Fully integrated - In this scenario the entire payment system is within the merchants owned and maintained infrastructure. The POS machines, the terminals, the servers, the firewalls, everything. In this scenario the entire system is also within PCI scope. Any change in a part of the system affects the other parts. They are all connected and communicating with each other as a whole point of sale and payment processing environment. Encrypted card holder data and transactional data is being stored on the system, and being sent for processing through their internet connection. Historically to build a fully integrated EMV payment system from scratch you are looking at 12 to 18 months of a qualified person’s time, and likely a few hundred thousand dollars in software development and hardware.  If you are a tier one retailer, and you are processing millions of transactions a minute, escaping middleware/gateway fees which are usually assessed on a cents per transaction basis one can see the benefit of building and maintaining a fully integrated system in the long run. So once you have invested all this time and money in building this system, you need to get it certified with a processor. Which will also cost well into the tens of thousands when its all said and done. Furthermore, you are now married to the system you have built, and any changes, even down to the manufacturer and model of the terminal will cause a ripple effect, and the system will have to be re-evaluated and re-certified. Independent of changes to the initial architecture you built the system on, it is a full time job to maintain the system and keep it up to date with never ending PCI mandates. An example of that would be the POODLE vulnerability that was recently discovered with SSL connections. Consequently SSL connections were replaced with TLS connections to eliminate that vulnerability. You can see how maintaining a fully integrated system would be a full time job.

Semi-integrated - In this scenario you have partitioned the POS or kiosk application in a way. By using a gateway/middleware allowing the terminal to talk directly to the gateway switch through either an isolated software agent on the host PC, or through a dedicated secure connection, the only real surface area that is in PCI scope is the SDK you have integrated with your application. We are talking about something like .001% PCI security exposure, compared to 100% of a fully integrated solution being in PCI scope. Furthermore, the SDK and its associated gateway switch comply with PCI-DSS standards. So in a semi-integrated scenario you can do a self assessment questionnaire for your attestation of PCI compliance and be done with it in most cases.  No encrypted card holder data ever passes through the POS application or is stored anywhere on the system locally. Your application never “sees” any card holder data. Most gateway software also supports tokenization. Tokenization has many uses, but the simplest to understand is recurring billing. The terminal can send the encrypted card data to the gateway which then generates and returns a unique token to the POS/kiosk application. That token can then be used again and again to bill that card. The beauty of tokenization is that a token is worthless to anyone except the gateway that generated it. So even if someone was able to hack into the POS/kiosk application and steal the token, you couldn’t turn it into a fake credit card. It is a totally useless string of numbers that can only be matched up to the card data associated with it at the payment gateway data centers. Data centers which are the gateway partner's responsibility to protect from hackers or physical security threats. Also maintaining and updating the system is their responsibility, so for example when the POODLE vulnerability was identified, Creditcall discontinued support for SSL connections and went to what is now the industry standard (TLS) in a matter of a week or so to let current customers also update to the new more secure connection type on their side. It is their job to maintain and re-certify the system, and run security checks regularly to ensure their customers that card data is protected. A partner like Creditcall also puts a disaster recovery system in place. They have four data centers (two in the US, and two in Europe) that are all set up for system redundancy, ensuring that if a fire breaks out at one data center the other three are there to pick up the slack. This allows them to ensure their customers 99.996% system uptime, and that they can continue processing thousands of transactions a second all around the world.

F Y I   LINKS  FOR YOUR CONVENIENCE

POS systems are designed not only to serve the retail, wholesale and hospitality industries as historically is the case. Nowadays POS systems are also used in goods and property leasing businesses, equipment repair shops, healthcare management, ticketing offices such as cinemas and sports facilities and many other operations where capabilities such as the following are required: processing monetary transactions, allocation and scheduling of facilities, keeping record and scheduling services rendered to customers, tracking of goods and processes (repair or manufacture), invoicing and tracking of debts and outstanding payments.

Different customers have different expectations within each trade. The reporting functionality alone is subject to so many demands, especially from those in the retail/wholesale industry. To cite special requirements, some business's goods may include perishables and hence the inventory system must be capable of prompting the admin and cashier on expiring or expired products. Some retail businesses require the system to store credit for their customers, credit which can be used subsequently to pay for goods. A few companies even expect the POS system to behave like a full-fledged inventory management system, including the ability to provide even FIFO (First In First Out) and LIFO (Last In First Out) reports of their goods for accounting and tax purposes.

In the hospitality industry, POS system capabilities can also diverge significantly. For instance while a restaurant is typically concerned about how the sale window functions, whether it has functionality such as for creating item buttons, for various discounts, for adding a service charge, for holding of receipts, for queuing, for table service as well as for takeaways, merging and splitting of a receipt, these capabilities may yet be insufficient for a spa or slimming center which would require in addition a scheduling window with historical records of customers' attendance and their special requirements.

It may be said that a POS system can be made to serve different things to different end-users depending on their unique business processes. Quite often an off-the-self POS system is inadequate for customers; some customization is required and this is why a POS system can become very complex. The complexity of a mature POS system even extends to remote networking or interlinking between remote outlets and the HQ such that updating both ways is possible. Some POS systems even offer the linking of web-based orders to their sale window. Even when local networking is only required (as in the case of a high-traffic supermarket), there is the ever-present challenge for the developer to keep most if not all of their POS stations running. This puts high demand not just on software coding but also designing the whole system covering how individual stations and the network work together, and a special consideration for the performance capability and usage of databases. Due to such complexity, bugs and errors encountered in POS systems are frequent, as a mere search on 'pos system reviews bugs' would reveal.

SEMI INTEGRATION RESEARCH

PRODUCTS & SERVICES

Certified for use in either attended or unattended configurations and supporting several different use case options, the ultra-sleek Aries8 SmartTablet can meet the needs of both large and small merchants across any North American retail vertical market. Via its revolutionary Adapter Plate, the Aries8 Smart tablet  can be installed on standard countertop stands, integrated into third-party kiosks, mounted on walls, or used as a mobile device.

DEJAVOO Z-9 WIRELESS

ALL IN ONE SERVER WITH DUAL TOUCH SCREEN ALLOWS FOR INTERACTION WITH CUSTOMER.

DIGITAL MENU ON THE CUSTOMER SIDE LETS THE CUSTOMER SEE AND INTERACT WITH OPTIONS INVOLVING THE TRANSACTIONS.

EMV COMPLIANCE IS NOW REALITY!

ROOM SEAMLESS ONLINE ORDERING & SMART QUEUE SELF SERVE ORDERING & CHECKOUT

Peter Romanofsky

TECHNICAL SERVICES & Business Consulting ​SEMIINTEGRATION A solutions ORIENTATED COMPANY

Peter romanofsky

Free Support

DEJAVOO Z-1 WIRELESS

​The Benefit of Semi-Integration

Semi-integration is a measure that ensures payment terminals are connected with retail point-of-sale software,  while maintaining separation between payment information transmission and other systems. In order for retailers to become PCI complaint without extensive investment into fully integrated compliant systems, semi-integration offers a cost effective, compliant resolution.