PCI-DSS Certification Information
Customers often inquire if the Lilitab Swipe product is “PCI certified”. For a retail business, such certification is normally awarded to the entire system (everything that touches card data) and the surrounding processes. As such, a certification review is based upon numerous internal and external factors and certification is not typically awarded to individual pieces. Imagine a chain, made of many links. These links represent items such as servers, networks, storage systems, and security policies, as well as the Lilitab product. In a review process, each link is examined – and must pass – but it is the chain which is normally awarded the certification.
The Lilitab encrypted card swipe product is simply a “link in the system chain”, and is not an individually certified unit. That said, the Lilitab product should not obstruct an overall system PCI certification review - in fact, it may very well assist in your certification process by reducing the scope of a full PCI review.
The significant review points for the Lilitab encrypted swipe products are:
o Encryption occurs inside the reader unit at the time of swipe.
o Personally Identifiable Information (“PII”), and other raw data, is neither transmitted nor stored within the Lilitab product.
o The reader unit utilizes industry standard encryption methodology (3DES) and dynamic keys (DUKPT).
o The reader unit interior is not accessible to normal physical traffic or customer handling.
o There is no ability to turn off or suspend the encryption process.
o Lilitab only utilizes industry approved and registered encryption keys.
The above points typically place Lilitab products as a “non-factor” for overall PCI consideration.
The component manufacturer states: “Other devices claim to encrypt data in the reader. The (reader) encrypts the data inside the read head, closest to the magnetic stripe and offers additional security layers with immediate tokenization of card data and …card authentication. This layered approach to security far exceeds the protection of encryption by itself, decreases the scope of PCI compliance, and reduces fraud”.
Non-Encrypted Reader: The Lilitab non-encrypted reader properly reads and conveys card magnetic data – the difference is that the data is transmitted in raw form. Non-encrypted card readers are therefore not PCI-DSS friendly, nor well suited to retail environments where customer credit card security is mandatory. However, if your card swipe commerce does not contain PII or have other security requirements, then an unencrypted reader may well fit your business requirements. Additionally, a non-encrypted reader is recommended for testing and application development purposes.
For additional Lilitab product technical details, please contact the Lilitab support desk at (888) 705 0190 extension 2.