PSA: Your old payment kiosk vendor is compromising your information security
By Matt Johnson, Director of Solutions Engineering
When we talk to new government and utility clients about payment kiosk security, they’re often worried about the cash box inside. (CityBase payment kiosks use an industry-leading cash vault — it isn’t going anywhere.) It’s a reasonable question, but it’s not the most important question when it comes to kiosk security.
Much more valuable than a few days’ worth of cash revenue is the personal identifying information (PII) of your customers: account numbers, names, addresses, and contact information.
Here are a few ways the old technology used by some payment kiosk vendors is compromising your information security.
Customer information stored on a kiosk machine is vulnerable to security threats
Some vendors install kiosk software onto a computer inside the kiosk machine. This provides an added physical security risk to the machine.
If someone breaks into the kiosk and takes that computer, they may be able to access sensitive customer PII.
CityBase kiosk software is entirely cloud-based. No customer information is ever stored on a kiosk machine. Additionally, we leverage Amazon Web Service’s excellent security tools and our own custom-built traffic inspection pipeline to proactively detect and block malicious actors.
Security patches should be continuously updated on payment kiosk software
When kiosk software is run locally on a computer within the machine, it’s also difficult to upgrade that software. It might require a technician to physically visit each and every kiosk to install security and vulnerability updates. This costs you added time and money, in addition to the security lag you’ll experience.
Another benefit to CityBase’s cloud-based kiosk technology is that we remotely install continuous updates to our software without any downtime to clients. Most modern applications have automatic vulnerability scans. As these become available, we push them live immediately to our entire kiosk network, sometimes on a weekly basis.
Processing card transactions outside of your network drastically reduces your PCI security scope
We’ve seen many old school kiosks that are connected using hard-wired ethernet cables to process card transactions. Beyond being physically cumbersome, this also means that you are shouldering the full burden of PCI compliance, the security standard set forth by the Payment Card Industry (PCI) Standards Council for any organization taking card payments.
With CityBase, you can put kiosks anywhere with a power outlet and cellular service. All kiosk transactions run via our own secure cellular network, keeping clients out of PCI scope for card payments made on their kiosks. As a PCI Level-1 compliant payment platform, CityBase also exceeds the security criteria set forth by the PCI Data Security Standard.