Security-Centric Payments

Because we provide a direct conduit between your POS app and the payment processor, transactions are not re-routed through a third party, eliminating a potential breach point inherent in payment gateways. With options for encryption, tokenization and a full suite of US EMV apps in the pipeline, Datacap is the payments solution of choice for the security-conscious POS provider. Over a third of all US data breaches occur at the POS, so it's imperative that POS providers utilize security-centric payment solutions to protect consumer card data.

PA-DSS VALIDATED PRODUCT VERSIONS

NETEPAY™ - VERSION 5.06.10
TRAN™ PRODUCTS - APP VERSION 3.83

PA-DSS Validated Payment Applications (complete list)

Point-to-Point Encryption

Datacap offers both DirectP2PE™ and PCI-Validated Point-to-Point Encryption. P2PE significantly reduces the risk of payment card fraud by instantaneously encrypting confidential cardholder data at the moment a payment card is 'dipped' or swiped at the PIN pad (payment terminal) or point of interaction (POI).

DIRECTP2PE™

  • Data is encrypted at the point of interaction (POI) and decrypted outside of the Point of Sale environment (at the processor).
  • Utilizes proprietary encryption format specific to each processing platform.
  • No additional charge from Datacap for DirectP2PE™.
  • Available to Datacap POS partners without integration changes.
  • Non-validated P2PE due to unique format per processing platform.

PCI-VALIDATED P2PE

  • PCI-validated P2PE solution secures transactions by encrypting all data within a PCI-approved point of entry device, preventing clear-text cardholder data from being available.
  • Reduced PCI scope for the merchant (reducing SAQ questions by 90%).
  • Available to Datacap POS partners without integration changes.
  • Our PCI-validated P2PE solutions are available via our gateway partner, Monetary.


PCI-Validated P2PE FAQ:

What is PCI Validated P2PE?


As defined by the PCI Security Standards Council (PCI SSC), “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”

The PCI Point-to-Point Encryption (P2PE) Standard was introduced in 2012. Datacap partner, Bluefin, became the first company in North America to receive PCI validation for a P2PE solution in March 2014. Today there are nearly 50 PCI-validated P2PE solution providers worldwide.

(via Bluefin)

What's the difference between DirectP2PE and PCI-Validated P2PE?


DirectP2PE:


PCI-Validated P2PE:

What is chain of custody?


A well-documented device chain of custody process (covering shipping, deployment and management of devices, and the resulting reduction of PCI scope and the Cardholder Data Environment (CDE)) must be implemented to ensure that all Secure Cryptographic Devices (SCDs) are controlled from receipt through installation and use.

What does PCI-validated P2PE look like with Datacap?


1.) Point of Sale sends XML sale request or HTTP post to NETePay/GIFTePay.

2.) NETePay/GIFTePay communicate to EMV-enabled PIN Pad (encrypted with Bluefin’s P2PE key).

3.) Encrypted card data is passed from NETePay/GIFTePay directly to Monetary.

4.) Monetary takes encrypted data, sends to Bluefin’s Decryptx, who returns data to Monetary and then passes the data to the appropriate Processor.

5.) Response from the Processor is sent to Monetary.

6.) Approve, Decline, or Error response returned to Point of Sale and PIN Pad from NETePay/GIFTePay.

What does a PCI-validated P2PE solution have to include?


A PCI-validated P2PE solution must include all of the following:

1.) Secure encryption of payment card data at the POI (i.e., the payment terminal)

2.) P2PE-validated application(s) at the POI

3.) Secure management of encryption and decryption devices

4.) Management of the decryption environment and all decrypted account data

5.) Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration

(via Bluefin and PCI)

What are the benefits of a PCI-validated P2PE solution for merchants?


There are numerous tangible benefits merchants receive from using a solution that has been through the validation process.

PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).

Card Brand Programs

Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants to discontinue their annual assessment process to re-validate PCI DSS compliance.

Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.

Solution for Challenging Compliance Issues
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.

Foreign Networks
Because systems and networks between the encryption point and the decryption environment are no longer in scope due to the P2PE encryption, this unique advantage can address complex network responsibility challenges for some merchants.

(via Bluefin)

Out-of-Scope Interfaces

Datacap controls drive the card-entry device (PIN Pad, MSR, or NFC reader) directly, maintaining complete separation between your Point of Sale application and cardholder data. This means that you're no longer "payment aware" and therefore not subject to PA-DSS. No validation or PCI-DSS listing required for the POS provider.


Easy Transition to US EMV

Because Datacap drives the PIN Pad on behalf of the POS application, the bulk of the EMV development and certification rests on our shoulders. As one of the few integrated payments middleware providers that supports Canadian EMV implementation, Datacap is an experienced partner for the US EMV rollout.

Tokenization and Encryption

Growing support for Point-to-Point encryption (P2PE) and tokenization (both multi and single-use tokens) with a variety of payment processing partners and hardware OEMs makes Datacap an ideal partner for the security-conscious POS provider.

