Developing an open source terminal, which readily accepts new payment applications for loyalty, inventory management and appointment setting, might be anathema to a properly hardened PCI compliant device. The Payment Card Industry Data Security Standard (PCI DSS) is a technical standard directed at protecting credit and debit card data, commonly referred to as ‘cardholder data’. By securing cardholder data while it is processed, in transit and at rest, we can lower industry costs and build credibility with the Card Networks and with consumers.
The industry has been left perplexed, however, by the FBI raid on a PAX location. As reported in PAX’s press release:
“On 26 October 2021 (Eastern Standard Time of the United States (the “U.S.”)), officers from the Federal Bureau of Investigation (FBI) and the Customs and Border Protection of the U.S. executed a court-authorized search to seize certain items at the Florida office and warehouse of Pax Technology, Inc.”
PAX’s press release maintained that its products remain fully PCI compliant:
“The Group’s products and services are subject to, and are certified to be compliant with, the Payment Card Industry (PCI) compliance standards and all relevant laws and mandatory regulations of countries worldwide. They are therefore designed to achieve the requisite industry standards for certain cybersecurity (including online security in connection with malicious software).”
It is important to note that PCI compliance is meant to cover very specific cardholder data which is processed, printed, stored, or transmitted. Loyalty and GPS data might well be sensitive data, but they are not within PCI scope.
Best of breed
Android terminals are critical to FinTech providers and platforms. They integrate their solution with a secure open source device in a manner which renders their software out of PCI scope while still passing less sensitive data. Integrating with an open source architecture can contain expenses, as opposed to utilizing similarly functioning iOS devices and tablets, while allowing for faster time to market and keeping functionality within the terminal.
A smart terminal may have various apps in addition to the payment app. The Clover Mini, for example, is a full POS touch screen but operating on a device which is slightly larger than a normal terminal. Clover allows developers to introduce apps to expand the device’s functionality. These apps can track inventory, maintain employee records, support customer engagement and dynamic discounting while providing ubiquitous and instant customer reporting.
All-in-one devices like the Clover Mini and Poynt’s terminal have tremendous advantages over semi-integrated devices. The terminals are innately paired with the POS and do not need an imperfect technical solution to discover and pair. The hardware costs are much lower, and the devices are mobile.
The road ahead
As magstripe cards are phased out, the actual PCI data is becoming relatively less valuable. Magstripe data, while still available, is less prevalent, and the inherent security within EMV cards is decreasing the potential for counterfeit cards. PCI will continue to exist and be necessary, regardless. The size and growth of card-not-present transactions is enormous, and the fraud crosses borders. This does, however, increase the value of out-of-scope data, which, when paired with card data, allows for a never-ending supply of valid card numbers and credentials.
Module B of the Standard’s Terminal Software Requirements states under Additional Considerations (emphasis in italics added):
“Some assessment procedures in this module require examination of documentation describing the security features and functions of the underlying payment terminal. The terminal software vendor should work with their assessor(s)—as well as the respective payment terminal vendors for each of the devices to be included as part of the terminal software evaluation—to identify and compile all device documentation needed for the terminal software evaluation.”
Fidelity
Obviously, for the payment application to maintain its integrity, the actual hardware needs to be considered for intrusions and jailbreaks. Moreover, much more of the data should be considered highly sensitive, even if it is not PCI data, and the apps and hardware should be designed with that in mind. PCI will likely not expand its scope and mission.
It was designed by the Card Networks to protect cardholder data and to provide the Card Networks a framework to which they could hold their members. Privacy laws, however, are ever evolving and overlap across jurisdictions. Platforms and app developers would be wise to manage all data associated with a transaction as sensitive, and to fully understand which of the vendor’s suppliers and servers the data may be allowed to interface with.
Card terminals will always be a target. Card data will continue to be sought after. PCI data must be treated accordingly. The rise of open source terminals adds both flexibility and functionality, but it comes with added risk. This risk needs to be considered and evaluated in order to maintain the integrity of your solution.