NCR Secure Pay FAQ Updated June 12, 2014

Transcription

1 NCR Secure Pay FAQ Updated June 12, 2014 Contents What is NCR Secure Pay?... 1 What is the value of NCR Secure Pay?... 2 Host-based Settlement... 2 Token Replacement... 2 Point-to-Point Encryption (P2PE)... 2 Getting Started with NCR Secure Pay... 3 NCR Counterpoint Gateway... 4 Why switch to NCR Secure Pay?... 4 How is NCR Secure Pay different from NCR Counterpoint Gateway?... 4 NCR Counterpoint Mobile... 5 NCR Retail Online... 6 P2PE Hardware FAQ... 6 Europay, MasterCard, Visa (EMV)... 8 Additional Questions... 9 Secure Pay Details... 9 Processors Card Settlement and Manual Card Entry Connectivity What is NCR Secure Pay? NCR Secure Pay allows you to process payments in a PCI-DSS compliant and secure manner. This hosted electronic payment gateway works with NCR Counterpoint and NCR Retail Online for credit cards, debit cards, and stored value cards (gift cards). NCR Secure Pay helps you minimize your risk for a credit card security breach by taking credit card storage out of your local system and moving it to our NCR Secure Pay host. Big box stores aren t the only ones affected by security breaches; retailers of all sizes need to be aware of how to protect their businesses. Credit Card data breaches are expensive - even a modest exposure of 50 customer credit card numbers can result in unplanned costs of $10,000 or more in penalties, fees, time expenditure, and, the most difficult to quantify: reputation. (Source for penalty data)

2 What is the value of NCR Secure Pay? NCR Secure Pay was built to provide a hosted payment processing platform offering the highest level of payment security. It is our next generation gateway product to NCR Counterpoint Gateway. In addition to supporting additional processors, NCR Secure Pay also provides additional security measures including Token Replacement and Point-to-Point Encryption (P2PE), which is available when NCR Secure Pay-encrypted hardware is used. Host-based Settlement NCR Secure Pay uses host-based settlement, which stores transaction information at NCR s host, rather than your NCR Counterpoint installation, until settlement. This provides flexibility allowing settlement to be easily automated from the host or initiated from any web browser by using the NCR Secure Pay merchant portal. Token Replacement NCR Secure Pay automatically utilizes token replacement, also known as tokenization, which allows NCR Counterpoint to store a token instead of an actual card number. The card number is stored at the NCR Secure Pay host in its encrypted database. This functionality is used to securely store a customer's card number for future purposes such as validated returns and card-on-file transactions. Point-to-Point Encryption (P2PE) Point-to-point encryption (P2PE) ensures sensitive credit and debit card data is protected from first card swipe, while in transit, all the way to the NCR Secure Pay host. State of the art encrypting devices encrypt cardholder information prior to performing an electronic payment transaction. These sophisticated devices use strong encryption and industry standard key management technologies to encrypt and transmit cardholder data securely over any network. NCR Secure Pay provides point-to-point encryption for credit and debit transactions when an encrypting MSR is used. The MSR hardware is injected with NCR Secure Pay encryption keys, so NCR Counterpoint never has the actual card information. Only the NCR Secure Pay host has the keys to decrypt the data before sending it to the processor. What are the benefits of P2PE? Credit card data is encrypted throughout its lifecycle in your environment, increasing security, and reducing the risk of a credit card data breach. What are the requirements for P2PE? You will need to use an NCR Secure Pay encrypting MSR to take advantage of P2PE. What are the implications of P2PE on PCI Compliance? The merchant should still assume that they need to complete self-assessment questionnaires regularly as a part of their PCI compliance efforts. However, use of P2PE and token replacement should result in decreased scope for PCI.

3 Getting Started with NCR Secure Pay How do I sign up for NCR Secure Pay? You can register online through the NCR Counterpoint User Portal: Do I need to buy new hardware to use NCR Secure Pay? No, you do not need new hardware to start realizing the benefits of tokenization and hosted settlements with NCR Secure Pay. However, if you would like to take advantage of P2PE offered with NCR Secure Pay, you will need to have NCR Secure Pay encrypted hardware. Find more details in the P2PE Hardware FAQ on page 6. What are the requirements for taking advantage of NCR Secure Pay? NCR Counterpoint: You must be using NCR Counterpoint version or higher to take advantage of NCR Secure Pay. In order to utilize the point-to-point encryption (P2PE) capabilities of NCR Secure Pay, you will also need to purchase NCR Secure Pay encrypting MSRs from NCR that have been injected with NCR Secure Pay encryption keys. NCR Retail Online (NRO): Credit card processing through NCR Retail Online will always be done using NCR Secure Pay. What is the pricing for NCR Secure Pay? The pricing for NCR Secure Pay is the same as it was for NCR Counterpoint Gateway: Description Standard NCR Merchant Solutions Activation Fee $150 $100 Transaction Fee Up to 4,000 / month Up to 7,000 / month More than 7,000 / month More than 15,000 / month Up to 2,000 / month, avg ticket under $40 $0.075 $0.07 $0.06 Request Quote Request Quote $0.05 $0.04 $0.04 Request Quote Request Quote Minimum Monthly Fee $20 $15 Minimum Inactive Fee $5 $5 What is the billing process for NCR Secure Pay? You will receive a monthly invoice for NCR Secure Pay. What is the URL for the NCR Secure Pay Merchant Portal?

4 NCR Counterpoint Gateway Why switch to NCR Secure Pay? For the same price, NCR Secure Pay offers a PCI compliant electronic payment processing solution with access to an expanded list of processors and added security features, including Tokenization and Pointto-Point Encryption (P2PE) that are not available with NCR Counterpoint Gateway. Pricing for NCR Secure Pay is not affected by whether NCR Secure Pay encrypting hardware is used. P2PE encrypting hardware for NCR Secure Pay cannot be purchased on the open market and must be purchased directly from your NCR Authorized Partner. Please note that you do not need new hardware to start realizing the benefits of tokenization and hosted settlements with NCR Secure Pay. However, if you would like to take advantage of P2PE offered with NCR Secure Pay, you will need to have NCR Secure Pay encrypted hardware. Find more details about P2PE Hardware on page 6. How is NCR Secure Pay different from NCR Counterpoint Gateway? Added Functionality:. NCR Secure Pay offers Point-to-Point Encryption (P2PE) with encrypting MSR hardware which ensures credit card data is encrypted throughout its lifecycle in a merchant s environment, increasing security. NCR Counterpoint Gateway does not. NCR Secure Pay offers token replacement to NCR Counterpoint in cases where encrypted credit card data would typically be retained. NCR Counterpoint Gateway does not. NCR Secure Pay offers an expanded list of Credit Card and Gift Card processors. See our full list of Processors on page 10. Other Differences: NCR Secure Pay offers host-based settlement (NCR Counterpoint Gateway uses terminal-based settlement) which adds to system security by removing all cardholder data from the NCR Counterpoint database and allows settlement to be easily automated from the host or initiated from any web browser by using the NCR Secure Pay merchant portal. NCR Secure Pay is hosted in NCR's Beltsville, Maryland data center, while NCR Counterpoint Gateway is hosted in NCR's (formerly Radiant's) Dallas Data Center. NCR Secure Pay uses a third-party processing engine, Monetra, from Mainstreet Software, while NCR Counterpoint Gateway was written internally. For customers with multiple locations, each location will have its own separate merchant with the processor. A separate NCR Secure Pay account is also required for each location. These accounts can be configured on the NCR Counterpoint User Portal ( Some transaction behaviors are different with NCR Secure Pay: o Sale transactions originating at an NCR Secure Pay store can be refunded at a different NCR Secure Pay store using a validated return but the refund will be applied to the store that originally created sale. This behavior is not consistent with NCR Counterpoint Gateway. o Orders created at an NCR Secure Pay store with a final payment card recorded can be released at a different NCR Secure Pay store but the final payment will be applied to the store that created the order. Again, this behavior is not consistent with NCR Counterpoint Gateway.

5 o Orders created at an NCR Secure Pay store with a final payment card recorded can accept deposits using the final payment card at a different NCR Secure Pay store, but the originating store will receive the deposit. o Note: Transactions originating at a NCR Counterpoint Gateway store can be completed at NCR Secure Pay stores since the stored credit card number can be used against NCR Secure Pay. The store receiving the charge in these transactions is the store completing the transaction. This behavior is consistent with NCR Counterpoint Gateway behavior today. NCR Counterpoint Gateway has support for dial back-up via CPDialup. With NCR Secure Pay to achieve dial back-up, you will need to use an ISP that supports dial back-up using a router. NCR Counterpoint Gateway supports check validation and EBT. NCR Secure Pay does not support either. NCR Counterpoint Gateway is integrated with Counterpoint V7 and NCR Counterpoint Online (CPO). NCR Secure Pay is not integrated with either. Are there any differences in speed between NCR Secure Pay and NCR Counterpoint Gateway? We have not benchmarked authorization speed yet, but we expect the processing time to be comparable as most of the time spent processing a transaction is with the processor, not NCR Counterpoint Gateway or NCR Secure Pay. What is the future of NCR Counterpoint Gateway? There is no plan to stop supporting NCR Counterpoint Gateway and force merchants to use NCR Secure Pay at this time. Merchants can keep using NCR Counterpoint Gateway, although new merchants will sign up for NCR Secure Pay by default, and NCR Retail Online merchants will be required to use NCR Secure Pay. NCR Counterpoint Gateway will be available at least through the end of 2015 to support Counterpoint V7, which will not interface to NCR Secure Pay. How do I move from NCR Counterpoint Gateway to NCR Secure Pay? First, you will need to ensure you are running version or above of NCR Counterpoint. To make the move you will initiate sign-ups for NCR Secure Pay on the NCR Counterpoint User Portal: The sign-up fee for NCR Secure Pay is waived for merchants who move from NCR Counterpoint Gateway to NCR Secure Pay. Please use the promo code in the you received or contact tracy.cain@ncr.com to get a promo code to waive the sign-up fees. While you do not need new hardware to start realizing the benefits of tokenization and hosted settlements with NCR Secure Pay, if you would like to take advantage of NCR Secure Pay's P2PE capabilities, you will need to have NCR Secure Pay encrypted hardware. NCR Counterpoint Mobile Will NCR Secure Pay work with CPMobile? Yes. However, point-to-point encrypting MSRs for IOS devices are not available for use with NCR Counterpoint Mobile yet. We do not yet have a projected date for their availability.

6 NCR Retail Online How does NCR Secure Pay work with NCR Retail Online? NCR Retail Online uses what is known as the direct post method to access NCR Secure Pay. This means that when a customer creates an order on an NCR Retail Online site, the payment card information will be sent directly into the NCR Secure Pay host, and not the NCR Retail Online platform/application. Credit card settlement then happens at the host manually or on a scheduled basis as configured on the NCR Secure Pay merchant portal. The interface between NCR Retail Online and NCR Secure Pay is an NCR-developed and owned "extension" of Magento Community Edition. To process credit cards on NCR Retail Online, you must use NCR Secure Pay. What is the benefit of using NCR Secure Pay with NCR Retail Online? With the "direct post" method of processing card information, the NCR Retail Online platform does not retain the credit card data and is out of scope for PCI purposes. Where do I settle my NCR Retail Online credit cards? You will login to the NCR Secure Pay merchant portal ( and initiate settlement manually or schedule settlement to happen at a pre-defined time every day. If I am using NCR Retail Online, does my NCR Counterpoint site have to use NCR Secure Pay as well? No. The implication of having this "split" environment is that there will be two settlements - one from NCR Secure Pay (for NCR Retail Online transactions) and one from NCR Counterpoint Gateway (for NCR Counterpoint transactions). This split settlement will be required until general release of NCR Secure Pay in 2014, and you will receive two invoices each month. Can I still use NCR Counterpoint Gateway with NCR Retail Online? No. NCR Retail Online is not integrated to NCR Counterpoint Gateway. I am a legacy Counterpoint Online customer. Can I use NCR Secure Pay? You can use NCR Secure Pay for NCR Counterpoint; however, you cannot use NCR Secure Pay for your Counterpoint Online site. We are not planning to integrate NCR Secure Pay with Counterpoint Online. If you use NCR Counterpoint Gateway for credit processing with Counterpoint Online and NCR Secure Pay for use with NCR Counterpoint, there will be two settlements, deposits, and monthly bills, one for each gateway. P2PE Hardware FAQ What hardware is available to take advantage of NCR Secure Pay's Point-to-Point Encryption capabilities? For pilot, only the MagTek Dynamag MagneSafe USB MSR is available, as of May 20, Our plans are as follows for NCR Secure Pay's General Release a. USB MSR: MagTek Dynamag MagneSafe USB MSR (Manufacturer model number ) b. Signature Capture, MSR, and PIN Debit: Ingenico isc250 c. POS Terminal HW: R7

7 How does the key injection process work for hardware that is injected with NCR Secure Pay encryption keys? Do I have to do anything to turn on encryption at the site? MSR Hardware must be injected with keys from the NCR Secure Pay hosts in order to do Point-to-Point Encryption with NCR Secure Pay. This ensures that data encrypted by the hardware can only be decrypted by NCR Secure Pay. The process is very similar to debit pin pad encryption, except rather than encrypting for a certain processor, we are encrypting for NCR Secure Pay. Encrypting MSR hardware must be purchased through your NCR Counterpoint Business Partner and will come with keys injected already. There is no onsite effort to turn on NCR Secure Pay P2PE encryption for equipment that is ordered from NCR with NCR Secure Pay encryption. Note: if you are using PIN debit, your hardware devices must also be injected with debit keys for your processor. Is hardware maintenance available for encrypted NCR Secure Pay hardware? Yes, the same hardware maintenance options that are available for non-encrypted hardware are available for encrypted NCR Secure Pay hardware. Which NCR POS terminals will have encrypting MSRs built-in for use with NCR Secure Pay? The R7, piloting in Q and generally available in Q4 2014, will definitely have an NCR Secure Pay built-in MSR option. The P1530 platform is currently being reviewed for feasibility of including an NCR Secure Pay built-in MSR. What is the timeline for the P1530 with NCR Secure Pay encrypting readers built-in? We are currently reviewing whether a P1530 solution with built-in NCR Secure Pay readers is feasible. Our new R7 POS will have the option of an NCR Secure Pay encrypting built-in MSR. If you hand-key a credit card number into an encrypting Ingenico device, will it be encrypted? Yes. The requirements provided to Ingenico for the isc250 encryption include encryption of manually keyed card numbers using NCR Secure Pay encryption. If you hand-key a credit card number into an encrypting Ingenico device or directly into NCR Counterpoint, will it be tokenized? When a cashier manually enters a credit card number on a ticket in a Secure Pay environment, tokenization will still occur. Even for manually-entered credit card numbers, the credit card transaction is stored in the NCR Secure Pay host database. After settlement, the data will be stored for one year in the Secure Pay host database, after which validated returns will no longer recognize the card number that was used in the original purchase. Does the encrypted card number go through the NCR Counterpoint server? When NCR Counterpoint uses NCR Secure Pay for credit processing, credit card information goes directly from the NCR Counterpoint workstation to the NCR Secure Pay host, and does not go through the NCR Counterpoint server. If I change processors do I need new hardware? Each PIN debit device is injected with separate keys for PIN encryption. NCR Secure Pay cannot decrypt PINs. If you change processors, and are using PIN debit, you will need to obtain new PIN pads or have your existing hardware re-injected with new PIN debit keys.

8 Can I have a mix of NCR Secure Pay encrypted hardware and non-ncr Secure Pay encrypted hardware? Yes. In a mixed scenario, NCR Secure Pay encrypting HW will offer Point-to-Point Encryption, and nonencrypting HW will use our standard NCR Counterpoint security measures. Since not all data entering the system is NCR Secure Pay encrypted, the site will not realize the full benefit of P2PE. Who issues the encryption key and holds the private decryption key? The NCR Secure Pay host issues the encryption key that is injected into the encrypting payment device, and the NCR Secure Pay host also retains the private key. That key is either injected by NCR or securely transmitted to an alternate HW vendor for injection into the device. NCR Secure Pay s Hardware Security Module (HSM), stores all key materials to perform cryptographic operations. Europay, MasterCard, Visa (EMV) What is EMV? EMV is a set of global standards for electronic payment cards utilizing an embedded processor on the physical payment card rather than a magnetic stripe on the back of a payment card, as is standard in the United States payment industry today. What are the benefits of EMV? Because of the smart card processor embedded in the payment card and the hardware required to read the card, creation and use of fraudulent cards is much less likely. Also, the consumer retains possession of cards at all times during a transaction, increasing security of the individual transaction. Am I required to support EMV? Processors were mandated to support EMV in April 2013 and merchants will be required to accept EMV in October 2015, or risk being financially liable in the event that a fraudulent card is used in the merchant s location. What is NCR s plan to support EMV? NCR Secure Pay development of EMV support is currently in progress. We expect to begin certifying processors with NCR Secure Pay in Q The Ingenico isc250 hardware platform already supports EMV with both signature and PIN from a manufacturer s standpoint and we will be adding support for these EMV capabilities in NCR Counterpoint. A device software update will be needed for any Ingenico isc250s in the field today in order to support EMV. EMV support through NCR Counterpoint using NCR Secure Pay and the Ingenico isc250 will be released in Is specific hardware required for EMV? Yes. EMV support will require using the Ingenico isc250. A device software update will be needed for any Ingenico isc250s in the field today in order to support EMV, but additional injection of keys in a secure facility is not required for EMV. How does supporting EMV impact PCI-DSS compliance? Currently, there is no overlap between PCI-DSS compliance and EMV. Support for EMV will required in 2015 and will help with liability in the event a fraudulent card is used.

9 Additional Questions Secure Pay Details What is the Monetra Processing Engine? NCR Secure Pay uses the Monetra processing engine (sometimes referred to as a 'gateway' or 'switch') to interface to credit, debit, and gift card processors. Monetra is a PA-DSS validated payment engine from Main Street Software, which will be hosted in a PCI compliant data center. Monetra does not have a web interface, so NCR has developed a browser-based Merchant Portal to allow merchants to configure their processing accounts. Merchants will also be able to schedule unattended settlement and have the results sent via . Where is NCR Secure Pay hosted? NCR Secure Pay is hosted in NCR's Beltsville, MD Data Center. The data center has the following Certifications/Standards/Compliance: d. SSAE 16 e. SOC 2 Type 2 f. PCI-DSS (Service Provider) on NCR Secure Pay platform g. ISO certified in Beltsville and at the Disaster Recovery site in Mason, Ohio h. FFIEC conducts an annual review of 4 weeks duration on behalf of financial institutions with a presence in the facility Is NCR Secure Pay PCI compliant? Yes Does using NCR Secure Pay make mea merchant PCI compliant? Use of NCR Secure Pay, even with NCR Secure Pay encrypting hardware and token replacement, does not automatically mean that a merchant isyou are PCI compliant, nor does it take a merchant's your site out of scope for PCI compliance, although its use is expected to reduce scope for PCI and make PCI compliance easier to obtain. PCI has developed requirements regarding End-to-End Encryption validation (also known as Point-to-Point Encryption), and we are working closely with our QSA, Coalfire, who sits on the PCI advisory board, to stay up-to-date on changes in this area and determine if the benefits of PCI P2PE validation outweigh the cost to the merchant of that certification. When using NCR Secure Pay, is credit card info (card #, exp date, etc.) stored in the NCR Counterpoint database? No cardholder data or sensitive authentication data is stored including card numbers and expiration dates. This is the primary benefit of tokenization.in addition to storing a token which will allow you to access transaction information for returns and other operations, you will have masked card information. NCR Secure Pay sends the first 6 and last 4 digits of the credit card as well as the expiration date and cardholder name which are useful in transaction lookups and reporting. Does NCR Secure Pay handle final payment processing on orders and layaways? Yes, final payment for orders and layaways will use tokenized credit card data. With P2PE, will I still have access to partial card number information for receipts and lookups? With P2PE MSRs, the MSR passes us both an encrypted credit card number, as well as masked credit card number for credit card look-ups, printing on receipts, etc.

10 Processors What types of payment transactions and processors are supported by NCR Secure Pay? Credit Card, PIN Debit Card, and Stored Value Card transactions (Gift Card transactions where Counterpoint Gift Cards are not used). Does NCR Secure Pay support every credit processor, gift card interface, and check processing host that is listed on the Monetra website ( NCR Secure Pay does not support all Monetra processors. We will first focus on delivering interface compatibility similar to NCR Counterpoint Gateway, along with new strategic processors. Support for additional processors will be added over time. Which processors are supported by NCR Secure Pay, with what capability, and when? Available at General Release July 31, 2014: Processor Name Credit PIN Debit Stored Value Cards Cards NCR Merchant Solutions (WorldPay/Lynk) First Data North (Cardnet) Chase Paymentech TSYS/Vital/VisaNet First Data South (Nabanco) Stored Value Systems (SVS) Elavon (Nova) * Mercury Payment Systems * Vantiv (Fifth Third Bank) * *Not supported with NCR Counterpoint Gateway. New for use with NCR Counterpoint! Future, Post-General Release Dates for Availability TBD: Processor Name Credit PIN Debit Stored Value Cards Cards First Data Omaha (ETC+) * Heartland Payment Systems * Elavon (Nova) * Mercury Payment Systems * Vantiv (Fifth Third Bank) * Global Payments * Givex * Chockstone Gift Valutec * *Not supported with NCR Counterpoint Gateway. New for use with NCR Counterpoint!

11

12 Card Settlement and Manual Card Entry How do I settle credit cards with NCR Secure Pay? Can I do automated settlements? You can log into the NCR Secure Pay merchant portal and initiate settlement manually or schedule settlement to happen at a pre-defined time of your choosing every day. What is the difference between host-based and terminal-based credit card settlement? The terms host-based and terminal-based refer to where the transactions are stored after authorization until they are settled. Terminal-based settlement requires the client application (NCR Counterpoint) to store transactions including card numbers and send all batch details to the host at time of settlement. Host-based settlement uses the same data but relies on the host to store the transactions. Settlement can occur purely on the host without the need for any additional data from NCR Counterpoint. This allows for settlement to be easily automated from the host or initiated from any web browser by using the NCR Secure Pay merchant portal. NCR Secure Pay can be considered a host-based system since it stores the transactions until settlement. Note that Monetra uses both terminal-based and host-based processor interfaces depending on the processor, but it is still a host-based system from NCR Counterpoint's perspective. Does host-based settlement completely remove authorizations from NCR Counterpoint? With host-based settlement, transaction data can be retained and later used for things like Validated Returns, but the actual credit card information is tokenized in those transactions. How does host-based settlement affect the card-on-file functionality in NCR Counterpoint for monthly billing? NCR Secure Pay supports tokenization which allows NCR Counterpoint to store a token instead of an actual card number while NCR Secure Pay stores card numbers in its encrypted database. This token allows for card-on-file transactions. What kind of settlement reporting does NCR Secure Pay have? Full reporting including transaction detail is available via the NCR Secure Pay merchant portal. What access do I have to credit card transaction information with NCR Secure Pay? You have online access, via the NCR Secure Pay merchant portal, to all credit card transaction information except full card numbers. Will manual entry of credit card numbers be possible in NCR Counterpoint using NCR Secure Pay? Yes. If you are using Ingenico isc250's for P2PE, you can maintain P2PE by having users enter credit card numbers manually on the Ingenico isc250. There is no provision for maintaining P2PE by entering credit card numbers manually into the NCR Counterpoint software. While NCR Counterpoint will not store the credit card numbers unencrypted if entered manually, the software will have knowledge of the credit card number before encrypting it. That said, if P2PE is not a concern, then manual entry in Counterpoint is still available functionality.

13 Connectivity Is there a dial-up option for NCR Secure Pay? (Related: If I am using NCR Secure Pay and lose access to it through a lost connection on my end or the host end, what alternatives do I have for taking payments?) Any high speed Internet connection can be used. Some routers offer automatic dial-up failover in case of a broadband connectivity failure. How reliable/available is NCR Secure Pay? Are there any availability or uptime guarantees? Our target is 99.99% or better application availability, which is less than an hour of unplanned inaccessibility per year. There are no availability or uptime guarantees. How will merchants, partners, and internal personnel be alerted to NCR Secure Pay availability issues/outages? Via , as is done with NCR Counterpoint Gateway today.