Credit Card Connoisseur

Thursday, July 08, 2010

Ron Baklarz


Pennsylvania is on tap to introduce wine-dispensing kiosks into supermarkets. This is sort of intriguing to me on several levels, including possible sales to minors as well as the implications around the Payment Card Industry Data Security Standard (PCI-DSS) and the potential for disclosure of Personally Identifiable Information (PII).

See: http://www.msnbc.msn.com/id/38143937/ns/business-consumer_news/

 

The article states that before you can actually purchase your favorite year of Boone's Farm or MD (Mad Dog) 2020, you have to "swipe your driver's license, look into the camera, blow into the breath sensor and - voila! - you have permission to buy a bottle of wine from a vending machine." 

It seems that this authentication mechanism could be compromised. Moreover, I would very much like to see the security scheme around the kiosk's ability to protect the PII associated with the driver's license, as well as the PCI-DSS protections, since the machines will accept credit and debit cards.

Do these machines adhere to the new PIN Entry Device (PED) requirements? Has security around the new kiosks been considered with regard to the processing, storage and transmission of license and card data?

Other articles on this topic state that a "camera tied into the Pennsylvania Liquor Control Board's (PLCB) central office ensures the person buying the wine and the license match." So what happens if the connoisseur has shaved his beard while on his license he looks like the wolfman?

These kiosks are being rolled out to 5 stores initially, but more than 100 are slated to go online "if all goes well". So, how will this visual monitoring and compliance by the PLCB scale when potentially thousands of stores across the state go online?

What happens when the network connection goes down and the central office cannot see the customer's face? (That never happens!) What about the privacy implications of this data?

I hope I am wrong, but this whole scheme gives me a "cringe factor" and I can see this train wreck coming a mile away! Stay tuned, as I am sure we will hear more about these kiosks in the coming months.

Anthony M. Freed: Thanks Ron - another great example of convenience trumping security. I wonder if consumers knew how much it was costing them in the end if they would rather have security after all...