Payment cards, such as credit cards and debit cards, have become a convenient and preferable method of payment at a number of retail environments, including grocery stores, fueling stations, and other retailers. Accepting payment cards as a method of payment subjects these establishments to security standards and regulations promulgated by the Payment Card Industry (“PCI,” also referred to as the PCI Security Standards Council). These standards include the Payment Application—Data Security Standard (“PA-DSS,” also referred to as the PCI Data Security Standard) created in an attempt to prevent fraud and other security issues that arise due to the acceptance of payment cards and the transmission of sensitive information associated with the payment cards, such as account number, account holder information, and personal identification numbers (“PIN”).
PA-DSS sets forth standards and requirements that must be met by both software and hardware components used to receive, store, transmit, or otherwise handle the sensitive information. Additionally, software and hardware components that are unrelated to the portions configured to handle the sensitive information are subject to the PA-DSS if they are part of the same physical device. The software and hardware components that do not handle sensitive information may include portions that are programmed or created to perform functions unrelated to payment processing. Nonetheless, the entire device must be compliant with PA-DSS because it, in part, handles sensitive information.
By way of an example, several components in a retail fueling environment, i.e., a fueling station, are not designed to handle payment card information. For instance, the point-of-sale (“POS”) device may include software components adapted to display a graphical user interface (“GUI”) that provides the station's manager with the ability to set options associated with the POS or the fueling station, such as the appearance of the receipts issued by the station's dispensers. If the GUI includes portions that are considered noncompliant pursuant to PA-DSS, then the entire POS will also be considered noncompliant. This makes it difficult to change any portion of the overall system, because all such changes must comply with PA-DSS even when unrelated to payment processing. The changed device may then be subject to an arduous certification process.