[TomMarius]

Most (European) terminals don't even proxy to computer, they're completely independent devices connected to wifi that communicate directly with bank. The connection to computer is used only for "1 EUR" and "OK"/"FAIL" kind of messages and are completely optional.

[dogma1138]

Even on P2PE terminals the PoS is in scope of the PCI-DSS if not the PA-DSS certification (alright I’m not sure how any PoS vendor will fly without PA) as they do (or can) pass some CHD through it even if it’s not the card numbers or the track data.

CHD under the PCI standards also covers PII card holder information which does reaches the PoS for handling refunds, managing promotions, club membership etc.

Even vPOS applications like those tiny card readers that hook to an iPAD as the PoS do a lot of leg work despite of them being P2PE. They check for root, they check for iOS version (security update) they check for proxy etc. That’s all part of the PA-DSS certification for the application developer.

While it’s possible that a retailer who’s big enough so VISA can’t say we won’t gonna allow you to take payments with our cards, and the fines are smaller than the cost of adopting compliance to use these.

I wouldn’t imagine any PoS vendor even going with that since it would essentially put them at huge risk from both the PCI standpoint and general reputation damage.

As for certifying these there isn’t a single PA or PCI-DSS QSA out there that would accept ReactOS as a useable operating system because if something goes wrong the QSA is liable if they certified something they shouldn’t have.

[TomMarius]

No, you don't understand me. The terminals I'm talking about are completely independent, a computer is a peripheral to them, not the other way around (that's how it is with the ones you're talking about).

These are specifically marketed by banks as not requiring any certifications of the PoS.

[dogma1138]

Those are P2PE terminals which can be used in this manner but it’s not upto the banks who offer them to define that.

If the acquirer bank and the QSA accepts that your use of these terminals is sufficient then sure go a head but that means you don’t intake any PII via the PoS and you don’t use the credit cards to identify members and don’t use those terminals to scan non CC based membership cards, and you have no PII at all which means handling things like refunds and warranty is also not done via the PoS.