PCI compliance essential for kiosk operators
Kiosks that accept card payments are required to comply with the Payment Card Industry Security Standards Council's data security standards.
The PCI SSC was set up in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa, and is responsible for maintaining and updating the Payment Card Industry Data Security Standard and related card security standards.
Like point-of-sale terminals and ATMs, kiosks have to comply with the PCI DSS, whose purpose is to protect cardholder information from unauthorized access. Although compliance with PCI DSS is costly and time-consuming, requiring annual validation, non-compliance will lead to greater costs in the long run.
Penalties for non-PCI DSS compliance include substantial fines from the card schemes, as well as liability for fraud losses resulting from data breaches, not to mention loss of customer confidence.
"PCI DSS has 12 core requirements, which include encryption, network security, firewalls and access controls," Kevin Connor, director of product strategy at U.S. retail software vendor Retail Pro, said. "For example, PCI DSS requires that kiosks and other payment terminals are physically secure and tamper-resistant, so someone can't gain access through the kiosk enclosure to the computer within the kiosk."
The latest version of PCI DSS, version 3.0, includes a new clause requiring organizations operating payment terminals and ATMs to protect their card readers from tampering and substitution.
In addition to complying with PCI DSS, kiosks have to use application software developed in compliance with the PCI SSC's Payment Application Data Security Standard and encrypting PIN pads complying with the PCI PIN Transaction Security Point of Interaction standard. "Whatever payments application is running on the kiosk must be PCI-validated on an annual basis," Connor said.
EPP approvals under version 1 of the PCI PTS POI standard — also known as PCI PED, for PIN Entry Device — expire on April 30, 2014. This means any kiosks purchased and installed or moved after April 30, 2014 will need an EPP compliant with at least version 2 of PCI PTS POI.
"Other than PCI DSS, PA-DSS and PTS POI compliance, there are no specific PCI requirements for kiosks and other unattended payment terminals," Jeremy Gumbley, CTO at vending machine and kiosk payment services provider CreditCall, said.
"To be PCI-compliant, kiosks should never store payment card numbers locally, and they must have a secure network connection, whether they are using Wi-Fi, a cellular connection or a hardwired connection," Connor said.
"Generally, retail kiosks should not use the store's own Internet connection, because these connections are not secure," warns the KioskMarketplace.com white paper "3 Reasons to Protect Your Kiosk with a Private Cellular Network." The white paper, sponsored by Contour Networks, recommends using a private (non-Internet-based) network, preferably a cellular network, to connect kiosks to payment processors. Private cellular networks are cheaper and allow for greater kiosk mobility than landline-based private networks, it said.
"None of the kiosks connected to CreditCall's payments gateway are connected to public networks," Gumbley said.
"Any terminal such as a kiosk that is connected to a store's back-office system could be used by hackers to gain entry to the retailer's database and steal card information," according to Connor. "If kiosks in the field are connected to the retailer's network, they could be vulnerable."
In 2006, U.S. retailer TJX suffered a massive card data breach, reportedly due to a hacker gaining access to its customer information system through an in-store job application kiosk.
To prevent a hacker taking control of a kiosk, industry best practice calls for the kiosk's operating system to be locked down so that only approved applications can run on the terminal.
A key requirement of PCI DSS is that payments terminals have to be kept up-to-date with the latest security patches for their operating system. Any kiosk still running Windows XP after April 8, 2014, when Microsoft will stop supplying security patches for XP, will be vulnerable to hackers exploiting XP security loopholes and also in breach of PCI DSS.
"Over the next six months, a lot of kiosks will be out of PCI compliance because they are still running Windows XP," O'Connor said.
Running point-to-point encryption technology will make it easier for kiosk operators to achieve PCI DSS compliance, Gumbley said. "PCI DSS intrusion detection and network security requirements are less onerous if you use P2PE."
P2PE encrypts a card number as soon as the card is entered into a POS terminal or kiosk's card reader. The encrypted card number is then transmitted over the network to the processor for decryption. Because the merchant doesn't have access to the security key needed to decrypt the card number, P2PE offers a high level of security and therefore reduces the merchant's PCI DSS compliance overhead, Gumbley said.
"CreditCall's view is that kiosks operate in a hostile environment, where someone could plug in a keyboard or a USB drive or hack into the network connection," he said. "So we encrypt all the cardholder data on the kiosks connected to our gateway using a cryptographic key that is unique to each kiosk. If any information is stolen, it will be of no use to criminals, as they won't have the cryptographic key."
Gumbley said that CreditCall changes its cryptographic keys several times a day to thwart potential hackers.
Tokenization is another security technology which helps protect cardholders at kiosks and POS terminals. In a tokenization system, when a customer uses a card for a purchase, their card number is immediately replaced with a unique numerical identifier called a token. The card number is de-tokenized once it reaches the processor's system. "Because merchants store tokens on their back-office systems instead of actual card numbers, tokenization simplify the process of validating a merchant's PCI DSS compliance," Connor said.
"Tokenization and point-to-point encryption remove or render payment card information useless to cyber-criminals, and work in concert with other PCI standards to offer additional protection to payment card data," Bob Russo, the PCI SSC's general manager, said in a March 2014 statement to the U.S. House of Representatives' Committee on Science, Space, and Technology, Subcommittee on Oversight and Subcommittee on Research and Technology. "These technologies can dramatically increase data security at vulnerable points along the transactional chain."
In March 2014, USA Technologies, a provider of wireless and cashless payment technologies for self-service retail industries, said it had added tokenization to its ePort Connect payments platform.
Apart from greater security, another benefit of tokenization is the ability for customers to gain into each consumer's buying patterns at their self-service terminals. "USA Technologies customers can use the activity associated with token identifiers to track certain consumer trends, such as range and frequency of certain consumers' purchases," the company said.
In the last few years, many kiosk deployers have been using tablets instead of PCs in their kiosks because of the lower cost and increased convenience of mobile devices.
A mobile payments app running inside a kiosk needs to indicate to the end user during the payments process that it is in a secure state, for example by displaying a green checkmark, according to PCI SSC guidelines. Moki said a number of factors go into the determination of the secure state, such as whether or not the mobile device has been jail-broken, whether any peripherals have changed, whether the app configuration has been altered, and whether the device is running the correct version of the app.
Jail-breaking refers to the highly insecure practice of circumventing the operating system controls set up by the device's manufacturer, so that unapproved apps can run on the device. "When a mobile device is jail-broken, there are opportunities for malware to take control of it," Gumbley said. "The problem with mobile apps is that the security solutions for mobile devices aren't as mature as those developed for desktop PCs. This means there is significant potential for criminal exploitation of mobile app security vulnerabilities."
Moki said in its blog that, in order to be PCI-compliant, a tablet-based kiosk must be continually monitored for any suspicious changes to its payments solution.
Robin Arnfield / Robin Arnfield has been a technology journalist since 1983. His work has been published by ATM Marketplace, Bank Technology News, Cards & Payments,Cards International, Electronic Payments International, Retail Banker International, Kiosk Marketplace, Mobile Payments Today, Virtual Currency Today, and The Guardian.