What are my hardware choices: integrated or separate reader?
• Separate PIN pad and chip reader
Both PIN pad and reader must be housed in a tamper evident enclosure. This means that if either device is tampered with, it must be rendered non-functional. As both devices contain sensitive information in the form of cryptographic security keys, part of this process must involve the active deletion of this information.
Between PIN pad and reader a secure, triple DES (Data Encryption Standard) link must exist to protect the privacy of the entered PIN. The initial keys for this link must be injected in a secure manner, and a secure facility to change these keys on a regular basis must also exist. As prescribed, this is a complex and onerous process; however, the industry is currently proposing alternatives which are more practical and less costly to implement and maintain.
This solution has approximately twice the initial cost and potentially a large cost of ownership compared to the combined reader below. Nevertheless, it is popular in environments which are concerned with the transition from magnetic stripe, through chip to chip and PIN: [see: is it chip first and PIN later?] The solution may also apply to cardholder activated terminals where the chip reader and PIN pad must necessarily be located in different parts of the main enclosure. The latter is an area which is under discussion with banks and suppliers at present.
• PIN pad and reader included within the same enclosure
Both PIN pad and reader must be housed in a tamper evident enclosure. This means that if either device is tampered with, it must be rendered non-functional. As neither device contains any sensitive information, this is a reasonably straightforward process.
No secure link is needed between PIN pad and chip reader as both are contained within the same, secure enclosure.
This solution has approximately half the cost and a very low cost of ownership compared to the separate PIN pad and chip reader. It is acknowledged to be the correct option once the chip and PIN migration has matured.
• Who dips the chip?
Concerning whether the sales assistant or the cardholder inserts the card into the chip reader, there seem to be two schools of thought in existence in the UK at present: those who believe that the transition from magnetic stripe, through chip to chip and PIN must be specifically catered for and those who do not. The former see the advantages of a separate chip reader placed on the sales assistant side of the till which will read the magnetic stripe and chip in a single action. The PIN pad will be added later, possibly as a combined PIN pad reader, in a position that suits the cardholder. This solution removes the need for sales assistant or cardholder to make any decisions about whether a card is magnetic stripe, chip only or chip and PIN. It also allows all cards to be processed as signature-based until the population of chip and PIN cards in circulation reaches maturity, and appropriate cardholder education has taken place.
Those who believe that the transition period should NOT be catered for assume a higher level of intelligence of both sales assistant and cardholder. Sales assistant staff will decide whether the card has a chip and train the cardholder at the time on the use of PIN. They consider that cardholders are used to using PIN at the cash dispenser and will easily understand what to do. A combined PIN pad and chip reader will be placed in a position where both sales assistant and cardholder can insert the chip. If the slot is not universally accessible, they accept that the sales assistant can turn the reader around to suit. Initially the sales assistant will dip the chip but the cardholder can assume this responsibility as required.
CARD READER TYPES
• Combined PIN pad and chip reader only
Here a single unit contains a slot for inserting the chip card manually and also has a keypad and display for entering the PIN. This is typically the least expensive reader and universally acknowledged to be the ideal choice for the mature chip and PIN market. Some believe that this is the way to go from day one, others believe they must wait. If this reader is used at the point of sale from day one, existing magnetic stripe support for non-chip transactions must be used.
• Combined PIN pad and chip reader with separate magnetic stripe reader
This is similar to the "combined PIN pad and chip reader only" but it also contains a magnetic stripe reader slot, either down one side or across the top or bottom of the reader. The only difference in use is that existing magnetic stripe support may be replaced by using this new reader. However, it may not be placed in a position which makes it very easy or even possible for the sales assistant to swipe the card.
• Combined PIN pad with hybrid magnetic stripe and chip reader
This is similar to the "combined PIN pad and chip reader with separate magnetic stripe reader" but the magnetic stripe is automatically read when the chip is dipped. The disadvantage of this manual process is that the magnetic stripe read tends to be unreliable, particularly on the way in to the reader when insertion is erratic. A better read is usually obtained on the way out, but this can lead to confusion during operation.
• Combined PIN pad with motorised hybrid magnetic stripe and chip reader
This is a typical setup for a cardholder activated terminal where the manufacturer wants to avoid triple DES encryption by combining PIN pad and reader in a secure sub-enclosure. Products of this type are not generally available at present and those that are in existence are not suitable for the traditional point of sale. If such a device were developed for the point of sale which allowed card insertion from front and back, it might provide a suitable compromise for all parties, although it would be expensive.
• Separate PIN pad and motorised hybrid magnetic stripe and chip reader
This is a typical setup for a cardholder activated terminal where the manufacturer accepts that triple DES encryption must be used between PIN pad and reader. Motorised readers of this type are readily available in chassis form, but without the secure enclosure or triple DES encryption and are not suitable for the traditional point of sale. Some products of this type are now available where the reader has been housed in a secure enclosure with a separate PIN pad for use at the traditional point of sale.
• Separate PIN pad and hybrid magnetic stripe and chip reader
Notwithstanding what was said in "combined PIN pad with hybrid magnetic stripe and chip reader" concerning the unreliability of manual magnetic stripe read, a "swipe and park" reader is now available which addresses these shortcomings. This reader is popular with those who believe that the transition period should be catered for. Nevertheless, it carries with it the additional costs and complexity of the triple DES encryption requirement.