DOCSLIB.ORG

Partner Solutions EMV and P2PE / Seamless Integration

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Partner Solutions EMV and P2PE / Seamless Integration Partner solutions EMV and P2PE / seamless integration DOCUMENT D’EXECUTION INGENICO_CMJN.ai INFORMATIONS GENERALESCOULEURS UTILISEES APPROBATION Client: INGENICO Date : 10 DEC 2013 C 67/M 54 C 0/M 100 Utilisation: Impression quadri. J 47/N 43 J 100/ N0 Ne pas utiliser pour application écran. overview Accelerate implementation The Ingenico Group Partner Enclosed in this booklet are the To accelerate implementation Program provides our top three architectures used of these technologies, preferred of EMV and P2PE with merchants and partners with a in the enterprise to implement partners who use these flexible, seamless integration EMV and point-to-point architectures with Ingenico experience across the entire encryption (P2PE) technology Smart Terminals are presented. Ingenico Group Ingenico Group product line. within the context of PCI DSS compliance. Partner Solutions 01 02 PARTNER SOLUTIONS / ARCHITECTURE architecture architecture Integratedfully integrated solution Softwaresoftware semi-integrated semi-integrated solution Secure payment switch POINT OF SALE MERCHANT and decryption process DATA CENTER POINT OF SALE DATA CENTER PROCESSOR may take place in a BACK OFFICE secure data center at the processor, merchant premise or in a third party location Secure payment switch and decryption process emv ready emv ready may take place in a 3 secure 3 secure data center at the secure processor, merchant payment switch ingenico smart point of sale 1 ingenico smart 2 point of sale servers 1 payment switch premise or in a third terminals terminals party location 4 5 2 SW decryption process 5 isolated software decryption process agent Customer presents payment (magnetic stripe, chip, NFC/contactless, etc.) at the point of sale 1 4 5 using the Ingenico Smart Terminal. Card data is encrypted before it leaves the terminal. Customer presents payment (magnetic stripe, chip, NFC/contactless, etc.) at the point of sale 1 using the Ingenico Smart Terminal. Card data is encrypted before it leaves the terminal. 2 Encrypted card data and the authorization request are sent through the point of sale system. PROCESSOR Card data is encrypted and the authorization request is passed through the point of sale 3 Secure payment switch decrypts the card data. 2 hardware, but isolated from the point of sale software application using a separate application or software agent dedicated to secure PCI payment 4 Card data is sent to the processor for authorization. 3 Secure payment switch decrypts the card data. Authorization response is sent back to the point of sale through the Card data is sent to the processor for authorization. 5 4 point of sale infrastructure. Authorization response is sent back to the point of sale through the point of sale hardware 5 to the isolated software agent. 03 04 PARTNER SOLUTIONS / ARCHITECTURE Which solution is best for me for card data protection and EMV?* architecture All three solutions protect card data and provide a path Hardwarehardware semi-integrated semi-integrated solution for EMV and PCI DSS approval. POINT OF SALE MERCHANT PROCESSOR FULLY INTEGRATED SOFTWARE SEMIINTEGRATED HARDWARE SEMIINTEGRATED BACK OFFICE Leverages the point of sale and Leverages the point of sale and Ingenico Group or our partners networking hardware networking hardware provide an application in the infrastructure already in place infrastructure already in place terminal that contains the payment ow logic. Ingenico Group provides drivers Ingenico Group provides drivers to support point-to-point to support point-to-point Signicant Scope Removal. The emv ready encryption and EMV. encryption and EMV. point of sale software is removed from PA-DSS scope and the point 4 5 1 ingenico smart point of sale 6 servers Most of the point of sale The software application is of sale hardware is removed from terminals infrastructure must be qualied reduced from PA-DSS scope. PCI-DSS scope. Networking for PCI approval. The hardware will be under components used to move 2 review for PCI-DSS. encrypted card data will be The point of sale infrastructure reviewed as part of PCI-DSS. 5 must potentially be upgraded in Merchants should review how order to support point to point private label and loyalty card Network equipment may need to encryption or EMV. holder prompts and data are be upgraded handled. Merchants should review how Customer presents payment (magnetic stripe, chip, NFC/contactless, etc.) at the point of sale 1 using the Ingenico Smart Terminal. Card data is encrypted before it leaves the terminal. 3 secure Can be implemented as a private label and loyalty card payment switch Software-as-a-Service (SaaS) holder prompts and data are Encrypted card data and the authorization request are sent on an alternative path to the 2 solution handled. secure payment switch. Secure payment switch and decryption process 3 Secure payment switch decrypts the card data. may take place in a Can be implemented as a secure data center at the Software-as-a-Service (SaaS) processor, merchant 4 Card data is sent to the processor for authorization. premise or in a third decryption process solution party location 5 Authorization response is sent back to the point of sale. *statements apply to most enterprise merchants, systems and solutions in the US market today 6 Merchant point of sale and back ofce do not have access to sensitive card data. DATA CENTER = Supported Features = Points to Consider 05 06 PARTNER SOLUTIONS / ACI CERTIFIED INGENICO GROUP PAYMENT SOLUTIONS / iPP320, iSC250, iSC480 and iWL250 Solution Overview / ACI Universal Payments (UP) Retailer Payments solution provides retailers with an omni-payments platform that supports consumer payments from all channels. Whether the retailer is processing high volume credit and debit card based payments from thousands of retail locations, or deploying a pre-paid solution via a mobile wallet, ACI’s solution provides a platform capable of supporting these needs and beyond. ACI offers tokenization, point-to-point encryption (P2PE) and network segmentation options coupled with Ingenico Group’s standards based support for industry leading encryption technologies plus real-time eCommerce card not present (CNP) fraud prevention and detection. Architecture Used / Software Semi-Integrated Value Add / With nearly 40 years developing payments software, ACI is uniquely positioned in the marketplace with its UP Retailer Payment solutions to: • Guarantee a consistent, unified payment experience in any retailer modality (in-store, mobile, online) - with on-premise or hosted Software-as-a-Service (SaaS) options • Offer flexible architecture to support rapid adoption of emerging payment channels • Protect brand integrity and customer loyalty through a complete set of security technologies designed to protect sensitive payment data against risk and fraud Learn More / • Minimize risk and maximize compliance with a complete set of EMV-enabled services Contact Info / Karen Jarnecic, Director 1 402-670-6007 [email protected] 07 08 PARTNER SOLUTIONS / AURUS CERTIFIED INGENICO GROUP PAYMENT SOLUTIONS / iCMP, iCT250, iPP350, iSC250, iSC480, iSMP and RP750X Solution Overview / The AurusPay solution is a robust payment platform designed to securely manage the payment process from the Ingenico Group PIN pad to most major payment processors. AurusPay is implemented as a cost effective Software-as-a-Service (SaaS) platform, managing PCI and other payment regulation compliance such as EMV. The platform also helps retailer’s prepare for future payment innovation while enhancing the overall shopper experience. Architecture Used / Semi-integrated Value Add / Aurus continues to march forward on its growth trajectory with the addition of new service and solution delivery capabilities on a periodic basis. Building an innovative, intelligent and integrated enterprise is the guiding principle that propels us to move forward. • Manages payment security and compliance - “POS out of PCI Scope” with point-to-point encryption (P2PE), tokenization, and Aurus’s patented process • Enables payment innovation – EMV, NFC/contactless and mobile payments • Provides easy implementation with point of sale (POS) • Offers flexibility to choosing the payment processor(s) required for your business • Offers features that enhance the shopper’s experience • Accelerates development of POS omni-channel features • Lowers the risks and on-going development costs related to payments Learn More / Contact Info / Robert Wesley, Chief Strategy Officer 1 781-588-1575 ext. 115 [email protected] 09 10 PARTNER SOLUTIONS / AXIA Q4 2015 CERTIFIED INGENICO GROUP PAYMENT SOLUTIONS / iCMP, iCT Series, iPP Series, iSC Series, iWL Series and iSMP Solution Overview / Payment Fusion’s next generation, cloud-based, semi-integrated platform makes it a breeze for software vendors to support Ingenico Group EMV terminals. Our modern RESTful API supports all operating systems (Windows, OS X, Tablet, Linux, etc.) without the need to install software on the point of sale (POS) or additional hardware on the network. Architecture Used / Software Semi-Integrated Value Add / Payment Fusion, a new enhancement to our EMV-Ready solution provides a robust software platform to ease EMV readiness while offering hardware cycle management. • Cloud-based payment platform uniquely designed to enable EMV and NFC/contactless payments without any software client or network appliance • Eliminate PCI PA-DSS scope from your application • One API integration provides access to all major processors and all Ingenico
Load more

Recommended publications
  • GSR Service Repair Guide
    paypoint Implementation Guide 4.77 Implementation Guide paypoint version 5.08.xx, 5.11.xx, 5.15.xx, 5.16.xx 1 Introduction This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Verifone Norway AS does not possess the authority to state that a merchant may be deemed “PCI Compliant” if information contained within this document is followed. Each merchant is responsible for creating a PCI-compliant environment. The purpose of this guide is to provide the information needed during installation and operation of the paypoint application in a manner that will support a merchant’s PCI DSS compliance efforts. 1.1 Audience The PA-DSS implementation guide must be read and understood by terminal operators including resellers, ECR integrators, support organizations and the merchant controlling the terminal. The guide should be used by assessors conducting onsite reviews and for merchants who must validate their compliance with the PCI DSS requirements. This implementation guide is reviewed annually and updated if needed due to changes in paypoint or the PCI requirements. Latest version is always made available on www.verifone.no and information about updates are sent in the release notes. 1.2 Payment Card Industry (PCI) Security Standard Council The PCI Security Standards Council is an open global forum, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. 1.3 PCI DSS Secure payment applications such as paypoint must be run in a secure environment.
    [Show full text]
  • PCI PIN Transaction Security (PTS) Point of Interaction (POI)
    Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements Version 4.0 June 2013 Document Changes Date Version Description February 2010 3.x RFC version April 2010 3.0 Public release October 2011 3.1 Clarifications and errata, updates for non-PIN POIs, encrypting card readers February 2013 4.x RFC version June 2013 4.0 Public release Payment Card Industry PTS POI Security Requirements v4.0 June 2013 Copyright 2013 PCI Security Standards Council LLC Page 1 Table of Contents Document Changes ................................................................................................................. 1 About This Document .............................................................................................................. 4 Purpose .................................................................................................................................. 4 Scope of the Document .......................................................................................................... 4 Main Differences from Previous Version ................................................................................. 5 PTS Approval Modules Selection ........................................................................................... 6 Foreword .................................................................................................................................. 7 Evaluation Domains ...............................................................................................................
    [Show full text]
  • View PIN Pad Security Best Practices
    PIN Pad Security Best Practices v2 PIN Pad Security Best Practices © Copyright, VeriFone, 2008 PIN Pad Security Best Practices v2 Introduction The payment industry and card associations adopted PED and PCI PED requirements because of concerns that sophisticated criminal organizations may have the resources to tamper with PED terminals to install a bug and collect private card data. In Pre PED devices, security features were left to each vendor to determine. The more recently adopted Visa PED and PCI PED requirements provide standardized security features that make tampering progressively more difficult. We are seeing an increase in criminal organizations targeting the less secure pre PED terminals by installing bugs to collect private credit card and debit information. In these cases, the criminal organizations are inserting a bug into an in-place device or obtaining the same terminal model that a retailer uses, installing a bug, and then substituting the tampered device for the retailer's terminals. They then either come back to retrieve these terminals to obtain the stolen information, or in some cases, the tampered terminals send the information to another computer via wireless communications. Due to repeated targeting of pre PED PIN pads and payment terminals, VeriFone has developed the following PIN Pad Security Best Practices. These best practices first enable a retailer to determine if any existing terminals have been tampered with, and second make tampering much more difficult by implementing a comprehensive set of security controls to prevent tampering and more quickly become aware if tampering has occurred. This document details the PIN Pad Security Best Practices from a sound security perspective to minimize fraud through education, routine inspection, vendor management, and prompt action.
    [Show full text]
  • A Guide to EMV Chip Technology November 2014
    EMVCo, LLC Version 2.0 A Guide to EMV Chip Technology November 2014 A Guide to EMV Chip Technology Version 2.0 November 2014 - 1 - Copyright © 2014 EMVCo, LLC. All rights reserved. EMVCo, LLC Version 2.0 A Guide to EMV Chip Technology November 2014 Table of Contents TABLE OF CONTENTS .................................................................................................................. 2 LIST OF FIGURES .......................................................................................................................... 3 1 INTRODUCTION ................................................................................................................ 4 1.1 Purpose .......................................................................................................................... 4 1.2 References ..................................................................................................................... 4 2 BACKGROUND ................................................................................................................. 5 2.1 What are the EMV Chip Specifications? ........................................................................ 5 2.2 Why EMV Chip Technology? ......................................................................................... 6 3 THE HISTORY OF THE EMV CHIP SPECIFICATIONS ................................................... 8 3.1 Timeline .......................................................................................................................... 8 3.1.1 The Need
    [Show full text]
  • PCI DSS V3.0 Compliance: a Closer Look at Requirement
    PCI DSS v3.0 compliance: A closer look at Requirement 9.9 – Payment Terminal Protection Copyright © Sysnet Global Solutions 2015. All rights reserved. PCI DSS v3.0: A closer look at Requirement 9.9 - Payment Terminal Protection Jason McWhirr CISSP, Information Security Consultant, Sysnet Global Solutions The reason for PCI DSS v3.0 Requirement 9.9 While EMV chip technology (chip & pin) and other technical measures have been effective at reducing card fraud in many countries across the world, criminals are increasingly resorting to physical attacks in order to steal cardholder data at the point of sale, or to devise new methods for data compromise. To address this risk, in 2009 the Payment Card Industry Security Standards Council (PCI SSC) issued their skimming prevention information supplements to help merchants protect themselves against cardholder data exposure caused by the use of skimming (tampering) and substitution techniques. However this was always best practice advice and was not enforced in the Payment Card Industry Data Security Standard (PCI DSS). However, the most recent PCI DSS, version 3.0, requirement 9.9 will now turn these best practices into enforceable requirements starting July 1st 2015. This is to ensure that merchants have controls and countermeasures in place to minimise their vulnerability to future attacks of this type. Does the new requirement affect you? Any merchant accepting face-to-face payments via a physical point of interaction (POI) device or terminal will need to adhere to the new PCI DSS regulations. These requirements state that all merchants must have controls in place to protect against direct physical tampering and substitution of their card-reading devices used in card-present transactions at the point of sale.
    [Show full text]
  • A Guide to Eliminating PA-DSS and Making EMV Easy
    FACT SHEET A Guide to Eliminating PA-DSS and Making EMV Easy Four major concerns of Value-Added Resellers (VARs), Independent Software Vendors (ISVs) and businesses that accept cards: The high cost of achieving and maintaining PCI, specifically PA-DSS; the risk and responsibility of handling card data; keeping up with card brand mandates and emerging payment technologies; and the high cost and complexity of developing and certifying EMV. Payments and PCI PA-DSS Scope Benefits of Getting Out of Scope DEFINITIONS Traditional POS system configuration: The VAR or ISV’s scope is eliminated if PIN pad sends the transaction to the all card acceptance and processing is Payment Card Industry Data POS system completed at the acceptance device Security Standard (PCI DSS) is a set of security procedures POS system sends the authorization There is no need for POS system to from the PCI Security Standards request to the acquirer and receives certify for PA-DSS validation Council for businesses that an authorization back from the acquirer PCI compliance and payment accept credit cards. It includes In this configuration, the POS system mandates are maintained by guidelines for user and business are in PA-DSS scope Heartland and our solution partners authentication, firewalls, and responsible for EMV certification Eliminating card data does not take antivirus, encryption, Out-of-Scope configuration: a business out of PCI scope but truncating account numbers, This takes the POS system out of the does eliminate their PA-DSS scope programming maintenance
    [Show full text]
  • Visa U.S. Merchant EMV Chip Acceptance Readiness Guide 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions
    Visa U.S. Merchant EMV Chip Acceptance Readiness Guide 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions Visa U.S. Merchant EMV Chip Acceptance Readiness Guide 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions Contents About this Guide ........................................................................................................................................................................... ii What It Is ..................................................................................................................................................................................... ii Who Should Use It .................................................................................................................................................................. ii How It Is Organized ................................................................................................................................................................ ii 1. Introduction ............................................................................................................................................................................... 1 As the Payment Industry Evolves, So Should You ...................................................................................................... 1 It Is a Small Chip with Big Benefits ................................................................................................................................... 1 Visa’s
    [Show full text]
  • EMV Card Acceptance Using Sensible Terminal Version 4.1X
    EMV Card Acceptance Using Sensible Terminal Version 4.1x Featuring DataCap System’s Out-Of-Scope PCI Compliant Credit Card Processing Solutions dsiPDCXTM and dsiEMVUSTM with End-To-End-Encryption using the Verifone VX-805 PIN PAD and DataCap System’s In-Store NETePay/GIFTePay Server Revised July 7, 2016 Sensible Terminal 4.1 Frequently Asked Questions Card Acceptance 1. What do the terms “E2EE”, “EMV”, “PCI”, “DSS” and “OOS” mean? E2EE stands for the “End to End Encryption” Sensible Terminal 4.1 uses when paired with the Verifone VX-805 PIN Pad. From the time the card is Swiped, Dipped or Tapped, card data is encrypted until it reaches the payment processor, reducing the possibility of data theft along the way. EMV stands for the “Europay, MasterCard, Visa” consortium standardizing the use of a smart card chip which creates a unique transaction authentication on every sale making it nearly impossible to clone a chipped card from stolen cardholder information. Sensible Terminal 4.1 meets the PCI “Payment Card Industry” DSS “Data Security Standard” for an OOS “Out of Scope” payment application. Out of scope payment applications to do not handle sensitive card data and instead communicate with a PCI compliant encrypted PIN Pad which handles card data exclusively. The sale type and amount is passed from Sensible Terminal 4.1 to the PIN Pad which interacts with the cardholder and his card then returns an approval or decline to the payment application. This significantly reduces a merchant’s possibility of a data breach where cardholder data is stolen if the POS computer is compromised by a hacker.
    [Show full text]
  • EMV Testing and Certification White Paper: Current Global Payment Network Requirements for the U.S
    EMV Testing and Certification White Paper: Current Global Payment Network Requirements for the U.S. Acquiring Community Version 3.0 Date: December 2016 U.S. Payments Forum ©2016 Page 1 About the U.S. Payments Forum The U.S. Payments Forum, formerly the EMV Migration Forum, is a cross-industry body focused on supporting the introduction and implementation of EMV chip and other new and emerging technologies that protect the security of, and enhance opportunities for payment transactions within the United States. The Forum is the only non-profit organization whose membership includes the entire payments ecosystem, ensuring that all stakeholders have the opportunity to coordinate, cooperate on, and have a voice in the future of the U.S. payments industry. Additional information can be found at http://www.uspaymentsforum.org. Legal Notice Notwithstanding anything to the contrary in this document, each payment network determines its own testing and certification requirements, and all such requirements are subject to change. Merchants, acquirers, processors and others implementing EMV chip technology in the U.S. are therefore strongly encouraged to consult with their respective payment networks regarding applicable requirements. While great effort has been made to ensure that the information in this document is accurate and current as of the publication date, this information should not be relied on for any legal purpose, whether statutory, regulatory, contractual or otherwise, and all warranties of any kind, whether express or implied, are disclaimed, including all warranties relating to or arising in connection with the use of or reliance on the information set forth herein, and all warranties as to the accuracy, completeness or adequacy of such information.
    [Show full text]
  • EMF Implementing EMV at The
    Implementing EMV®at the ATM: Requirements and Recommendations for the U.S. ATM Community Version 1.0 Date: August 2014 Implementing EMV at the ATM: Requirements and Recommendations for the U.S. ATM Community About the EMV Migration Forum The EMV Migration Forum is a cross-industry body focused on supporting the EMV implementation steps required for global and regional payment networks, issuers, processors, merchants, and consumers to help ensure a successful introduction of more secure EMV chip technology in the United States. The focus of the Forum is to address topics that require some level of industry cooperation and/or coordination to migrate successfully to EMV technology in the United States. For more information on the EMV Migration Forum, please visit http://www.emv- connection.com/emv-migration-forum/. EMV is a trademark owned by EMVCo LLC. Copyright ©2014 EMV Migration Forum and Smart Card Alliance. All rights reserved. The EMV Migration Forum has used best efforts to ensure, but cannot guarantee, that the information described in this document is accurate as of the publication date. The EMV Migration Forum disclaims all warranties as to the accuracy, completeness or adequacy of information in this document. Comments or recommendations for edits or additions to this document should be submitted to: ATM- [email protected]. __________________________________________________________________________________ Page 2 Implementing EMV at the ATM: Requirements and Recommendations for the U.S. ATM Community TABLE OF CONTENTS
    [Show full text]
  • Moneris Merchant Resource Center User Manual 46
    Moneris® Merchant Resource Center User Manual (08/2019) Need help? Web: moneris.com/support Email: [email protected] Toll-free: 1-866-319-7450 Record your Moneris merchant ID here: ____________________________________ . Contents Activating Your Merchant Resource Center Store .......................................................... 6 Introduction .................................................................................................................................................... 7 Before you get started ................................................................................................................................. 7 Activating your Merchant Resource Center store ......................................................................................... 8 Ready to use the Merchant Resource Center? .............................................................................................. 9 Setting up Your PIN Pad .................................................................................................10 Moneris iPP320 PIN Pad ................................................................................................................................ 11 Before you get started ............................................................................................................................... 12 Hardware setup: iPP320 PIN Pad using USB cable connection .................................................................... 15 Hardware setup: iPP320 PIN Pad using serial cable connection
    [Show full text]
  • Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants DECEMBER 2018 Important Information on Confidentiality and Copyright © 2018 Visa
    Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants DECEMBER 2018 Important Information on Confidentiality and Copyright © 2018 Visa. All Rights Reserved. Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole or in part, to merchants, cardholders or any other person without prior written permission from Visa. The trademarks, logos, trade names and service marks, whether registered or unregistered (collectively the “Trademarks”) are Trademarks owned by Visa. All other trademarks not attributed to Visa are the property of their respective owners. Note: This document is a supplement of the Visa Core Rules and Visa Product and Service Rules. In the event of any conflict between any content in this document, any document referenced herein, any exhibit to this document, or any communications concerning this document, and any content in the Visa Core Rules and Visa Product and Service Rules, the Visa Core Rules and Visa Product and Service Rules shall govern and control. PG 1 PG Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants © 2018 Visa. All Rights Reserved. b Contents About This Guide . 1 Background ..................................................................................................... 1 Visa Card Benefits ............................................................................................... 1 Who
    [Show full text]