This is page 2 of:
Wal-Mart’s Kiosk Trial Raises Serious PCI, Data Ownership Issues
The devices, built by NCR (which owns a minority stake in E-Play), are now in service on a trial basis at some Wal-Marts in New York, Rhode Island, Connecticut and Massachusetts, said Wal-Mart’s O’Brien.
Currently, the E-Play machines compensate shoppers for used games by depositing money into their credit or debit card accounts. However, O’Brien, E-Play spokeswoman Vicki Greenleaf and CEO Rudy said other forms of dispersing buy-back money, possibly in the form of in-store credit or even Wal-Mart gift cards, might be examined if the kiosks prove to be successful. The company, which also distributes kiosks that rent movies and games, is in discussion with retailers, which Rudy would not name, that are considering directly connecting the kiosks to their stores’ POS payment systems.
Any time game owners want to sell titles to E-Play, the kiosks require credit or debit cards to be swiped. To meet state regulations pertaining to the buy-back of second-hand goods, the kiosks also require driver’s licenses to be swiped or scanned by the machine, Rudy said.
Rudy was unwilling to discuss the details of how the kiosks protect credit and debit card information, but he said the devices are PCI compliant, that data is encrypted and that E-Play owns and process all collected information. The kiosks send alerts to E-Play if tampering occurs. The machines take photographs of all customers and Rudy said this feature has been used by police to catch credit card thieves.
Unlike other kiosks that accept credit and debit cards for payment, E-Play’s do not retain sensitive information once a transaction is completed, Rudy said. “Credit card information gets settled at the machine right away when a customer is in front of it,” the CEO said. “We don’t keep credit card data any longer than we need to.”
The kiosks do retain some basic customer information, which Rudy would not divulge. However, he said all sensitive customer information is stored at E-Play headquarters. “Everything inside the kiosk is encrypted, but even if somebody tore into it, any information they could get would only be basic information,” Rudy said. He noted that basic customer data, but not credit card or driver’s license information, is shared by all machines in the E-Play network so that a customer is recognized at all kiosks. However, even known customers must swipe their cards and driver’s licenses whenever they want to sell a game, Rudy stressed.
He said all information is transmitted via a secure cellular network. However, Rudy said the company has been in discussions with “a number of grocers” that are interested in having the kiosks tied directly into their POS systems so they can include kiosk activity as part of their sales. “They look very closely at in-store sales,” he said. “If our machine takes up nine square feet and they had to remove, say, a windshield washer fluid display for it, they have to make up that revenue. We can tie our kiosk into their POS system so they see the same actual revenue number every day tied into their actual reporting system.”
The CEO acknowledged that E-Play gathers quite a bit of potentially lucrative information about its customers. However, he insisted the company has no intention of sharing any of that CRM data to the retailers (including the stores whose space it leases) game makers or advertisers.
-Marc
May 27th, 2009 at 9:20 am
Thanks for exploring these issues. Nice article. My guess is the credit card readers are standard HID and possibly keyboard wedge (though we hate to think that). Something to be said for the new magteks which actually do do the encoding of data at the head and eliminate encoding by software (and uses magensa service to decode). Those options might be gaining momentum just in terms of plausible denial so to speak.
May 28th, 2009 at 7:03 am
In Turkey, credit payment systems are really hard to implement in selfservice kiosk systems. Almost every bank has its own loyalty program and customers are very addictible for them. And also PCI and EMV rules are quite strong in payment systems. So Security and privacy is not first issue but integrity is main problem so as to solve.
May 28th, 2009 at 2:30 pm
Interesting article! Dealing with big box stores can be difficult especially in balancing the visual perception of who is delivering the service in store. Point taken that WM will be on the hook for whatever the kiosk does or does not do, in the eyes of the public. It is essential to mesh the policies of the the host retailer with the policies of the provider. Trust of our clients can not be betrayed at any point or our kiosk projects will definately fail.