC280 product info