Advantages of cross-platform tokens
Cross-platform payment tokens protect payment data by replacing it with random characters, make PCI compliance easier, and make payment experiences easier, faster and more convenient.
Datacap offers both DirectE2EE™ and PCI-Validated Point-to-Point Encryption. P2PE significantly reduces the risk of payment card fraud by instantaneously encrypting confidential cardholder data at the moment a payment card is ‘dipped’ or swiped at the PIN pad (payment terminal) or point of interaction (POI).
As defined by the PCI Security Standards Council (PCI SSC), “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”
The PCI Point-to-Point Encryption (P2PE) Standard was introduced in 2012. Datacap partner, Bluefin, became the first company in North America to receive PCI validation for a P2PE solution in March 2014. Today there are nearly 50 PCI-validated P2PE solution providers worldwide.
(via Bluefin)
DirectE2EE and PCI-Validated P2PE are both secure in nature because both encrypt credit card data at the POI and decrypt it outside the Point of Sale environment. See the data flow diagrams below to understand the differences between DirectE2EE and PCI-Validated P2PE.
DirectE2EE:
1. Point of Sale sends XML sale request or HTTPS post to Datacap’s NETePay/GIFTePay.
2. NETePay/GIFTePay communicates with the EMV-enabled PIN Pad.
3. Encrypted card data (using processor-proprietary encryption method) is passed from NETePay/GIFTePay directly to credit card processor.
4. Response from the Processor is sent to NETePay/GIFTePay.
5. Approve, Decline, or Error response returned to Point of Sale and PIN Pad from NETePay/GIFTePay.
PCI-Validated P2PE:
1. Point of Sale sends XML sale request or HTTPS post to Datacap’s NETePay/GIFTePay.
2. NETePay/GIFTePay communicates with the EMV-enabled PIN Pad (card data encrypted with Bluefin’s P2PE key).
3. Encrypted card data is passed from NETePay/GIFTePay directly to NETePay Hosted.
4. NETePay Hosted takes the encrypted data and sends it to Bluefin’s Decryptx, which returns the decrypted data to NETePay Hosted, which then passes the data to the appropriate Processor.
5. Response from the Processor is sent to NETePay Hosted.
6. Approve, Decline, or Error response returned to Point of Sale and PIN Pad from NETePay/GIFTePay.
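To make the scope difference between the two flows concrete, here is an added model (not Datacap or Bluefin code) that walks the card data along each component chain from the diagrams above and reports which components ever handle the clear PAN. The cipher is a constructed toy standing in for the terminal's real encryption, and the key, PAN and component names are assumptions taken from the page's step lists.

```python
import hashlib
import hmac
import secrets

IV_LEN = 16


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Constructed toy cipher (random IV + HMAC-SHA256 keystream XOR); it stands in
    # for the PIN pad's real P2PE or processor-proprietary encryption. Not for real use.
    iv = secrets.token_bytes(IV_LEN)
    keystream = hmac.new(key, iv, hashlib.sha256).digest()
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    keystream = hmac.new(key, iv, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def run_flow(pan: str, hops: list, decrypt_at: str, key: bytes) -> list:
    """Pass the card data along `hops` (names from the page's diagrams).
    The PIN Pad encrypts at the POI; `decrypt_at` is the only hop holding the key.
    Returns [(hop, bytes that hop handled), ...] in order."""
    trace = []
    payload = pan.encode()
    for hop in hops:
        if hop == "PIN Pad":
            trace.append((hop, payload))        # sees the PAN as the card is dipped/swiped
            payload = toy_encrypt(key, payload)
            continue
        if hop == decrypt_at:
            payload = toy_decrypt(key, payload)
        trace.append((hop, payload))
    return trace


def in_scope(trace: list, pan: str) -> list:
    """Components that ever handled the clear PAN, i.e. what remains in the CDE."""
    return sorted({hop for hop, data in trace if pan.encode() in data})


# DirectE2EE step 3: ciphertext goes straight to the processor, which decrypts.
DIRECT_E2EE = ["PIN Pad", "NETePay/GIFTePay", "Processor"]
# PCI-validated P2PE steps 3-4: NETePay Hosted hands ciphertext to Decryptx,
# receives clear data back, then forwards it to the processor.
VALIDATED_P2PE = ["PIN Pad", "NETePay/GIFTePay", "NETePay Hosted",
                  "Decryptx", "NETePay Hosted", "Processor"]

if __name__ == "__main__":
    key, pan = secrets.token_bytes(32), "4111111111111111"   # constructed sample values
    for name, hops, dec in [("DirectE2EE", DIRECT_E2EE, "Processor"),
                            ("PCI-Validated P2PE", VALIDATED_P2PE, "Decryptx")]:
        print(name, "handles clear PAN at:", in_scope(run_flow(pan, hops, dec, key), pan))
```

In both flows the merchant-side NETePay/GIFTePay only ever forwards ciphertext, which is the basis for the scope reduction discussed below; in the validated flow the clear PAN reappears only inside the decryption environment (Decryptx and NETePay Hosted) before reaching the processor.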
A well-documented device chain of custody process (covering shipping, deployment and management of devices) must be implemented to ensure that all Secure Cryptographic Devices (SCDs) are controlled from receipt through installation and use; this control is what supports the resulting reduction of PCI scope and of the Cardholder Data Environment (CDE).
A PCI-validated P2PE solution must include all of the following:
1.) Secure encryption of payment card data at the POI (i.e., the payment terminal)
2.) P2PE-validated application(s) at the POI
3.) Secure management of encryption and decryption devices
4.) Management of the decryption environment and all decrypted account data
5.) Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration
There are numerous tangible benefits merchants receive from using a solution that has been through the validation process.
PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).
Card Brand Programs
Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants to discontinue their annual assessment process to re-validate PCI DSS compliance.
Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
Solution for Challenging Compliance Issues
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.
Foreign Networks
Because the systems and networks between the encryption point and the decryption environment are no longer in scope once P2PE encryption is in place, this unique advantage can address complex network responsibility challenges for some merchants.
(via Bluefin)
The devices below can be used with Datacap’s PCI-Validated P2PE solutions. PIN Pads used with PCI-Validated P2PE solutions require specific encryption keys from distribution. Contact Datacap for more information.
P2PE solutions must leverage optimal encryption methods, have a chain of custody that shows their authenticity, comply with PCI DSS, and be used within a secure payment environment.
ISVs and VARs need to take POS data security into account as they provide each component of their clients’ total solutions.
Datacap supports regulatory best practices in ADA and EMV with support of the Kiosk Industry Group and the Kiosk Association (KMA). The KMA works directly with the U.S. Access Board and is a participating organization with PCI SSC.