POS and PCI DSS Compliance – Opinion

By | December 6, 2022

POS and PCI DSS Requirements

We recently did an article on Grocery Stores, Self-Checkout and Accessibility. We also echoed this article on LinkedIn.

Here is an additional viewpoint on this complex issue.

I have been covering recent news articles on accessibility and supermarkets.

I like POS devices; however, there are two classes of them (according to the PCI SSC). One is your usual attended Verifone/Ingenico, which barely supports audio but provides nice graphics. The second is the OEM mount, which is CAT-certified (Cardholder Activated Terminal). It costs a bit more than its more common tabletop counterpart. In previous years the installation and servicing of OEM CAT terminals had the PCI requirement that it be done under the principles of split knowledge and dual control in order to commission the devices into service. This carried an increased cost in both tools and labor. The PCI SSC removed this criterion in PCI PTS Version 5, which is the specification that governs credit card payment hardware.
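The split-knowledge and dual-control principle mentioned above, as an added illustration that is not the author's code and not the PCI PTS key-loading procedure itself (which is considerably more involved): each key custodian enters one key component and records only the check value of their own share; the combined key is the XOR of all components, so no single custodian ever sees or can assemble the working key. The component values are constructed for the example, and the key check value convention assumed here is the first three bytes of an AES encryption of an all-zero block.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Component is one custodian's share of the clear key. Under split knowledge
// each custodian holds exactly one component and never sees the others;
// under dual control no single person can assemble the full key.
type Component struct {
	Custodian string
	Hex       string // key component as entered at the key-loading session
	KCV       string // check value the custodian recorded for their own share
}

// KCV returns a key check value: the first 3 bytes (6 hex digits) of the AES
// encryption of an all-zero block under the key. It lets a key be verified
// without the key itself being displayed or written down.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// Combine XORs the components into the working key. It refuses a single
// custodian (no dual control), mismatched component lengths, and any
// component whose KCV does not match what its custodian recorded, so a
// mistyped share is caught before anything is loaded into the terminal.
func Combine(components []Component) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("split knowledge requires at least two custodians")
	}
	var key []byte
	for _, c := range components {
		raw, err := hex.DecodeString(c.Hex)
		if err != nil {
			return nil, fmt.Errorf("%s: bad hex: %w", c.Custodian, err)
		}
		kcv, err := KCV(raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", c.Custodian, err)
		}
		if !strings.EqualFold(kcv, c.KCV) {
			return nil, fmt.Errorf("%s: component KCV mismatch (computed %s, recorded %s)", c.Custodian, kcv, c.KCV)
		}
		if key == nil {
			key = make([]byte, len(raw))
		} else if len(raw) != len(key) {
			return nil, fmt.Errorf("%s: component length %d != %d", c.Custodian, len(raw), len(key))
		}
		for i := range raw {
			key[i] ^= raw[i] // XOR combination: every component is needed to recover the key
		}
	}
	return key, nil
}

func main() {
	// Constructed components for illustration only; real components are
	// generated randomly and delivered to each custodian separately.
	shares := []string{
		"00112233445566778899AABBCCDDEEFF",
		"FFEEDDCCBBAA99887766554433221100",
	}
	var comps []Component
	for i, s := range shares {
		raw, _ := hex.DecodeString(s)
		kcv, _ := KCV(raw) // each custodian checks only their own share
		comps = append(comps, Component{fmt.Sprintf("custodian-%d", i+1), s, kcv})
	}
	key, err := Combine(comps)
	if err != nil {
		fmt.Println("key load refused:", err)
		return
	}
	kcv, _ := KCV(key)
	fmt.Printf("combined key loaded; KCV %s (the key itself is never displayed)\n", kcv)
}
```

The final KCV is what gets compared against the value on the key's paperwork; the clear key never appears on a screen or a form, which is the point of the ceremony that the attended tabletop terminals avoided paying for.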

If the terminal is unattended, the OEM mount is supposed to be used, typically in unattended and unassisted settings. Think of McDonald's kiosks mounted on the wall facing airport passenger traffic.

McDonald's Airport Kiosk

Visa and Mastercard are supposed to impose penalties for the use of attended terminals in unattended mode, but the big boys negotiate liability mitigation conditions allowing them to use a single device enterprise-wide (including unassisted/unattended). In the eyes of the PCI Security Standards Council, which is made up of industry professionals from participating companies such as Visa and Mastercard, there are only attended and unattended terminals. However, some large retailers have successfully lobbied their credit card processor to allow the use of attended devices on self-service kiosks. In these instances the processors have given conditional approval based on the understanding that an agent of the merchant who is responsible for the health and security of the kiosks is present and available to assist users. They coined this gray area "semi-attended."

I should probably check in with RNIB and see if they have made any progress on "PIN on Glass". PIN is a much bigger deal for the UK. It gets complicated quickly, as you can't just call out the digits of the security code as they are pressed. RNIB has been struggling with this for years to no avail. New biometric authenticating cards are making their way to consumers. This obviously would be great for visually impaired people, as they would no longer need to enter a PIN. The card does a thumbprint read. See here: https://www.yahoo.com/now/stmicroelectronics-achieves-emvco-certification-biometric-140000383.html. Here is the PDF on "Biometric System-on-Card" by ST. For more information on POS solutions like this we recommend contacting David or Rob at UCP Inc.

Normally the PIN is entered on the PIN pad of the POS device for reasons of PCI compliance. PINs should only ever be entered into a PCI PTS-approved payment terminal. PTS stands for PIN Transaction Security.

In 2021 Ingenico incorporated polyphonic audio into its POS devices (rather than just a beep). Better describing or narrating the type of transaction, either on the POS device or via API to the touchscreen (think supermarket checkout and cashback), would be a step in the right direction.

Meanwhile, QSRs (quick-service restaurants) and others get to ignore regulations with a device that is the crucial half of a two-part equation, working in tandem with a touchscreen application.

They all like to push that nonsense into the convenient deflection bucket of "well, kiosks are essentially unregulated and manufacturers don't include accessibility". The fact is that supermarket checkouts are only "kiosks" in some figurative/functional sense. They are NOT kiosks made by kiosk manufacturers. It is much easier to pick on them than to cross a big potential client like Walmart or Kroger.

The fact is that Walmart/Aldi/Tesco/Kroger are fine-tuning their hybrid "customer-facing" POS systems for maximum speed of transaction and lowest cost, and relegating accessibility litigation to the "cost of doing business" accounting column.

And don't forget that debit cards in the U.S. are still the dominant payment card, and also the least likely to include contactless capability.

If those writers really wanted to finger the offenders in supermarkets, they should start with the Walmarts/Tescos/Aldis/Krogers of the world and include "enablers" such as NCR and Toshiba.

Accessibility Advocates Are Missing The Bus

Another problem is that accessibility advocates tend to spend all their energy on websites and informational browsing. That relates to WCAG and W3C, and while important, it should not swallow up all the oxygen. Making it easier for the disabled to pay for things is going to increase those metrics, and major corporations care about information, but they care a lot more about revenue.

US Access Board Comments

For more information on NCR's stance you might want to read their comment (ATBCB-2022-0004-0054_attachment_1-NCR-compressed) to the U.S. Access Board ANPRM in November 2022. Another point of view is the American Bankers Association comment (ATBCB-2022-0004-0060_attachment_1-ABA), which seems to discourage any improvements in accessibility.

Related — New Grid overlays for visually impaired consumers available for Ingenico Self-series terminals