Wednesday, August 19, 2009

California Financial Code and PCI Touchscreen Requirements

There has been some confusion in the market about how to meet the California Financial Code requirements and still meet PCI requirements on touch screen terminals. This bulletin is intended to clear that confusion up.

The California Financial Code requires that retailers provide tactile keypads to allow PIN entry by sight-impaired individuals. While California is the only state with this law, and federal regulations at the moment do not require it, several organizations have pushed national retailers to make the same accommodations. These organizations include the American Council for the Blind and the American Federation for the Blind, and in some cases those groups' state organizations. Several retailers have negotiated settlements with these groups after legal action was initiated. The most recent was Target, which settled on May 14th this year. In that case, Target agreed to upgrade every payment device to have a tactile keypad. The California Financial Code requires retailers to have a tactile keypad at every lane, except that retailers with just two lanes are allowed to have a tactile keypad in only one of those two lanes.

While the California law does not spell out specifics for the keypad, the associations for the blind and the Federal Code call out several very specific requirements, including the number layout, the raised dot on the 5 key, and the colors and raised symbols on the clear, enter and cancel keys. VeriFone products with keypads such as the MX 800 Series, the PP1000SE and the Vx 810 all meet these requirements.

The PCI Security Standards Council is concerned with the integrity of the payments system, not its accessibility to persons with disabilities. That is why the PCI PED requirements do allow a virtual PIN pad on touch-screen-only terminals. While it was not spelled out in the early PCI PED requirements, the more current versions clearly state that overlays of any kind are not allowed on a touch screen. This includes both keypad overlays, which would provide accessibility to sight-impaired individuals, and protective overlays. The reason is the potential for criminals to embed technology within any kind of touch screen overlay that could be used to capture an individual's PIN. Whether this is a real or perceived threat, both MasterCard and Visa have confirmed that any kind of overlay on a touch screen device is not PCI compliant.

Retailers wanting to meet PCI requirements and also provide access to sight-impaired individuals have two choices. First, install a product that has a tactile keypad built in, like the MX830, MX850, MX860 or MX870; or second, for products with touch-screen-only keypads, add an attached PIN pad like the PP1000SE.
