KioWare and PCI Compliance

  • Type: White Paper
  • Author: Jim Kruper
  • Date: January 2013

The following is a truncated version of our PDF guide listed alongside this article. Please download the PDF for our full Implementation Guide.

Introduction

For deployers handling credit card information, PCI compliance is a primary concern, and when KioWare is part of their solution, we are asked whether KioWare is PA-DSS validated. On June 29, 2011, the PCI Security Standards Council (PCI SSC) published a list of requirements meant solely to minimize the number of applications eligible for validation under PA-DSS. The second item on that list directly affects KioWare:

"#2 – Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement?"

What Does This Mean?

Interpreted as broadly as the PCI SSC has interpreted it, the above requirement makes it impossible for KioWare, or any kiosk system software, to be PA-DSS validated. Despite KioWare having been successfully evaluated to PA-DSS testing standards, the PCI SSC now believes we don’t need to be validated. We believe this to be very short-sighted because it provides an easy out for both unscrupulous and ignorant deployers and software vendors. By not being certified, software vendors are not required to publish an approved PA-DSS Implementation Guide, which details to deployers everything they need to know to ensure PCI compliance.

Why the PCI SSC believes this policy is good for industry-wide PCI compliance is hard to understand. The only guidance PCI SSC provides is that applications ‘not eligible for PA-DSS validation would be included as part of an entity’s annual PCI DSS assessment to ensure that the application is compliant with all applicable PCI DSS requirements.’ How an entity is expected to perform that task is left unanswered. We think the credit card payment industry deserves better.

On the one hand, the fact that many of the PA-DSS requirements don’t apply to software such as KioWare may be a reason for the PCI SSC’s decision. But on the other hand, there absolutely are ways to implement KioWare that are not PCI compliant and it is only by following the KioWare PA-DSS Implementation Guide that a deployer can be certain that KioWare is contributing to their overall PCI compliance – not hurting it.

How to Cope?

Until the PCI SSC revises their policy, deployers should only work with software vendors who have had their software evaluated by a qualified Payment Application testing lab to the same PA-DSS standard as if they were submitting to the PCI SSC. This will ensure that a valid PA-DSS Implementation Guide exists. For deployers, this will be more difficult because they can no longer search one list for all approved applications, but now must individually query vendors who are not on the list. And as alluded to above, it will be easy for an unscrupulous software vendor to dupe unsuspecting deployers, and equally easy for unscrupulous deployers to pass the buck.

Refer to the PDF, which includes an attached letter of validation from our certified Payment Application testing lab as well as our PA-DSS Implementation Guide, for more information about using KioWare in a PCI compliant system. For more information on the PCI SSC’s position, see https://www.pcisecuritystandards.org/documents/Applications_Eligible_for_PA-DSS_Validation.pdf.

Summary

Until the PCI SSC reverses their position and allows KioWare (and similar software) to be PA-DSS validated, deployers should only work with software vendors who have had their software independently tested to PA-DSS standards and include a PA-DSS Implementation Guide. If there are any questions about the Implementation Guide, contact the software vendor before deploying into production.

[PDF Implementation Guide updated 3/22/2012]
