That's not correct. The QSA will validate that the device does not store PIN codes or that the merchant does not store anything they are not allowed to.
Devices that accept cards need to comply with PED/PTS security requirements including very strict physical security requirements which are validated by PCI council approved laboratories and firms.
The POS and the PED/PTS aren't the same thing. The POS can complete the transaction without touching the credit card; in fact most of them do exactly that. The only thing it does is communicate with the PED/PTS to send the amount and get a confirmation/denial.
It's not. CNP doesn't use the PIN, it uses the CVV2. You also can't use the chip-and-PIN or track 2 swipe data for a CNP transaction.
I think the GP is confused about how a POS works. A POS isn't a POI; most of them don't touch the credit card, they just talk to the reader. Most readers today are P2PE closed-loop solutions, so the only thing the POS does is send to the reader "charge the next card $X"; the reader will then reply whether the transaction went through or not, and that's it.
The reader itself will talk to the acquiring bank or the payment provider in a point-to-point encrypted closed loop, and the merchant would never see any credit card details.
SAQs don’t involve QSAs.
They are also intended for merchants, which are a rounding error. Also, there is no SAQ for PA, PED, PTS etc. certifications, only for merchant PCI-DSS.
You can totally fake your way through PCI audits. I know of a company that did it for years using a fake network and servers. Not sophisticated at all. Most auditors do not find all of the compliance violations. They have one person do it. It's all about money.
You can fake a lot of things, so what? That's not the point. Also, PCI DSS is pretty crappy, but the hardware vendor, payment provider and P2PE certifications are a completely different story; good luck faking it.
Sure, you can send fake devices to be certified and sell something completely different, but the same can be said for any certification, and if you get caught, boy oh boy...
Wrong. PIN codes are entered into a damn mobile app and passed through an API. Billions of times per day. You guys are clearly missing the card servicing aspect of the industry.
Devices that accept cards need to comply with PED/PTS security requirements including very strict physical security requirements which are validated by PCI council approved laboratories and firms.
You are not getting a device on the market or usable with any merchant network without complying with this: https://www.pcisecuritystandards.org/documents/pos_ped_secur... and a few other standards.