3

When I walk into some businesses, I see them using Shopkeep on an iPad.

I don't understand how this is PCI compliant, as the iPad itself would be in scope, and it can send unconstrained traffic to the internet. Having any device running a full OS connected to the internet at large seems like a vulnerability.

Perhaps reframing my question... how can any of the systems that involve swiping a card through a device connected to a tablet be PCI compliant? This seems to violate common-sense security practices where you want to keep the attack surface as small as possible.

In case this gets closed for calling out a vendor, I actually called Shopkeep to better understand, and they could not provide a suitable answer. In fact, I was told that the iPad would not be part of the card data environment, but that's false by my reading.

ToBeReplaced

4 Answers

3

Well, the first thing you'd do is put the iPad in "Guided Access" (single app mode) so that the only app that can be used is whatever point of sale software you've got on there.

Next, put it on an isolated network segment that doesn't have external access and is properly secured, and you can actually have a pretty secure setup. At least as secure as typical point-of-sale systems, which are quite frequently lower-spec PCs running Windows.

Finally, there are a lot of MDM (mobile device management) systems and iOS configuration management systems out there to lock them down further. As mentioned previously, many point of sale systems are actually Windows PCs. If you can lock those down to make them PCI-compliant, why wouldn't you be able to do the same with a device running a different operating system?

HopelessN00b
  • I (incorrectly) assumed that PoS providers had all aspects of their systems certified; both the hardware and the specific combination of operating-system-and-vendor-supplied-software. Network segmentation and guided access sound like good ideas for any staff application, even if they aren't handling cardholder data. – ToBeReplaced May 31 '16 at 05:29
3

Encryption at Card Swipe protects the iPad from being in scope.

A lot of card swipe hardware these days is configured to encrypt the card details using the public key of the card processor. The iPad simply passes the encrypted blob along; the merchant and the iPad do not have the private key required to decrypt the blob. Therefore, the merchant is never handling unencrypted card data and the iPad is not in scope.

Consider this text from the Shopkeep-recommended iDynamo 5 Lightning (emphasis mine):

Securely accept credit card payments with this small reader that connects directly through the charging port of your iPad 4, Air or mini

This reader works exclusively with ShopKeep and encrypts transactions at the point of swipe for maximum data security.

Now, not all card readers do this. And for those the merchant is responsible for doing what's necessary for protecting in-scope systems. It's fair to say that a PCI-compliant iPad card station won't be "connected to the internet at large..." How that's achieved is a matter for the merchant.

gowenfawr
  • So, transmitting encrypted card data without access to a decryption key is out of scope? Is there a specific reference I can use? The following gets part of the way, but only talks about storing the data, not transmitting it: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-encrypted-cardholder-data-in-scope-for-PCI-DSS? – ToBeReplaced May 31 '16 at 05:26
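The property this answer relies on, and that the comment above asks about, is that the tablet only ever handles data it cannot decrypt. The Go program below is an added illustration, not code from the original answer, from ShopKeep or from the reader vendor, and it does not reproduce the iDynamo's actual key-management scheme, which this page does not describe. It substitutes a simple hybrid construction: the reader generates a fresh AES-GCM key per swipe, wraps it with RSA-OAEP to the processor's public key, and hands the tablet only the wrapped key, the ciphertext and a masked PAN for the receipt. The track-2 string uses a well-known test card number and is constructed for the example. `TabletSeesPAN` plays the part of malware on the tablet looking for cleartext card digits, and `ProcessorDecrypt` shows that the processor both recovers the data and rejects a blob the tablet has altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SampleTrack2 is a constructed track-2 string built on a well-known test PAN,
// not a real card: PAN, '=', expiry (YYMM), service code, discretionary data.
const SampleTrack2 = "4111111111111111=25121011234567890"

// SwipeBlob is everything the reader hands to the tablet. Nothing in it can be
// turned back into the PAN without the processor's private key.
type SwipeBlob struct {
	WrappedKey []byte // per-swipe AES key, RSA-OAEP encrypted to the processor
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // track data sealed under the per-swipe key
	MaskedPAN  string // last four digits for the receipt; also bound as GCM AAD
}

// MaskedPAN takes the PAN (digits before '=') and keeps only its last four
// digits, which is all a receipt needs. Assumes a PAN of at least 4 digits.
func MaskedPAN(track2 string) string {
	pan, _, _ := strings.Cut(track2, "=")
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt models the reader firmware. It is provisioned with the
// processor's public key only, so it can seal card data but never unseal it.
func ReaderEncrypt(processorPub *rsa.PublicKey, track2 string) (SwipeBlob, error) {
	dek := make([]byte, 32) // fresh data-encryption key for this swipe
	rand.Read(dek)          // crypto/rand.Read is guaranteed not to fail in Go 1.24+
	gcm, err := newGCM(dek)
	if err != nil {
		return SwipeBlob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	masked := MaskedPAN(track2)
	ct := gcm.Seal(nil, nonce, []byte(track2), []byte(masked))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, dek, nil)
	if err != nil {
		return SwipeBlob{}, err
	}
	return SwipeBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, MaskedPAN: masked}, nil
}

// TabletSeesPAN models malware on the tablet scanning everything the POS app
// handles for the cleartext PAN. With encryption at swipe it returns false.
func TabletSeesPAN(b SwipeBlob, pan string) bool {
	return strings.Contains(string(b.WrappedKey), pan) ||
		strings.Contains(string(b.Ciphertext), pan) ||
		strings.Contains(b.MaskedPAN, pan)
}

// ProcessorDecrypt models the payment processor, the only holder of the
// private key. GCM authentication also rejects any blob the tablet altered.
func ProcessorDecrypt(priv *rsa.PrivateKey, b SwipeBlob) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return "", fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.MaskedPAN))
	if err != nil {
		return "", fmt.Errorf("track data or receipt digits altered: %w", err)
	}
	return string(pt), nil
}

func main() {
	processorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only; error ignored
	blob, err := ReaderEncrypt(&processorKey.PublicKey, SampleTrack2)
	if err != nil {
		panic(err)
	}
	fmt.Println("receipt field on tablet:", blob.MaskedPAN)
	fmt.Println("tablet can see the PAN:", TabletSeesPAN(blob, "4111111111111111"))
	track2, err := ProcessorDecrypt(processorKey, blob)
	fmt.Printf("processor recovered %q (err=%v)\n", track2, err)
	blob.MaskedPAN = "************9999" // tablet tries to swap the receipt digits
	_, err = ProcessorDecrypt(processorKey, blob)
	fmt.Println("processor accepts altered blob:", err == nil)
}
```

Two points follow from the model. Binding the masked digits as GCM additional data means the tablet cannot even change what the receipt shows without the processor noticing, so the tablet's role is genuinely limited to transport. And the property holds only for data that enters through the reader: anything typed into the app on the tablet screen never passes through the reader's encryption, so a manual-entry path would have to be assessed on its own.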
0

To be PCI compliant with a Shopkeep POS system, one should follow the steps below.

  1. Every retailer should have POS security that doesn't store any cardholder data, and should stay away from point-of-sale malware.

  2. Next is choosing a PCI-compliant web host that provides a virtual private or dedicated server, which protects customer data from being stolen.

  3. Using dial-up terminals instead of IP terminals, and using a separate network for payment processing, would also make your Shopkeep PCI compliant.

  4. Securing mobile card readers.

-1

I really don't see what confused you. This is another form of POS device that needs to be managed according to the PCI requirements.

Why do you think it's different from any other cashier that customers swipe a card through?

BokerTov
  • The confusion for me was "how come it is okay to have PoS system where the user can do all of these other things that could compromise the device's security"? As an example, a Verifone VX520 over a phone line would be clearly different, as its software is provided by the vendor and cannot be modified by the user. Moreover, it is not transmitting via TCP. – ToBeReplaced May 31 '16 at 05:32