Security and Compliance Guide
General explanation of why the customer is not in scope of the kiosk's PCI compliance
Many customers believe, or worry, that having a kiosk on their network will bring that network into scope for PCI compliance.
Avanti Markets is the merchant of record, and the operator is our partner that manages and maintains the physical state of the kiosk. Avanti Markets and the operator have responsibilities regarding the PCI compliance of the kiosk.
Although the customer may provide internet access to the kiosk, they are not considered a Service Provider under PCI DSS.
For your convenience, the PCI council glossary definitions of service provider and merchant are reproduced below, in that order:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.