The official explanation from the vendor is that this was an "anti-fraud security setting".
Can anyone familiar with CC processing provide insight on whether that's a reasonable explanation?
Regardless, a problem that requires a "software fix" from the vendor and manual visitations to each individual machine doesn't sound like a mere "setting"
Or a deliberate security measure. Embedded devices often use Harvard architecture, with separate memory for code and data, so not allowing remote updates makes remote code execution impossible.
I don't deal with PCI personally, so $0.02, but we're talking retail or unattended devices here.
I.e. low wage, minimal training, not technically proficient users with unsupervised physical access to the machine
A machine through which a large amount of cash (virtual or otherwise) flows.
The criteria of (a) being updatable by a semi-technical customer & (b) being secure against technically malicious or socially engineered ignorance attacks seem challenging to simultaneously satisfy.
allowing easy update over usb is its own thread model, lessened with only allowing signed updates. Like almost everything, it's likely these parking meters have terrible security design. the parking meter I use commonly is incredibly slow, every button push takes 1/2 a second to update the small lcd ui, I really wonder what it can be doing to be so slow. It's probably using multiple levels of interpolation to run a js program or something.
Can anyone familiar with CC processing provide insight on whether that's a reasonable explanation?
Regardless, a problem that requires a "software fix" from the vendor and manual visitations to each individual machine doesn't sound like a mere "setting"