Securing Financial Transactions at the Edge:
Using Robustel Routers in PCI DSS Compliant Applications
White Paper – Executive Summary
Brief
Every point-of-sale (POS) business is responsible for safeguarding sensitive cardholder data. Non-compliance with PCI DSS (Payment Card Industry Data Security Standard) can lead to heavy fines, reputational damage, and even losing the ability to process credit card payments.
Robustel routers, when properly configured and monitored, deliver the security capabilities needed to support PCI DSS requirements. With features such as VLANs, stateful firewalls, IP/MAC filtering, VPNs, event logging, and RCMS-based remote management, Robustel ensures that retailers and service providers can protect customer data, reduce risk, and maintain compliance across diverse deployment environments, from retail shops and restaurants to ATMs and temporary vending locations.
What you’ll learn
- The role of PCI DSS and why compliance is mandatory for any business handling credit card data.
- The core PCI DSS requirements, including firewall rules, strong authentication, encryption, vulnerability management, and continuous monitoring.
- Why there is no such thing as a “PCI Compliant Router” — and how compliance depends on the entire payment ecosystem.
- How Robustel routers contribute to compliance through advanced security features like VLAN segmentation, firewalling, and encrypted communications.
- Practical steps for configuration and monitoring, including password policies, firewall setup, VLAN isolation, and external logging.
Introduction
Point-of-Sale (POS) businesses are subject to stringent requirements with regard to protecting sensitive customer and company information. Financial institutions require that any company that stores, processes or transmits credit card information complies with the PCI-DSS (Payment Card Industry, Data Security Standards).
Companies that fail to comply are subject to fines, lawsuits, and can even be banned from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.
When properly configured, monitored and maintained, Robustel devices meet the requirements of PCI-DSS 3.0. Enabling features include VLAN, stateful firewall, MAC/IP/URL filtering, authentication/encryption, event logging, event alerts, time synchronization, and configuration/upgrade management from the RCMS platform.
Robustel specializes in network connectivity solutions for the Retail Point-of-Sale market. Our products are deployed broadly in several Retail POS segments that process credit card transactions, including:
- Retail Stores
- Restaurants & Bars
- Convenience Stores
- Coffee Shops
- Kiosks
- ATMs
- Service Locations
- Entertainment & Recreational Venues
- Special Events
- Temporary Vending Locations
PCI Security Standards
Overview
The objective of the Payment Card Industry (PCI) Security Standards is to protect cardholder data. The standards are developed and published by the PCI Security Standards Council (SSC), which consists of hundreds of industry participants who have a vested interest in reducing vulnerabilities in the card-processing ecosystem.
The PCI-SSC was founded by the following five global payment brands:
- American Express
- Discover Financial Services
- JCB International
- MasterCard Worldwide
- Visa, Inc.
Scope
The PCI SSC publishes the following standards:
PCI Data Security Standards (DSS): Applies to any entity that stores, processes, and/or transmits cardholder data. The standard covers technical and operational components included in or connected to cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS.
PIN Transaction Security Requirements (PTS): Applies to manufacturers who develop PIN (personal identification number) entry terminals used for payment card financial transactions.
Payment Application Data Security Standards (PA-DSS): Applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.
Point-to-Point Encryption (P2PE): Applies to merchants to reduce the scope of their cardholder data environment and annual PCI DSS assessments.
Compliance
Merchants who process credit card transactions are responsible for complying with the PCI-DSS. “PCI Compliance” is achieved when the merchant successfully demonstrates (via external audits or self-certification) that their entire system and process complies with the 12 requirements of the PCI-DSS.
Requirements
Version 3.0 of the PCI-DSS was released in November, 2013. The PCI-DSS provides a baseline of technical and operational requirements designed to protect cardholder data. The PCI-DSS is organized around the following high-level goals and requirements:
| Goals | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Maintain a Vulnerability Management Program | |
| Implement Strong Access Control Measures | |
| Regularly Monitor and Test Networks | |
| Maintain an Information Security Policy | |
Certification
While the standards are driven by the PCI SSC, each payment card financial institution has its own program for compliance. In general, compliance can be certified by the merchant through a Self-Assessment Questionnaire (SAQ) or through a Qualified Assessor such as a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).
It is the merchant’s responsibility to work with their payment card financial institution to determine what form of certification is required.
Robustel Recommendations for PCI Compliance
Overview
The PCI SSC does not publish any certification standards for network equipment other than PIN entry terminals. As a result, there is no such thing as a “PCI Compliant Router”.
To become “PCI Compliant”, the merchant must verify that their entire system (POS devices, network devices, servers, applications, policies, and procedures) complies with the PCI-DSS 3.0. As part of that overall effort, the merchant must verify that their network equipment (including Robustel devices) is properly configured and managed to ensure overall compliance with the PCI-DSS.
Robustel cannot control how an end user configures and manages a Robustel router. Similarly, Robustel does not have any control over the other devices, servers and applications that comprise an end-to-end card payment system. As such, PCI compliance can only be obtained by the merchant in the context of their entire system. The merchant is also responsible for obtaining certification of their end-to-end system from a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).
Robustel devices are utilized in several PCI-compliant systems. This section provides a summary of Robustel features and capabilities that have been used by other customers to help achieve PCI Compliance for their end-to-end systems.
Reference Implementation
The following reference implementation represents a reasonably complex topology that includes:
- Ethernet access for POS devices
- Ethernet and Wi-Fi access for employee computers and printers
- Ethernet and Wi-Fi access for other devices
- Wi-Fi access for customers.
Recommendations
Wi-Fi: This interface can be firewalled and segmented just like any Ethernet or PPP interface. WPA/WPA2/WEP security and MAC address filtering are also supported.
Cellular: The cellular PPP instance appears as a WAN interface and can be firewalled and segmented as needed. Interfaces can also be set to not allow management connections.
- Configure the router with suitable firmware
- Change the default passwords
- Lock down the router entry points
- Configure the firewall
- Use VLANs to place different devices on different network segments
- Put Wi-Fi on a segment that is separate from the POS devices
- Create secure WAN connectivity
- Configure communication with an external SysLog server
- Configure communication with an external Time server
- Monitor device usage with RCMS
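The firewall and VLAN steps in this list can be checked offline before a rule set is deployed. The following is an added example, not Robustel configuration syntax or code from this white paper: it audits an ordered, first-match rule list for any path that lets another segment open connections into the POS segment. The `Rule` model, the segment addresses and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the four segments of the reference implementation.
SEGMENTS = {
    "pos": "10.10.10.0/24",       # Ethernet POS devices
    "employee": "10.10.20.0/24",  # employee computers and printers
    "other": "10.10.30.0/24",     # other devices
    "guest": "10.10.40.0/24",     # customer Wi-Fi
}

@dataclass
class Rule:                      # hypothetical rule model, evaluated first-match
    action: str                  # "accept" or "drop"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int] = None   # None means any port

def leak(rules, src_seg, dst_seg, default="drop"):
    """Index of the first rule letting src_seg open connections to dst_seg,
    "default" if the default policy does, or None if the path is closed."""
    src = ipaddress.ip_network(SEGMENTS[src_seg])
    dst = ipaddress.ip_network(SEGMENTS[dst_seg])
    for idx, r in enumerate(rules):
        rs, rd = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action == "drop":
            # Only a drop covering both whole segments on every port closes the path.
            if r.port is None and src.subnet_of(rs) and dst.subnet_of(rd):
                return None
        elif rs.overlaps(src) and rd.overlaps(dst):
            return idx  # any accept touching both segments is reported
    return "default" if default == "accept" else None

def audit(rules, protected="pos", default="drop"):
    """Map each non-protected segment to the rule that exposes the protected one."""
    hits = {s: leak(rules, s, protected, default) for s in SEGMENTS if s != protected}
    return {s: h for s, h in hits.items() if h is not None}

WEAK = [  # constructed: guest Wi-Fi is blocked, but two other paths remain
    Rule("drop", "10.10.40.0/24", "10.10.10.0/24"),
    Rule("accept", "10.10.20.0/24", "10.10.10.0/24", 3389),
    Rule("accept", "10.10.0.0/16", "10.10.0.0/16"),
]
HARDENED = [  # constructed: no new connections into the POS segment
    Rule("drop", "0.0.0.0/0", "10.10.10.0/24"),
    Rule("accept", "10.10.20.0/24", "10.10.30.0/24"),
]
print(audit(WEAK), audit(HARDENED))
```

The check is deliberately conservative: a partial drop never counts as isolation, and any accept that overlaps both segments is flagged, so a broad "LAN to LAN" rule placed after a guest-only drop still shows up as a finding.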
Recommended Robustel Products for PCI DSS Applications
- R2010
- R2011
- R1510
- R1520
- R3000
- R3000-Lite
Partner with Robustel: Compliance Forward IoT
PCI compliance is about more than just technology — it’s about ensuring every layer of your payment system is secure. Robustel’s routers, combined with our expertise and proven deployments in retail, banking, and service environments, give you the confidence to protect cardholder data while keeping operations seamless. Partner with Robustel today to strengthen your PCI compliance strategy and safeguard every transaction.

