I’m not sure which Stack Exchange site this would be best suited to so please move me if needed.
So my clients came to me with their eCommerce kiosk running Internet Kiosk Pro. The kiosk accessed their normal eComm store which was a very bad idea and we are working on a kiosk friendly store now.
In looking at the kiosk software I found it is Russian in origin and (call me a bigot) but I’m a little concerned by that given the amount of bad press around the Russian Mob and credit card scams.
Does anyone have good intel on Ixis Research LTD?
Anyone know of a set of kiosk software they feel is verified as secure and made by reputable folks?
Am I being paranoid to worry about this? I feel strongly that this “black box” could be a tool to collect valuable private information.
// 8.24.2012 Update
One last comment on this- Authorize.net “certifies” Provisio’s SiteKiosk but if you ask Provisio about PCI compliance you get a stock letter about how that isn’t their problem and is not germane to their product. This mishapen sentence pasted in from their document: “PCI compliance to a large extent deals with storing and securing cardholder data. SiteKiosk does not store any cardholder data which eliminates the need for the store and secure cardholder data. The customer data is stored, transmitted, and processed through the payment gateway.” They do go on to say that you should get your own certification for the kiosk machine, network hardware and config, and software on the machine. They do not offer any third party analysis or certification as proof their product is secure.
Normally any software application that is handling credit card account data should go through PCI-DSS audit by a certification company that will perform a set of tests on the software and provide a report on any ways that the software failed the audit.
Here is a description and documentation on the PCI standards. I have worked with an auditing firm called Coalfire with the point of sale application with which I work.
So the first question is whether the kiosk software has been through the PCI-DSS compliance audit or not. The major credit card vendors are getting more and more sticky on this point.
After reading about STUXNET and other types of malware, I am not so sure that firewall restrictions will make much of a difference since after all you are installing and configuring the software per the instructions from the vendor including any firewall configuration changes the vendor requires.