This article provides helpful information and advice concerning Payment Card Industry Data Security Standards (PCI-DSS) for the Elo M60 Pay Mobile device.
Monthly Updates
Once a month, your terminal will connect to the Elo Terminal Management System to download new software and important configuration changes. This update will typically occur overnight. For this reason, it is suggested that your terminal be powered on at all times. For mobile POS terminals, it is recommended that the device be left on the charging stand or connected to the power supply when not in use. In the event that the terminal is powered off when the update takes place, or has a low battery in the case of portable models, the system will notify you that the update has failed. Please leave your terminal on the following night to ensure the upgrade is completed, or call your helpdesk for assistance.
The Elo M60 Pay mobile POS contains a payment application that stores, processes and transmits cardholder data. It therefore falls within the scope of the Payment Card Industry Data Security Standards (PCI-DSS).
This section contains advice to assist you with PCI-DSS compliance.
Please note it is the responsibility of the merchant to ensure the merchant copies of receipts and reports showing cardholder details are stored securely for the period of time specified by your bank. Please also ensure they are disposed of in a secure manner at the end of that period. Failure to do so may result in charge-backs or fraudulent activity.
1. Retention of full magnetic stripe, card validation code or PIN block data
The payment application within the Elo M60 Pay mobile POS family of terminals does not retain card data. You need to take no further action to ensure your PCI DSS compliant environment meets this specific requirement.
2. Protection of stored cardholder data
The payment application within the Elo M60 Pay mobile POS family of terminals protects stored cardholder data in a secure manner.
You must ensure you give the correct copy of the receipt to the cardholder (clearly marked CARDHOLDER COPY) and retain the merchant receipts in a secure area with access limited to authorized staff. The merchant receipts must be destroyed by incineration or by cross-shredding when they become obsolete. Your bank will advise on the period necessary for retention of receipts.
You should perform an End of Day Banking/Settlement every day. Your terminal may be configured to perform this process automatically every day; if you are unsure how your terminal is configured, please contact your helpdesk.
3. Provision of secure authentication features
The payment application operates in the Elo M60 Pay mobile POS hardware environment and does not require username or password access. You need to take no further action to ensure your PCI DSS compliant environment meets this specific requirement.
4. Secure payment applications
The Elo M60 Pay mobile POS terminal and its software applications have been designed in line with PCI DSS and industry best practices. You need to take no further action to ensure your PCI DSS compliant environment meets this specific requirement.
5. Protection of wireless transmissions
The Elo M60 Pay mobile POS family utilizes Wi-Fi wireless transmissions in accordance with PCI DSS and industry best practices.
6. Testing payment applications to address vulnerabilities
Elo has a process to identify newly discovered security vulnerabilities and to develop and deploy security patches and upgrades in a timely manner. You need to take no further action to ensure your PCI DSS compliant environment meets this specific requirement.
7. Secure network implementation
The payment application operates in the Elo M60 Pay mobile POS family hardware environment and does not need to log application activity.
8. Ensuring cardholder data must never be stored on a server connected to the Internet
If you are using the Elo M60 Pay mobile POS family device on a Local Area Network for the payment transaction interface and you are using a local server to store and forward the transaction data, you must take steps to protect the transaction data in accordance with PCI DSS requirements.
9. Secure remote software updates
Software updates will be carried out automatically by the Elo Terminal Management System. This system ensures only authenticated payment software is loaded onto your terminal.
10. Secure remote access to payment application
There is no remote access to the payment application.
11. Encryption of sensitive traffic over public networks
Transactions sent over network connections are always encrypted by the payment application using Secure Sockets Layer (SSL) technology.
You must never communicate sensitive cardholder data by any means unless it is encrypted. Elo will never request such data from you.
Sensitive cardholder data means:
- The Card Number (often known as Primary Account Number or PAN),
- The Cardholder Name, the Card Expiration Date,
- The Card CV2 Number (the last three digits printed on the card signature strip, or for American Express, the four-digit value printed on the front of the card).
Your helpdesk may request the first six digits of a card number from you to assist with troubleshooting a problem. This should be provided along with the name of the card issuer when requested, to enable your helpdesk to assist.
You will not be asked for a full card number by your helpdesk.
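The data-sharing rule above, written as an added example (not Elo's code): the only part of a card number a support message may carry is its first six digits, and any full PAN should be caught before the message leaves. The sample card numbers are constructed, well-known test values, and the Luhn-based detection is an assumed heuristic, so a long Luhn-valid order number would also be flagged.

```python
import re

# Constructed sample values (industry test numbers, not real cards).
SAMPLE_VISA = "4111 1111 1111 1111"
SAMPLE_AMEX = "378282246310005"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates card-number-like runs from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def helpdesk_safe(pan: str) -> str:
    """Return the only fragment the helpdesk may be given: the first six digits."""
    digits = re.sub(r"\D", "", pan)
    if not looks_like_pan(digits):
        raise ValueError("not a valid card number")
    return digits[:6]


def contains_full_pan(text: str) -> bool:
    """True when the text carries a full card number and must not be sent as-is."""
    return any(looks_like_pan(re.sub(r"\D", "", m.group()))
               for m in PAN_PATTERN.finditer(text))


def redact_pans(text: str) -> str:
    """Keep the first six digits of each full PAN and replace the rest with X."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if looks_like_pan(digits):
            return digits[:6] + "X" * (len(digits) - 6)
        return m.group()        # not a card number; leave untouched
    return PAN_PATTERN.sub(repl, text)
```

Run `redact_pans` over any note or email before it goes to support, and only ever hand over what `helpdesk_safe` returns together with the issuer name.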
12. Encrypt all non-console administrative access
This is not applicable to the Elo payment application.
13. Maintain instructional documentation/training programs for cardholders, resellers, & integrators
As well as the information in the user manual, Elo makes further information regarding PCI DSS compliance available to you via its website, www.elotouch.com.
Please report any broken links by emailing support@elotouch.com and include a link to the knowledge article.