presentations

PCI-Compliant iPad Kiosks

Field Office Permit & Payment Devices

πŸ“… June 2025 πŸ‘€ Prepared by: Jon Leibowitz - Student Worker, IT πŸ›οΈ Los Angeles County Public Works


Purpose of This Review

βœ… Understand how to securely configure iPads used as payment kiosks βœ… Ensure PCI DSS v4.0 compliance for devices processing cardholder data βœ… Provide actionable guidance for field deployment using Intune & FIS gateway


iPad Kiosk Use Case


Key Compliance Goals

πŸ›‘οΈ Prevent unauthorized access πŸ” Protect cardholder data πŸ“΅ Block insecure behaviors 🧰 Enable remote management πŸ“ Maintain auditability


PCI Compliance Overview

PCI Scope Area Kiosk Focus
Encryption TLS & P2PE for payments
Storage Restrictions No PAN or CVV locally
Physical Security Enclosure & access logs
Device Hardening MDM policies enforced
Software Integrity Web app + secure Safari
Monitoring Logs, alerts, updates

Kiosk Configuration Summary

Area Action Required
Lockdown Mode Single App or Multi-App via Intune
App Access Only payment web app (Safari)
Web Restrictions Whitelist FIS/payment URLs only
Form Data Autofill disabled in Safari
Screen Capture Block screenshots/screen record
Supervision Use Apple Business Manager β†’ Intune

Payment Security Requirements


Network & Remote Access Controls


Physical & Operational Security

πŸ”’ Lock iPads in tamper-evident mounts 🧯 Field staff inspect devices weekly πŸ“‹ Maintain chain-of-custody & logs πŸ“Έ Block use of camera, mic, and other apps πŸ›‘ Block personal hotspot and iOS Settings access


Intune Policy Recommendations

Setting Recommendation
Safari Autofill Disabled
Screen Capture Blocked
Personal Hotspot Blocked
Allowed Apps Safari only
Allowed URLs FIS + Permit App
Device Update Compliance Enforced
Jailbreak Detection Enabled

App & Payment Gateway Considerations


Audit & Compliance Tracking

πŸ“ Document all kiosk setup steps and security controls πŸ› οΈ Use Intune’s compliance dashboard πŸ“€ Enable alerting for jailbroken/offline/non-compliant devices πŸ“‚ Maintain change logs, device checklists, and incident response plans


Staff Roles & Training

πŸ‘· Field Staff

πŸ§‘β€πŸ’» Admin Team


Summary

βœ… Kiosks can meet PCI DSS if locked down properly βœ… Intune and Apple Business Manager are essential tools βœ… Use encrypted card readers + tokenization with FIS βœ… Document and monitor everything for audit readiness


Appendix: Source Materials


Questions & Next Steps

πŸ“Œ Review config with infrastructure/security leads πŸ“Œ Coordinate with development team on web app controls πŸ“Œ Schedule test deployment of pilot kiosk πŸ“Œ Prepare compliance documentation binder