This is page 2 of:
Wal-Mart’s Kiosk Trial Raises Serious PCI, Data Ownership Issues
May 27th, 2009
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units that buy back used video games and issue credits directly to various payment cards. The initial trial is entirely isolated, with the kiosk vendor having access only to its own network and not to Wal-Mart's. But the $375 billion chain is officially considering having the machines offer in-store credits in the form of gift cards, which would mean allowing the kiosks two-way access to POS and potentially CRM data. That would force some serious strategic debate about how far outside vendor kiosks can—and should—be allowed to play inside a retailer's databases.
The initial version of the kiosks collect payment card information as well as drivers license data. Even setting aside the potential future POS/CRM access, the payment and highly-sensitive driver's license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both from a legal and PCI perspective?
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
3 Comments | Read Wal-Mart’s Kiosk Trial Raises Serious PCI, Data Ownership Issues
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
May 27th, 2009 at 9:20 am
Thanks for exploring these issues. Nice article. My guess is the credit card readers are standard HID and possibly keyboard wedge (though we hate to think that). Something to be said for the new magteks which actually do do the encoding of data at the head and eliminate encoding by software (and uses magensa service to decode). Those options might be gaining momentum just in terms of plausible denial so to speak.
May 28th, 2009 at 7:03 am
In Turkey, credit payment systems are really hard to implement in selfservice kiosk systems. Almost every bank has its own loyalty program and customers are very addictible for them. And also PCI and EMV rules are quite strong in payment systems. So Security and privacy is not first issue but integrity is main problem so as to solve.
May 28th, 2009 at 2:30 pm
Interesting article! Dealing with big box stores can be difficult especially in balancing the visual perception of who is delivering the service in store. Point taken that WM will be on the hook for whatever the kiosk does or does not do, in the eyes of the public. It is essential to mesh the policies of the the host retailer with the policies of the provider. Trust of our clients can not be betrayed at any point or our kiosk projects will definately fail.