Nets White paper, Compliance and PSAM terminals, June 2019

Nets White paper Compliance and PSAM terminals version 1.2, June 2019

Nets Group Page 1

Introduction

Nets payment terminals, named PSAM, are in use throughout the Nordics. The PSAM terminal is also in use in other countries, such as Germany and the Baltics, through cross-border acquiring with the Nordic acquirers. PSAM terminal compliance is kept up to date, and Nets provides connectivity to all Nordic acquirers.

This white paper gives an insight into the compliance requirements and governance for payment terminals in the Nordics. The intent is to give merchants using PSAM terminals insight into the compliance issues handled by Nets on their behalf.

In addition to the compliance issues handled by Nets, merchants need to address PCI DSS compliance themselves, as these requirements are not limited to the terminal only. However, since the Nets host environment is PCI DSS compliant and our PSAM terminals are PA-DSS and PNC E2EE approved, this compliance task has been made as smooth as possible for the merchant.

In addition to information on terminal compliance, this document also gives background on why terminal software needs to be updated to maintain compliance.

The white paper contains the following parts:
1. The first part is about PCI requirements, where the focus is on protecting card data and PIN codes. The list of abbreviations below gives an overview of the topics addressed.
2. The second part addresses requirements set by Visa, MasterCard and the other card schemes. The focus is on how we address functional requirements related to how the cards are to be processed.
3. The third part gives input on new requirements that merchants have to address to protect card data and PIN codes.
4. The last part gives information about new EU regulations that affect terminals.

List of abbreviations
• PCI – Payment Card Industry. See: www.pcisecuritystandards.org/organization_info/index.php
• PCI DSS – PCI Data Security Standard (card data security)
• PCI PIN – PCI PIN Security Requirements (logical security)
• PCI PTS – PCI PIN Transaction Security (hardware security)
• PA-DSS – Payment Application Data Security Standard
• QSA – Qualified Security Assessor
• SAQ – Self-Assessment Questionnaire
• PNC – Pan-Nordic Card. See: http://pan-nordic.org/PanNordicCard/Home/Who-we-are.aspx
• PNC E2EE – PNC End-to-End Encryption
• 3DES – Triple DES Encryption
• CVM – Cardholder Verification Method

Part 1 – PCI requirements

PCI DSS

PCI DSS is a set of technical and operational requirements set to protect cardholder data.

Nets performs an annual certification of its secure handling of card data in the Nets environments. The audit is performed by an external QSA.

The up-to-date PCI DSS status of all agents is maintained and listed by Visa and MasterCard. You can find Nets listed as a PCI-compliant service provider at both:
www.visaeurope.com/receiving-payments/security/downloads-and-resources
www..us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html

PCI PIN

PCI PIN is a set of security requirements for online PINs and encryption keys.

Nets performs an annual review of the secure handling of online PINs and reports the result to Visa Europe. The requirements of this compliance are documented here: www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements_v2.pdf

PCI PTS

PCI PTS is a set of security requirements for terminal manufacturers focusing on hardware security, especially the protection of cardholders' PINs.

Most new terminals delivered by Nets are currently PCI PTS 3.x approved. These terminals can be installed until the end of April 2020. It is expected that Visa Europe will set the sunset date for them to the end of 2023.

Terminal models from Nets are in addition approved and registered as compliant for the Nordic acquirers by the PAN Nordic Card association:

List 6 : Terminals, encrypting PIN pads and encrypting card readers that have been validated to fulfil the Security Design requirements (Security Design)

Nets terminals are also approved by the domestic card schemes BankAxept in Norway and Dankort in Denmark.

PA-DSS

PA-DSS is a standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited sensitive data, such as card numbers.

Nets currently delivers PA-DSS version 3.0 approved software. This is approved for new installations until the end of October 2019. The PCI SSC has announced that PA-DSS and PCI DSS are mature standards and has stopped launching new major releases every third year. The latest version, 3.2, is instead valid for three additional years, and we will ensure that a coming release is approved according to that version during next year.

All the software approvals can be found by searching for T2/CDP as the application name at the following link: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
PSAM terminal software versions 2.x.x.x are validated to PA-DSS v3.1, while software version 3.x.x.x is in the process of being validated to PA-DSS v3.2. Older software versions that are no longer in active use are shown under "Acceptable only for Pre-Existing Deployments" on the same page.

The PA-DSS approval of the payment terminal enables our merchants to be PCI DSS compliant. The PA-DSS Implementation Guide available from Nets informs merchants what to do to enable PCI DSS compliance. The guide includes a list with an overview of versions and major PA-DSS changes. Below is an example of the list with the current changes.

SW version   PA-DSS Approval References   PA-DSS impact from previous SW version   PA-DSS High-impact Changes
2.3.x.x      13-08.00284.006.eaa          Low Impact change
2.2.x.x      13-08.00284.006.daa          Low Impact change
2.1.x.x      13-08.00284.006.baa          Annual Revalidation

The most recent PA-DSS approval is shown below. It includes an overview of the PCI PTS approved terminal types that it covers.

Memberships

Nets is a PCI Security Standards Council Participating Organization (PO). We are also a technical associate at www.EMVco.org. The acquirer role additionally ensures that we are up to date with card scheme requirements. All of these bring value into our solutions and ensure that we are up to date with coming requirements.

Part 2 – Card scheme requirements

PNC E2EE

Our PA-DSS approved software is additionally PAN Nordic E2EE approved, in order to further ease compliance for our merchants. The PNC E2EE compliance verifies that the terminals cannot expose card data and that card data sent to the Nets host is encrypted in such a way that decryption is not feasible.

The E2EE validation process is described here: www.pan-nordic.org/PanNordicCard/PCI-and-Security/Validation.aspx

Additionally, the E2EE approval includes verification of all the other compliance items described earlier in this document. An E2EE approved terminal is thus PCI PTS approved and communicates with a PCI DSS and PCI PIN approved host. The PNC E2EE certification process is supported by the Nordic acquirers and is regarded as "isolating terminals". With the E2EE approval, the Nordic acquirers consider that the SAQ-D questionnaire is not needed, even when the terminal is used in the merchant's network.

The Nordic acquirers normally expect SAQ-B or similar to be answered when the terminal is E2EE approved. SAQ-B is much shorter than SAQ-D. For large customers who need to use an external QSA, it is up to the QSA to decide which SAQ to answer.

For info about SAQs, see:
www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-C.pdf

Unattended Payment Terminals

PNC expects complete unattended machines to be verified and approved. The following link gives information about this process: http://pan-nordic.org/PanNordicCard/PCI-and-Security/Validation.aspx

The last validation step in this process, called "3 Use a secure exterior shield" under "Unattended payment Terminals (UPT)", has to be completed. BankAxept has specific requirements for the PIN shield on UPT terminals when the device is used in Norway.

Contactless

Both Visa and MasterCard have mandated contactless support for new merchants by the end of 2015. This date applies only to:
• New merchants
• Upgrade of terminals

The following are not in scope of this date:
• Replacement of a faulty terminal
• Change of acquirer
• Existing merchant opening a new store
• Change of the store owner

All deployed terminals are to be contactless by the end of 2019. We are happy to inform that all Nets PCI PTS 3.x devices are deployed with a contactless reader. This enables these devices to remain in use until the end of 2023, which is the expected sunset date.

The domestic schemes, BankAxept and Dankort, are in the process of adding contactless support, and both are supported by the PSAM terminals. We expect this to significantly increase the interest in contactless support in these markets. https://www.nets.eu/no/payments/butikkbetaling/tilleggstjenester/kontaktlos-betaling/

The terminals need separate contactless kernels for each scheme they support. We are in the process of implementing support for Expresspay (Amex), DPAS contactless (Diners) and QuickPass (China Union Pay). PSAM also supports Dankort Mobile with NFC, BLE (Bluetooth Low Energy) and QR codes.

Transaction Processors

The PSAM terminal application is approved by the card transaction processors, who execute approvals on behalf of the acquirers. These approvals include certification of chip and contactless transactions, where each card brand has its own certification process.

Contact transactions are handled by the PSAM chip. PSAM terminals use PSAM versions 9.00.03 and 9.10.02, which are valid until 26/07/2021 and 18/01/2022 respectively. The PSAM versions and expiry dates are listed here: https://www.emvco.com/approved-registered/approved-products/

The PSAM terminal contains separate contactless kernels for each card brand. The application currently uses Visa payWave 2.1.3, MasterCard PayPass 3.1.1, Discover DPAS 1.0, Amex Expresspay 3.1, Interac 1.5 and JCB JSpeedy 1.3. The Interac kernel is used for BankAxept contactless and JSpeedy is used for Dankort NFC/HCE. Updates to these contactless kernels are not scheduled and depend on the expiry of the individual kernels.

We have currently completed approvals of the following configurations:
• SIL – ECR integrated – payment application on terminal
• SUT – Standalone – payment application on terminal
• Split terminal – payment application on one terminal and PIN pad/display used on another terminal
• Hamag & Cryptera – unattended terminals

Part 3 – New requirements

Network, Terminal management and Software updates

The Nets host is available either via the internet using a secure connection or via a closed network. With a closed network, the merchant's network provider has a direct connection to the Nets host environment.

The terminals are managed through the Nets terminal management service, which defines, for example, the region the terminal belongs to and the acquirer in use.

Terminal management is also responsible for upgrading terminal software remotely over the network. Nets ensures that the software uploaded to the terminal has completed the required certifications.

Visa has mandated that offline approval is only allowed for contactless transactions from 18 October 2015. This implies a significant change, especially for the Finnish and Swedish markets, where the majority of transactions are with the Visa brand. Waivers allow offline approval on domestic cards in Finland and Sweden for an interim period.

Updates from the Merchant PCI DSS Compliance Requirements

This section gives updates on the merchant's responsibilities in obtaining PCI DSS certification.

PCI DSS 3.0, which became effective at the beginning of 2014, includes a new requirement 9.9 that is mandatory from July 2015 onwards. This requirement focuses on the following:
• Maintain a list of devices
• Periodic inspections
• Training to detect attempts at tampering or replacement

We regard the handshake mechanism we have implemented for our integrated terminals as a good basis for fulfilling this new requirement 9.9.

Periodic inspection

The ultimate responsibility for the protection of cardholder data within a merchant's equipment lies with the merchant. The intention is to ensure that merchants are better prepared for skimming attacks. We have recently experienced an attempted attack where a skimming device was attached to the chip card reader. For more info see here: https://www.nets.eu/no/payments/sikre-betalinger/terminal-skimming/

Steps to check Integrity of Devices

The PCI Small Merchant Guide to safe payment includes the following guideline:

Please note that a legitimate terminal may be swapped with a ghost terminal. Such a fake ghost terminal does not process any transactions; the sole purpose of a fake terminal is to collect card data and related PINs.
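As an added example (not from this white paper and not Nets' own tooling), the three points of requirement 9.9 can be backed by a small reconciliation of the device list against periodic inspection records. The inventory, the inspection records, the 30-day interval and the finding codes are constructed assumptions. The logic flags a serial number that is not on the list (the swapped or ghost terminal case described above), a listed device that has never been inspected or is overdue, a device found at a different till or with a different model than recorded, and an inspection that reported broken seals.

```python
"""Reconciliation of a merchant's POS device list against periodic
inspection records (added example; data and policy values are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta

INSPECTION_INTERVAL = timedelta(days=30)   # assumed merchant policy; the page sets no interval


@dataclass(frozen=True)
class Device:
    """One row of the device list that requirement 9.9 asks merchants to keep."""
    serial: str
    model: str
    location: str


@dataclass(frozen=True)
class Inspection:
    """One periodic inspection record, as filled in by staff at the till."""
    serial_seen: str    # serial read from the label or the terminal's info menu
    model_seen: str
    location: str
    seals_intact: bool  # tamper seals, cable screws and housing as expected
    when: date


def reconcile(inventory, inspections, today):
    """Return sorted (code, serial, detail) findings.

    UNKNOWN_DEVICE  serial not on the list: possible swapped or ghost terminal
    OVERDUE         listed device never inspected, or not inspected recently
    MOVED           found at a different location than recorded
    MODEL_MISMATCH  model differs from the list
    TAMPER_EVIDENCE inspector reported broken seals or an altered housing
    """
    findings = []
    by_serial = {d.serial: d for d in inventory}
    latest = {}                       # most recent inspection per listed serial
    for ins in inspections:
        if ins.serial_seen not in by_serial:
            findings.append(("UNKNOWN_DEVICE", ins.serial_seen, ins.location))
            continue
        prev = latest.get(ins.serial_seen)
        if prev is None or ins.when > prev.when:
            latest[ins.serial_seen] = ins
    for dev in inventory:
        ins = latest.get(dev.serial)
        if ins is None:
            findings.append(("OVERDUE", dev.serial, "never inspected"))
            continue
        if today - ins.when > INSPECTION_INTERVAL:
            findings.append(("OVERDUE", dev.serial, "last " + ins.when.isoformat()))
        if ins.location != dev.location:
            findings.append(("MOVED", dev.serial, f"{dev.location} -> {ins.location}"))
        if ins.model_seen != dev.model:
            findings.append(("MODEL_MISMATCH", dev.serial, f"{dev.model} vs {ins.model_seen}"))
        if not ins.seals_intact:
            findings.append(("TAMPER_EVIDENCE", dev.serial, ins.location))
    return sorted(findings)


# Constructed sample data: three listed terminals and three inspection records.
INVENTORY = [
    Device("T-0001", "iPP350", "Till 1"),
    Device("T-0002", "iPP350", "Till 2"),
    Device("T-0003", "iPP350", "Till 3"),
]
INSPECTIONS = [
    Inspection("T-0001", "iPP350", "Till 1", True, date(2019, 6, 26)),
    Inspection("T-9999", "iPP350", "Till 2", True, date(2019, 6, 26)),  # serial not on the list
    Inspection("T-0003", "iPP350", "Till 3", False, date(2019, 5, 10)),
]


def demo():
    """Run the reconciliation on the constructed data as of 27 June 2019."""
    return reconcile(INVENTORY, INSPECTIONS, date(2019, 6, 27))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Note that the unknown serial at Till 2 and the listed T-0002 never being inspected are reported as two separate findings; reading them together is what tells the merchant that the device at that till is not the one on the list.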

Our hardware supplier Ingenico includes the following advice in their user guide document delivered with the terminals:

iPP350 terminal:

The iPP350 terminal offers the option to attach the cable to the terminal with two screws. This protects against a rapid swap.

Nets is aware of the availability of terminal stands that include Kensington locks to prevent theft or swapping. We regard this as added security that merchants could decide to make use of to reduce their risk. Be aware that the 9.9 requirements still need to be met even when using Kensington locks. The UK Cards Association writes:

Criminals will seek to test the security controls in place to defend against attack. It is therefore of value for each merchant to implement the details of their own controls, as it makes it more feasible to keep them confidential.

The UK Cards Association has given the following advice:

Source: http://www.theukcardsassociation.org.uk/Terminals/terminal-security.asp

They also give the following advice:

Part 4 – EU regulations

https://www.nets.eu/no/payments/regler-og-vilkar/fritt-applikasjonsvalg/
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015R0751&from=EN

Introduction – MIF/IFR

A new EU regulation gives merchants the right to define which part of a combined payment card is to be prioritized when customers pay by card. Currently, payment terminals automatically prioritize the domestic card schemes, such as Dankort in Denmark.

The EU regulation gives the cardholder the final decision authority, which implies that the cardholder can override the merchant's card priority settings.

The EU regulation came into effect on 9 June 2016 in Denmark. It comes into effect on 1 November 2016 in Norway.

The PSAM application supports payment card prioritization.

For more information, please see:
www.nets.eu/terminaltjek
www.dankort.dk/Pages/Dankort-eller-Visa.aspx
Search for "artikel 8" in: www.eur-lex.europa.eu/legal-content/DA/TXT/PDF/?uri=CELEX:32015R0751&rid=1
www.regjeringen.no/no/aktuelt/forskrift-om-formidlingsgebyr-i-kortordninger/id2506302/

The solution – MIF/IFR

Below is a description of how we enable the cardholder to select the application on PSAM terminals. The basic principle of the solution is that the cardholder indicates that he wants to perform application selection. This is done by pressing the yellow CLEAR button on the terminal.

For our application, this means we need to provide the customer with the option of application selection in the case of a multi-application card. VisaDankort is the Danish domestic card with two applications: Visa and Dankort. In Denmark, by default, the domestic Dankort application is selected. To adhere to the MIF regulation, the customer should be given the possibility to choose between the Visa and Dankort applications.

The workaround implemented is to provide the merchant with a key press that enables application selection for such a card.

Part 5 – Guidance to merchants/integrators/resellers

Merchants should keep in mind that they should not leave the device unattended. There is a chance that a legitimate terminal may be swapped with a ghost terminal. Such a fake ghost terminal does not process any transactions; the sole purpose of a fake terminal is to collect card data and related PINs.

The procedure for sending terminals for maintenance is that the customer contacts the Nets repair department. The customer provides all needed information together with the terminal serial number and the reason for the repair.

For standalone terminals, the latest software version will be available on the terminal management system and the terminals will be updated automatically. For integrated terminals, there is a cooperation between integrators and Nets Sales support, where updates are provided for free for use in test and pilot. Nets IT-Verification needs to approve the entire setup of ECR and payment terminal. When the verification is approved, the solution can be delivered to end customers. Moreover, any relevant documentation and implementation guides can be requested from Nets Sales support, who will deliver these guidelines.

Part 6 – Information about Electronic Cash Register (ECR)

The ECR protocol is a command/response protocol developed by Nets. The protocol is full-duplex, supported via RS232 (baud rates from 9,600 to 115,200, using 8-N-1) and TCP/IP, and uses sequence numbering, CRC protection, ACK packets and up to three retransmissions at the link layer in order to provide reliable communication.

At the application layer, the packet type is identified by a specific command number, and the receiving device must generate a corresponding response. Sales support in Nets Denmark is responsible for updating the ECR software for merchants in cooperation with integrators.
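The link-layer mechanisms named above, modelled as an added example that is not Nets' code and not the ECR protocol's real framing: the frame layout (sequence byte, 16-bit command number, length, payload, CRC-16/CCITT), the ACK command number and the sample command number are assumptions, since the page only names the mechanisms. The model shows what each one buys: the CRC rejects corrupted frames, the sequence number lets the receiver ACK a retransmitted duplicate without executing the command twice, and the sender gives up after the initial send plus three retransmissions.

```python
"""Model of a command/response link layer with sequence numbers, CRC
protection, ACK packets and bounded retransmission (added example).
Frame layout, CRC polynomial and ACK command number are assumptions."""
import struct

MAX_RETRANSMISSIONS = 3   # page: up to three retransmissions at the link layer
ACK_CMD = 0x0006          # assumed command number for ACK packets


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), computed bit by bit."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(seq: int, cmd: int, payload: bytes = b"") -> bytes:
    # assumed layout: seq(1) | cmd(2, big-endian) | len(2) | payload | crc(2)
    body = struct.pack(">BHH", seq & 0xFF, cmd, len(payload)) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


class FrameError(ValueError):
    """Raised for frames that fail the CRC or length check."""


def parse_frame(frame: bytes):
    if len(frame) < 7:
        raise FrameError("frame too short")
    body, crc = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    if crc16_ccitt(body) != crc:
        raise FrameError("CRC mismatch")
    seq, cmd, length = struct.unpack(">BHH", body[:5])
    payload = body[5:]
    if len(payload) != length:
        raise FrameError("length field does not match payload")
    return seq, cmd, payload


class Receiver:
    """ACKs every valid frame, but executes a command only once even when the
    sender retransmits it because the ACK was lost."""

    def __init__(self):
        self.last_seq = None
        self.executed = []     # (cmd, payload) pairs actually acted upon

    def handle(self, frame: bytes):
        try:
            seq, cmd, payload = parse_frame(frame)
        except FrameError:
            return None        # corrupt frame: stay silent so the sender retransmits
        if seq != self.last_seq:
            self.executed.append((cmd, payload))
            self.last_seq = seq
        return build_frame(seq, ACK_CMD)


class Sender:
    """transport is a callable taking a frame and returning the peer's reply,
    or None when the reply was lost in transit."""

    def __init__(self, transport):
        self.transport = transport
        self.seq = 0
        self.attempts_log = []  # attempts used per send(), kept for inspection

    def send(self, cmd: int, payload: bytes = b"") -> bool:
        frame = build_frame(self.seq, cmd, payload)
        attempts = 0
        while True:
            attempts += 1
            reply = self.transport(frame)
            if reply is not None:
                try:
                    rseq, rcmd, _ = parse_frame(reply)
                    if rcmd == ACK_CMD and rseq == self.seq:
                        self.attempts_log.append(attempts)
                        self.seq = (self.seq + 1) & 0xFF
                        return True
                except FrameError:
                    pass           # a corrupt ACK counts as a lost ACK
            if attempts > MAX_RETRANSMISSIONS:
                self.attempts_log.append(attempts)
                return False       # initial send plus three retransmissions exhausted


def lossy_transport(receiver: Receiver, ack_lost):
    """Deliver frames to receiver; drop the reply where ack_lost[i] is True
    (constructed loss pattern indexed by delivery number)."""
    counter = {"i": 0}

    def deliver(frame):
        reply = receiver.handle(frame)
        i, counter["i"] = counter["i"], counter["i"] + 1
        return None if i < len(ack_lost) and ack_lost[i] else reply

    return deliver


def demo():
    """Two ACKs lost, third arrives: command executes once, three attempts used."""
    rx = Receiver()
    tx = Sender(lossy_transport(rx, [True, True, False]))
    ok = tx.send(0x0010, b"amount=100")   # 0x0010 is a made-up command number
    return ok, tx.attempts_log, rx.executed


if __name__ == "__main__":
    print(demo())
```

The application-layer response the page mentions is left out of the model; only the link-layer ACK is exchanged here, which is the part the retransmission logic depends on.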

Document Control

Document Information
Document Reference: Nets White paper, Compliance and PSAM terminals
Document Location: Undisclosed

Summary of Changes

Version Number   Version Date   Nature of Change                  Change Author    Date Approved
1.2              27.06.2019     Added document history table      Shamsher Singh
1.1              28.02.2019     Updated based on input from QSA   Shamsher Singh
1.0              17.10.2018     Final version                     Shamsher Singh
                                Added Part 5 & 6                  Mayur Mahadik
0.1              01.09.2018     First Draft                       Shamsher Singh
