PCI Out of Scope EMV Compliant Jewelry POS - How It Works

As mentioned in an article last month, version 6.0.0+ of BusinessMind Software for Jewelers POS module supports integrated EMV payments via terminals available through a certification with TSYS Merchant Solutions.

An interesting fact is that the integration mentioned above is also out of scope for PCI. While integrated card payments have always been available in the BusinessMind Jewelry POS, this latest release is a leap forward in terms of offering ease in dealing with both PCI and EMV. Here is a look at how it is different.

The Old Way

In the past, most jewelry POS integrated card payment systems consisted of a USB connected card swipe, a merchant account, and a connection to that merchant account from the POS, usually over the internet.

The basic process went something like this:

1. The sales clerk swiped the customer's card. The reader sent the data in the card's magnetic strip to the POS.
2. The POS read the track data and constructed a Payment Authorization Request.
3. The POS sent the Payment Authorization Request to the Payment Gateway.
4. The Payment Gateway processed the payment request and returned an authorization or a decline response to the POS.

The issue with this method (besides EMV) is with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requires all companies that handle card data in any way to maintain a secure environment. However with this method, the card data is exposed at various steps making it easy to steal by hackers, disgruntled employees, etc, hoping to sell or use the card data for personal gain.

In an effort to limit this in recent years (pre-EMV), many merchant account providers redesigned their gateway interfaces so that card data would be submitted in an encrypted format. In this approach, the merchant account provider would supply to merchants, card swipes which were pre-injected with secret encryption keys. The role of the POS software remained roughly the same except that the data it received from the swipe was encrypted and passed along to the payment gateway as part of the payment authorization request. While this made things better in terms of PCI DSS, it still contained vulnerabilities.

The New Way - Out-of-PCI-Scope, plus EMV!

With the latest implementation of integrated payments, payment terminal devices replace card swipe readers and are sourced from the merchant account processor. These terminals typically have screens, keypads, and may also support signature capture and other features (NFC, Apple Pay, etc). Most importantly, they are programmed to communicate, in an encrypted format, from the card scan point, direct to the processors gateway without any intervening routes or systems. Handling POS integrated payments now goes something like this:

1. The POS initiates a request for payment to the Payment Terminal Device, indicating the required amount.
2. The Payment Terminal Device uses its screen to prompt the customer to scan their EMV capable card and confirm to proceed with the payment authorization. If a pin is required, the payment terminal device will also prompt for it and allow the customer to enter their pin on the keypad.
3. The Payment Terminal Device sends a Payment Authorization Request to the Payment Gateway.
4. The Payment Gateway processes the payment request and returns an authorization or a decline to the Payment Terminal Device, which then passes on the relevant information therein to the POS.

This process has the advantage of leaving the jewelry store and the POS out of scope for PCI since neither are required to handle customer card data at any step. Payment terminal devices can be mounted in a customer-facing fashion letting payments originate from the customer directly. 

It's easy to see why this simple and logical approach is the primary way to have integrated payments with the BusinessMind jewelry POS.

Other BusinessMind Specific Advantages

There are also other advantages relevant to BusinessMind Software for Jewelers and the TSYS certification that are worth mentioning. The payment terminals in this configuration can be used by the usual PC based jewelry POS, as well as the upcoming iPad-based jewelry POS because these terminals are ethernet connected devices that are IP addressable. This also means that a single payment terminal can be shared by multiple POS stations which can help reduce the total cost of terminals, (though payment transactions can obviously only be processed one at a time).

Raffi Minassian

Chief Codesmith, Technology Obsessor, and Founder of DCIT Corporation. I also teach Kung Fu, play guitar, snowboard, and enjoy good beer. (Not all at once.)