I have been very disappointed reading your article in the January 2015 issue of Parking Today on page 14. The article discussed the recent Datapark PCI-related breach that occurred in over 80 locations across the US.
The overall issue is that manufacturers of PIL/POF equipment fundamentally ignore the fact that someone along the way has to be the credit card processor. Typically the manufacturers “brush off” inquiries and refer to their PCI PA-DSS certificate, which they had to obtain to even be able to process credit cards (and for the merchant to obtain a merchant account from their clearing house). What they don’t mention is that the actual deployment of any such system has to meet or exceed overall PCI DSS 3.0. This is a much more difficult task, as we are now talking about segregated networks, quarterly vulnerability scans, centralized logging and monitoring, and proper password and access management. No one seems to really understand that practically 9% of all deployments of PIL/POF equipment in North America are not PCI DSS compliant.
It is typically the merchant who has to deal with it, as the merchant is contractually on the hook with the card brands via the clearing houses.
PIL/POF manufacturers ignore the fact that there are solutions out there that would address the issue(s). The multi-space pay station guys showed them how to do it years ago! Another method would be the use of a P2PE encryption service for the card reader; e.g., CreditCall or Transaction Services can provide such a feature.
Let me know if you have further questions, thanks,
Christoph Jan Sepp
Director, Business Solutions
Impark