Payment Terminal Security
  • 13 Jun 2025


Article summary

This article includes security information for Slate Payment Terminal, which can collect payments with both iPhone Tap to Pay and with dedicated hardware.

Compliance & information matrix

The following table lists the security features available for each type of payment collection in Slate:

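|                    | Tap-to-Pay on iPhone        | M2 Reader        | BBPOS WISE       | S700             |
|--------------------|-----------------------------|------------------|------------------|------------------|
| PCI Compliant      | Yes                         | Yes              | Yes              | Yes              |
| Encryption Type    | E2EE                        | E2EE             | P2PE             | P2PE             |
| Device in Scope    | No                          | No               | No               | No               |
| Capture Initiation | Slate Mobile App (iOS only) | Slate Mobile App | Browser          | Browser          |
| Method of Capture  | NFC                         | NFC, swipe, dip  | NFC, swipe, dip  | NFC, swipe, dip  |
| MO/TO Capture      | No                          | No               | Yes              | Yes              |
| Cost               | $0                          | $75 per reader   | $300 per reader  | $400 per reader  |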

Payment Terminal with dedicated hardware

When you use Payment Terminal with dedicated point-of-sale hardware, you benefit from

Both payment terminal devices connect to the internet and are P2PE (Point-to-Point Encryption) rated.

As soon as payment card data is entered, it is encrypted—before it even touches your network.

  • Raw cardholder data never traverses your network in an unencrypted form. Cardholder data is encrypted in a Hardware Security Module on the device before payment data is sent to Stripe and on to the card networks. No cardholder data is stored on the device and no sensitive cardholder data is transmitted to Technolutions / Slate.

  • Decryption happens off-network, preventing internal administrators or potential malicious actors from accessing unencrypted data.

  • Since the network never handles raw cardholder data, PCI DSS does not consider it part of the Cardholder Data Environment (CDE), reducing compliance burdens.

Because Slate is also internet-connected, the devices and Slate do not need to be on the same network.

Payment Terminal with Tap-to-Pay

When you collect a payment on an iPhone using Tap-to-Pay, the phone itself becomes the card reader, capturing the payment via near field communication (NFC).

This process occurs in the iPhone Secure Element (SE), an industry-standard, certified chip dedicated to storing sensitive information, such as payment credentials. The SE is isolated from the phone’s operating system.

The Tap to Pay process

From start to finish, the Tap to Pay process occurs as follows:

  1. Before any payment is initiated, an Apple server confirms the collecting device meets certain criteria, like model number, iOS version, and whether a passcode has been set.

  2. When you initiate a transaction using Tap to Pay, the SE chip takes over the NFC controller and reads the card. This card data is immediately encrypted and forwarded to Stripe.

  3. Stripe requests the decryption key from an Apple server. The Apple server only issues this decryption key after validating the data and confirming the transaction was initiated in the last 60 seconds.

  4. Finally, the Payment Service Provider (in this case, Stripe) is the only party with access to card data, and it accesses this data only from its secure back end, following additional verification from Apple.
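
The key-release gate in step 3, sketched as an added example (not code from Technolutions, Stripe, or Apple). The HMAC-based validation, the single-use key, and all class, field, and function names are assumptions made for illustration; only the 60-second window comes from this article.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_AGE_SECONDS = 60  # freshness window stated in step 3


class KeyReleaseService:
    """Toy key server for step 3 (assumed design, not Apple's or Stripe's)."""

    def __init__(self):
        self._mac_key = os.urandom(32)  # assumed: shared only with the reader
        self._keys = {}                 # txn id -> single-use decryption key

    def _tag(self, txn_id, ciphertext, initiated_at):
        # Fixed-width time and length-prefixed id keep the MAC input unambiguous.
        tid = txn_id.encode()
        msg = struct.pack(">QH", int(initiated_at), len(tid)) + tid + ciphertext
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def reader_seal(self, txn_id, ciphertext, initiated_at):
        """Reader side: bind the ciphertext to its initiation time."""
        self._keys[txn_id] = os.urandom(32)
        return {"txn_id": txn_id, "ciphertext": ciphertext,
                "initiated_at": initiated_at,
                "tag": self._tag(txn_id, ciphertext, initiated_at)}

    def release_key(self, blob, now=None):
        """Return (key, reason); key is None unless every check passes."""
        now = time.time() if now is None else now
        expected = self._tag(blob["txn_id"], blob["ciphertext"], blob["initiated_at"])
        if not hmac.compare_digest(expected, blob["tag"]):
            return None, "invalid"           # altered after the reader sealed it
        age = now - blob["initiated_at"]
        if age < 0 or age > MAX_AGE_SECONDS:
            return None, "stale"             # outside the 60-second window
        key = self._keys.pop(blob["txn_id"], None)
        if key is None:
            return None, "already-released"  # second request for the same key
        return key, "ok"


if __name__ == "__main__":
    svc = KeyReleaseService()
    blob = svc.reader_seal("txn-001", b"constructed-ciphertext", 1_000)  # constructed
    print(svc.release_key(blob, now=1_090)[1])  # too late
    print(svc.release_key(blob, now=1_030)[1])  # within window
    print(svc.release_key(blob, now=1_031)[1])  # replayed request
```

Because the initiation time is covered by the integrity tag, a captured payload cannot be made "fresh" again by editing its timestamp; the request is rejected as invalid before the age check runs.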

PCI scope

Neither the payment app on the iPhone, nor any iPhone applications, have access to card data or influence over the transaction. The payment app on the phone receives only a payment token, not actual card data.

For this reason, the user's phone is not considered to be within the scope of PCI.

