Kiosks and PCI
June 4th, 2008 Posted in PCI DSS
Someone asked me a great question today about an edge case in PCI scoping: do kiosks have to comply with PCI DSS? A kiosk can be just like any other point-of-sale (POS) system if it is used as one. That is the operative question - how is the kiosk actually used?
Some kiosks are POS systems in their own right, deployed alongside the store's other POS terminals - self-service checkout stations, for example. They accept cards, so they must be secured and treated exactly like any other POS. This is the simplest scenario.
Now suppose the kiosk sits on the cardholder data environment (CDE) but is only a locked-down web browser with access to a single page - the merchant's own e-commerce website. It is not intended to be a POS; it is an Internet access terminal that happens to reach one site. Because it is connected to the CDE, though, it is in scope for the PCI DSS assessment. Had it been segmented onto its own network with no path into the CDE, it could be argued out of scope, which is the usual reason to segment such devices in the first place.
But what if there is no merchant at all? Say the kiosk is an Internet access terminal in a mall that can only reach ten e-commerce sites, all belonging to merchants resident in the mall. Does that system have to be PCI compliant? It is a dedicated e-commerce browser, but the mall operator has no merchant ID and is not a service provider, so there is no entity for the requirements to attach to.
I think the line between what is a POS and what is not will blur as companies deploy more and more of these systems. Companies will realize they need less and less of the cardholder data and will move towards systems that eliminate the data rather than store-and-secure it.
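To make the segmented-kiosk scenario above concrete, here is an added example that is not part of the original post: a host firewall ruleset for a browser-only kiosk that may reach exactly one merchant site over HTTPS and one resolver for DNS, and nothing else (no inbound services, no path to the store POS subnet). The merchant address 203.0.113.10 and the resolver 192.0.2.53 are placeholder assumptions; the ruleset is printed so it can be reviewed before it is loaded with `nft -f -`.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny nftables ruleset
# for a single-site kiosk. Both addresses are placeholders for the example.

SITE_IP="${SITE_IP:-203.0.113.10}"   # assumed merchant e-commerce server
DNS_IP="${DNS_IP:-192.0.2.53}"       # assumed resolver inside the kiosk VLAN

# Print the ruleset. On the kiosk: kiosk_ruleset | nft -f -
kiosk_ruleset() {
  cat <<EOF
flush ruleset
table inet kiosk {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # no inbound services at all: no SSH, no RDP, no remote management
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    ip daddr $DNS_IP udp dport 53 accept
    ip daddr $SITE_IP tcp dport 443 accept
    # everything else, including the store POS subnet, is logged and dropped
    log prefix "kiosk-egress-deny " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Review check run before loading: all three base chains must default to
# drop, the merchant site must be reachable on 443 only, and no destination
# other than the two allow-listed hosts may appear in any rule.
check_ruleset() {
  rs="$(kiosk_ruleset)"
  [ "$(printf '%s\n' "$rs" | grep -c 'policy drop')" -eq 3 ] || return 1
  printf '%s\n' "$rs" | grep -q "ip daddr $SITE_IP tcp dport 443 accept" || return 1
  printf '%s\n' "$rs" | grep -q "ip daddr $SITE_IP tcp dport 80 " && return 1
  printf '%s\n' "$rs" | grep -v -e "$SITE_IP" -e "$DNS_IP" | grep -q 'daddr' && return 1
  return 0
}
```

The point of the check is the same one an assessor applies when deciding whether segmentation takes a device out of scope: the policy must be deny-by-default in every direction, and the allow list must be short enough to read in full. A kiosk that can only open one TLS connection to one host is far easier to argue about than one that merely "has a browser".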
Update: 7/30/08 - the PCI SSC released an update adding two new device categories to the PCI PED program: "Unattended payment terminals (UPTs) and hardware (also known as host) security modules (HSMs)". As Walt Conway points out, UPTs are basically kiosks.
7 Responses to “Kiosks and PCI”
By Fred on Jun 5, 2008
Ahhh, but what you're forgetting is that ATM machines are a kiosk and banks need to ensure they meet PCI compliance - ATMs are typically managed by a 3rd party relationship, are an older OS and are not necessarily hardened. They do carry customer data and transactions. With the number of card skimming incidents, it is a wonder that those banks that are "PCI compliant" have not addressed this - Wells Fargo is the only bank that has publicly voiced the concern of Diebold/NCR practices.
By EK on Jun 5, 2008
I ran into almost the exact situation that Michael mentioned once. A kiosk which provided a web browser and access to a single web site (the merchant’s e-commerce site).
The merchant had, in my opinion, set things up properly. The kiosk was on a separate network from the store POS. The kiosk was hardened and the network it was on had a tightly configured firewall.
After looking at it all and wondering how to assess it, I realized that if you look at it from a more general point of view you need to ask: how is that kiosk really any different from an Internet cafe or someone's home computer?
In the end, we kept the kiosk in-scope because the merchant wanted it reviewed.
By Tim Holman on Jun 6, 2008
I would say an ATM is in scope as it is directly connected to the cardholder network, and that a kiosk as mentioned in the standard refers to a publicly available device that is directly connected to the cardholder network. For example, an e-ticketing machine, parking meter etc.
An internet enabled machine in a web cafe or mall isn’t a kiosk to the true intent of the standard.
By DW on Jun 6, 2008
Do you think that kiosk software, such as Provisio SiteKiosk, needs to be PCI compliant if set up as mentioned above (kiosk provides web browser w/ access to single e-commerce site)?
By MBridge on Jun 7, 2008
If a web-facing kiosk that can access merchants' sites needs to be PCI compliant, then shouldn't every computer at Kinko's as well? They can all access any website on the Internet, including merchant sites. This does not seem to be a good case for needing PCI compliance.
The issue it appears is really about those kiosks that also sit on the POS network as the author stated. Those should be treated as any other POS device.
The question should then also be about the physical security of the devices. If they are at a mall for example then odds are a mall security guard has no idea who should be accessing the machines and in what manner (unlike ATM machines at a local bank).
Today this is not such an issue. In the future however we may see a major increase in this type of kiosk based on how efficient they are for merchants and retailers.
http://www.mbridge.com
By Michael Dahn on Jun 10, 2008
Fred and Tim, I agree and ATMs are within scope for PCI DSS compliance. What some people forget is that they are also in scope for PCI PIN compliance as well.
ATMs and debit transaction systems are like the wild west of payment systems. Yes, people are securing them, but due to the large number of resellers and managers they are hard to standardize. So far most attacks have been at the POS but more and more attacks have and will occur at the PIN pad device.
We need to be aware and watchful - and have a PCI PIN audit annually.
By Michael Dahn on Jun 10, 2008
EK, if that kiosk was properly segmented from all in-scope networks you could have removed it, but I’m glad the merchant wanted it reviewed.