Retailers, such as grocery stores, department stores, and restaurants, process thousands of credit card, debit card, and gift card transactions per day. One requirement for doing so is compliance with the Payment Card Industry Data Security Standard, also known as “PCI DSS,” or simply “PCI”. Ensuring that a retailer's payment processing computers, cash registers, back office servers, and credit card terminals comply with PCI can be time-consuming and expensive. Various technical and non-technical standards and practices must be followed for PCI compliance, and the retail location can be subject to frequent assessments and auditing.
Components of a retail system which handle secure payment information, also known as “cardholder data”, must meet the requirements of PCI. These components may be referred to as “within PCI scope”. Components that do not handle secure payment information may be referred to as “outside PCI scope”. Similarly, information whose processing and transmission would mandate that the hardware and software infrastructure handling said information fall within PCI scope may be referred to as “PCI scope information”, whereas information whose processing would not subject the underlying infrastructure to PCI scope may be referred to as “non-PCI scope information”.
Typically, a retail location which has more than one point of sale location, such as numerous check-out lanes at a department store or grocery store, has the following payment processing infrastructure: a cash register which provides a user the ability to sum the total amount of purchases for the transaction; a credit card terminal for inputting payment card information; and a back office server that manages the various cash registers and credit card terminals, and which is relied upon for the processing of payment transactions.
Restaurants may similarly have multiple point of sale locations for effectuating the processing of payment transactions. Rather than a check-out lane, a waiter may take your payment card to a kiosk for processing the transaction. Said kiosks may similarly have a computer that may act as an electronic cash register and a credit card terminal. Sometimes, rather than a kiosk, a restaurant may have mobile wireless credit card terminals which a user may use to process a payment transaction.
In standard setups, the entirety of the retail location's payment system infrastructure must be within PCI scope, including the cash registers, the credit card terminals, and the back office computer systems. Often, the back office computer systems track transaction processing and are responsible for communicating with a remote authorization service in order to authorize the transaction. Since in traditional setups all of these items fall within PCI scope, a retailer can be expected to spend substantial amounts of resources, time, and money in assuring PCI compliance across the entire system.