An important concept that we’d like to cover when using something like this Chromebook here, in a POS environment or in a corporate environment, is how do you implement your infosec requirements? How do you implement things like PCI compliance when you’re using something like this device here, this Verifone device? It requires you to potentially abide by the PCI-DSS regulations. Those kinds of concepts can become difficult to implement on certain types of hardware that maybe weren’t designed with that in mind.
I’ll say this Chromebook is not necessarily designed with that in mind, and that’s why some of the price points are higher around some of this POS equipment: somebody else has decided that they’ve figured this all out for you, and here’s your device; whereas, in reality, it’s a lot more complicated than that. It’s a lot more complicated than just buy a device and it’s compliant with everything. So, at least in our case here, I’ll kind of go through a few of the pros and cons of this device.
Specifically, a lot of the pros on this device are it’s very flexible. You can do what you want to do with it. You can load Linux as we’ve done here. You can customize that Linux, you can harden it, you can set it up to your infosec requirements. You can meet PCI requirements with things like full disk encryption on here to protect the data coming from this device. There’s so much you can do on this device.
Some of the cons on this device are things like the actual firmware on here. You have to jailbreak this hardware to get into the device, so in that instance, you have to identify that as a risk and mitigate that risk, and in essence, if you’re in the PCI world, mitigation of that risk comes with full disk encryption. You’re probably going to have to employ that because you can’t actually restrict the user from booting devices on this device unless you do a lot more work with the actual basic BIOS system itself.
So, coming from a PCI standpoint, you’re going to get asked a lot of questions. A lot of these questions are difficult to answer because they’re designed to test and challenge you. From our perspective, we’ve been working with PCI compliance for a very long time, over a decade now. This device specifically, with full disk encryption, with a lot of the other features and hardening that we’ve put into it, would meet a PCI requirement.
That’s where you can kind of step back and go, “Wow, I can look at something that’s maybe not $1,500.00, but could still be a POS device, and could still meet these requirements.” Of course, that requires an understanding of those regulations and how to properly employ them onto a device like this, and also which ones you are required to meet. So, there are certain DSS regulations that might not be applicable to you, so understand that so you’re not trying to break your back on a device like this to do something you don’t necessarily need to do.
That’s something that we here at South Seas Data like to try and understand, and have the knowledge on so that we can help our customers with that stuff.