by rtanaka 4244 days ago
A very valid concern.

To begin with, while our terminal is Android based we have taken numerous steps to lock this device down. Side loading apks is not possible nor is arbitrary access via adb. On top of that, we take great lengths to protect consumer data. In addition to full PCI compliance data is fully encrypted on the device. And if that's not enough, there are several anti-tamper mechanisms that will trigger and lock down the device even further upon physical intrusion.

In terms of physical theft we are actively looking into an option to physically secure the device (think kensington). Our plan is to have a good solution for this before our merchants go live.

3 comments

Well, here is my big question: WHY ARE YOU STORING CARD DATA AT ALL? (sorry for the caps). You are a pass-through entity, merchant terminals do not store card data. They keep the authorization number from upstream provider to allow void/refunds but there is no need for them to store the number.

With respect to anti-tamper mechanism, are you FIPS-140-2 certified or plan to be?

We aren't storing actual card data encrypted or otherwise. As you said, we are a passthrough as far as the payment portion is concerned. We do store a hashed representation of the card for things like refunds (referenced credits).

Our security subsystem is being built to be FIPS 140-2 Level 3. Complete with tamper seals, switches and a security mesh that will destroy sensitive keys when triggered.
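The comment above describes keeping a "hashed representation of the card" so a later refund can be matched to the original card without storing the PAN. The sketch below is an added example written for this thread, not Poynt's code and not a description of how PoyntOS does it: it shows the shape of such a reference token using a keyed MAC (HMAC-SHA256) rather than a plain hash, because a PAN has so little entropy that an unkeyed hash can be matched back to the card by anyone holding the table, whereas a keyed token is useless without the key. The key handling, the `v1` version label and the Luhn-validated normalisation are all assumptions of this example.

```python
"""Keyed card-reference tokens for refund matching (illustrative example, not vendor code)."""
import hashlib
import hmac
import secrets

# Hypothetical key-version label prefixed to every token, so the key behind
# "v1" can be rotated to "v2" without ambiguity about which key produced a stored token.
TOKEN_VERSION = "v1"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def card_reference(pan: str, key: bytes) -> str:
    """Return a versioned HMAC-SHA256 token for the card.

    The token is deterministic for a given (key, PAN), so two transactions on the
    same card produce the same reference, but it cannot be inverted without `key`.
    """
    digits = normalize_pan(pan)
    mac = hmac.new(key, f"{TOKEN_VERSION}:{digits}".encode(), hashlib.sha256).hexdigest()
    return f"{TOKEN_VERSION}:{mac}"


def reference_matches(pan: str, reference: str, key: bytes) -> bool:
    """Constant-time check that a presented card matches a stored reference."""
    try:
        candidate = card_reference(pan, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, reference)


def masked(pan: str) -> str:
    """Display form: only the last four digits survive (what a receipt may show)."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed demo key; a real deployment keeps this inside the secure element / HSM.
    key = secrets.token_bytes(32)
    test_pan = "4111 1111 1111 1111"   # well-known test card number, not a live card
    ref = card_reference(test_pan, key)
    print("stored reference:", ref)
    print("display form:   ", masked(test_pan))
    print("refund match:   ", reference_matches("4111111111111111", ref, key))
```

The point of the design is that the stored value only becomes meaningful in the presence of the key held by the device's security subsystem; a database dump of references alone does not give an attacker card numbers, which is not true of an unsalted SHA-256 of the PAN.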

Assuming that someone managed to not only walk off with the device from a retailer but were also able to gain access to the device itself. What kind of data could be harvested from the device?

First things first; the card data is encrypted on read and the device will soon be PCI certified. So none of the card data will be accessible to anyone on the device.

The transaction data (amounts, items, transaction statuses, etc) is managed by the PoyntOS (owned by Poynt). That data has the necessary authentication and authorization around it to prevent just anyone with the device from having access to it. Only a merchant user logged into the app and with the appropriate level of privilege will be able to access the data.

Finally, 3rd party applications will go through a strict vetting process and will be signed. Therefore, it will not be possible for some fake app to work on the device. Also, PCI requires us to constantly monitor the installed application for any kind of tamper.

Thank you.
You are not PA-DSS or PCI certified. Where are the links to your letters of approval?

We are in the process of both PA-DSS for our cloud services and PCI approval for the device. This is the primary reason we are not shipping to merchants until next year. We have line of sight to certification and we would not (and can not) ship to merchants until this is complete.

Afaik you should have PA-DSS to your app running on top of the Android OS that btw is not PCI. Just PA-DSS to your cloud services considering the architecture you are proposing is not enough. PCI-PTS to your hardware is another problem you are going to face in your certification because you are using a touchscreen 'pinpad'.

It wouldn't be fun if all this was done before. This is uncharted territory and we are not taking it lightly. We have involved the right talent (some payment industry experts) and have designed this carefully. We are confident that we will pass all certifications necessary to satisfy everyone (including our own high standards).