by bravo22 4244 days ago
Well, here is my big question: WHY ARE YOU STORING CARD DATA AT ALL? (sorry for the caps). You are a pass-through entity; merchant terminals do not store card data. They keep the authorization number from the upstream provider to allow void/refunds, but there is no need for them to store the number.

With respect to the anti-tamper mechanism, are you FIPS-140-2 certified, or do you plan to be?

1 comments

We aren't storing actual card data, encrypted or otherwise. As you said, we are a passthrough as far as the payment portion is concerned. We do store a hashed representation of the card for things like refunds (referenced credits).

Our security subsystem is being built to be FIPS 140-2 Level 3. Complete with tamper seals, switches and a security mesh that will destroy sensitive keys when triggered.