June 2025
Prepared by: Jon Leibowitz - Student Worker, IT
Los Angeles County Public Works

- Understand how to securely configure iPads used as payment kiosks
- Ensure PCI DSS v4.0 compliance for devices processing cardholder data
- Provide actionable guidance for field deployment using Intune & FIS gateway

- Prevent unauthorized access
- Protect cardholder data
- Block insecure behaviors
- Enable remote management
- Maintain auditability

| PCI Scope Area | Kiosk Focus |
|---|---|
| Encryption | TLS & P2PE for payments |
| Storage Restrictions | No PAN or CVV locally |
| Physical Security | Enclosure & access logs |
| Device Hardening | MDM policies enforced |
| Software Integrity | Web app + secure Safari |
| Monitoring | Logs, alerts, updates |

| Area | Action Required |
|---|---|
| Lockdown Mode | Single App or Multi-App via Intune |
| App Access | Only payment web app (Safari) |
| Web Restrictions | Whitelist FIS/payment URLs only |
| Form Data | Autofill disabled in Safari |
| Screen Capture | Block screenshots/screen record |
| Supervision | Use Apple Business Manager with Intune |

- Lock iPads in tamper-evident mounts
- Field staff inspect devices weekly
- Maintain chain-of-custody & logs
- Block use of camera, mic, and other apps
- Block personal hotspot and iOS Settings access

| Setting | Recommendation |
|---|---|
| Safari Autofill | Disabled |
| Screen Capture | Blocked |
| Personal Hotspot | Blocked |
| Allowed Apps | Safari only |
| Allowed URLs | FIS + Permit App |
| Device Update Compliance | Enforced |
| Jailbreak Detection | Enabled |
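
As an added example (not part of the original deck or of any Intune tooling), the Python script below audits a kiosk configuration profile against four rows of the table above: Safari autofill, screen capture, allowed apps, and allowed URLs. It assumes the policy is available as an Apple configuration profile (`.mobileconfig` plist); the hostnames are constructed placeholders and `audit_profile` / `build_sample` are hypothetical helper names.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed placeholder hosts; substitute the real FIS gateway and permit app hosts.
APPROVED_HOSTS = {"pay.fis.example", "permits.example.gov"}
SAFARI = "com.apple.mobilesafari"

def audit_profile(profile_bytes, approved_hosts=APPROVED_HOSTS):
    """Return a list of findings; an empty list means the profile matches the baseline."""
    payloads = {}
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        payloads.setdefault(p.get("PayloadType"), []).append(p)
    findings = []
    # Restrictions payload: a missing key falls back to the permissive iOS default.
    restrictions = payloads.get("com.apple.applicationaccess", [])
    for key, label in (("safariAllowAutoFill", "Safari autofill"),
                       ("allowScreenShot", "screen capture")):
        if not any(r.get(key) is False for r in restrictions):
            findings.append(f"{label} is not disabled ({key})")
    # App Lock payload: the kiosk must be pinned to Safari and nothing else.
    locked = [a.get("App", {}).get("Identifier") for a in payloads.get("com.apple.app.lock", [])]
    if locked != [SAFARI]:
        findings.append(f"app lock is {locked or 'absent'}, expected Safari only")
    # Web content filter: every allowed URL must be HTTPS on an approved host.
    filters = payloads.get("com.apple.webcontent-filter", [])
    if not filters:
        findings.append("no web content filter payload")
    for f in filters:
        bookmarks = f.get("AllowListBookmarks") or f.get("WhitelistedBookmarks") or []
        if not bookmarks:
            findings.append("web filter has no URL allowlist")
        for url in (b.get("URL", "") for b in bookmarks):
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.hostname not in approved_hosts:
                findings.append(f"unapproved or non-HTTPS URL allowed: {url}")
    return findings

def build_sample(screenshots_allowed=False, extra_url=None):
    """Constructed sample profile (not a real export) for exercising the audit."""
    urls = ["https://pay.fis.example/kiosk", "https://permits.example.gov/"]
    if extra_url:
        urls.append(extra_url)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "safariAllowAutoFill": False, "allowScreenShot": screenshots_allowed},
        {"PayloadType": "com.apple.app.lock", "App": {"Identifier": SAFARI}},
        {"PayloadType": "com.apple.webcontent-filter", "FilterType": "BuiltIn",
         "AllowListBookmarks": [{"URL": u, "Title": u} for u in urls]},
    ]})
```

Running `audit_profile` on each exported profile before field deployment, and again after any policy change, gives a repeatable record for the change log.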

- Document all kiosk setup steps and security controls
- Use Intune's compliance dashboard
- Enable alerting for jailbroken/offline/non-compliant devices
- Maintain change logs, device checklists, and incident response plans

Field Staff

Admin Team

- Kiosks can meet PCI DSS if locked down properly
- Intune and Apple Business Manager are essential tools
- Use encrypted card readers + tokenization with FIS
- Document and monitor everything for audit readiness

- Review config with infrastructure/security leads
- Coordinate with development team on web app controls
- Schedule test deployment of pilot kiosk
- Prepare compliance documentation binder