White Paper Solutions For Hospitality

Transcription

1 White Paper Solutions For Hospitality

2 Foreword Addressing the complexity of a hospitality ecosystem as varied as the front desk to the parking garage, to the restaurant, the website, and the call center, requires IT and finance managers to implement technologies that are more secure, fully integrated across the enterprise and easier to manage. With payment solutions for lodging, retail, restaurant and e-commerce, as well as broad integrations across point of sale providers and payment processors, FreedomPay is uniquely positioned to help hospitality merchants solve for complex payment environments and consolidate technologies within the same footprint is an inflection point for payments, with the U.S. set to adopt the EMV (chip-and-pin, chipand-signature) standard that is prevalent around the world. However, EMV chip technology does not protect against malware attacks at the point of sale, nor does it prevent card-notpresent attacks. It is the combination of EMV and security solutions like Validated PCI P2PE and tokenization that can truly secure payment data and mitigate the risk of fraud and compromise. The Validated P2PE standard created by the PCI Security Council dictates that the payment data is encrypted at the point-of-interaction and decrypted entirely outside of the merchant s environment. This ensures that no sensitive cardholder data passes through the merchant s POS in an unencrypted state. The challenge of maintaining security and PCI DSS compliance is intensified because in many cases, disparate groups around the organization are managing multiple service providers and technologies. This can lead to payment solutions that are implemented in silos, and a maze of providers and compliance requirements. FreedomPay is helping hospitality merchants consolidate transaction connectivity among a variety of physical and digital systems, offering a single source for payments and security across the enterprise FreedomPay, Inc. 1

3 Advanced Commerce Platform Secure Switching with PCI Scope Reduction FreedomPay s PCI Validated P2PE solution provides gateway connections to multiple payment processors, as well as EMV and NFC support, and card data tokenization. When combined with online commerce solutions and a virtual terminal that connects to secure payment hardware, the FreedomPay Commerce PlatformTM can solve for the challenges of accepting payments through many points of customer interaction. As a Validated P2PE solution, FreedomPay fully encrypts sensitive cardholder data before it enters the merchant s point of sale or network infrastructure, and is approved to remove those systems from the scope of PCI DSS compliance. In order to gain the benefits of scope reduction across the enterprise, hospitality organizations must prevent clear text cardholder data from entering through any access point, including the property management system, the restaurant point of sale, the gift shop, or the websites used for reservations and ticketing. Solutions that can deliver the PCI P2PE security standard around all payment scenarios can help the merchant reduce the time, cost and complexity of maintaining PCI compliance. POS Integration FreedomPay offers merchants choice and flexibility when it comes to the point of sale and property management technologies they use throughout the enterprise. FreedomPay has integrated P2PE solutions with leading POS and PMS platforms including MICROS, Agilysys, Revel Systems and Digital Dining, among others, with the ability to add new integrations quickly and easily through an API library. As a fully integrated solution, FreedomPay can leverage functionality of the POS, offering merchants SKU-level purchase data interchange rates and customer interactivity powered by their existing infrastructure. Table service restaurants are facing a new challenge for pay at table with the adoption of EMV in the United States. Customers will need to be presented with an EMV-ready payment device in addition to their check, which is driving the deployment of new technologies that are not necessarily integrated with the point of sale, or even the organization s payment gateway infrastructure. FreedomPay is able to offer restaurants an integrated solution that captures the transaction through a mobile device connected to the broader POS system FreedomPay, Inc.

4 Web-Based Commerce Reduce PCI Scope Across Campus Online merchant portals, or virtual terminals, are commonly utilized for customer service call centers and other retail scenarios where a PC acts as a point of sale system. FreedomPay provides a toolkit that allows merchants and technology providers to integrate with the secure Commerce Platform, enabling the use of a USB-powered PIN Pad device, and/or EMV and NFCready device that can process card-present and card-not-present transactions securely through a web portal. Payment data can also enter the merchant s network environment through e-commerce websites and online reservation systems, keeping online infrastructure in scope for PCI compliance and risking exposure to fraud and theft. Solutions to remove card data from the environment include a Hosted Payment Page, which re-directs the customer during checkout to a secure transaction facility, and a Payment Information Proxy, which tokenizes card data that arrives through online booking systems, successfully averting sensitive PCI data from the merchant s infrastructure. Value Added Services Real-time data and connectivity with third party platforms can drive new revenue sources and deepen customer engagement. Loyalty programs and offers powered through the FreedomPay Commerce Platform TM can drive incremental business and up-sells, and can create a deeper level of customer interaction and customer insight. With real time commerce data APIs, FreedomPay is able to provide SKU-level transaction data that can help organizations deliver the right incentives to customers based on their profile and purchase history. For organizations catering to international travellers, Dynamic Currency Conversion (DCC) can create significant cost savings for the merchant and the customer by enabling non-us card holders to pay in their native currency. This provides more favorable exchange rates and cost reductions to the merchant. Fraud Protection for credit card transactions based on behavior patterns and spending activity can save merchants from exposure to risk of fraudulent spending on their property. FreedomPay is integrated with platforms that investigate customer purchases in real time to combat the risk of losses due to fraud FreedomPay, Inc. 3

5 Advanced Commerce Platform The Difference PCI Validation Makes In 2012 and 2013, the PCI Security Standards Council released the PCI P2PE Standard: a set of controls that aimed to provide some clarity and definition around point-to-point encryption. The PCI P2PE standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data. As stated on the PCI Security Standards Council s listing of Validated P2PE Solutions, When correctly implemented, these P2PE solutions may simplify merchants PCI compliance programs by eliminating clear-text cardholder data from their environment and reducing the scope of PCI DSS requirements. There are three core principles underlying PCI-Validated solutions: Hardware to hardware encryption and decryption with a POI (point-of-interaction) device that has SRED (Secure Reading and Exchange of Data) listed as a function and is enabled. Certified to have a validated secure distribution channel. This means that the entire chain of custody of the POI devices follow strict controls regarding shipping, receiving, tamperevident packaging and installation. P2PE Instruction Manual (PIM) that guides the merchant on POI device use, storage, return for repairs and regular PCI reporting. To earn validation, P2PE solution providers have the responsibility for ensuring that their P2PE solutions satisfy all requirements of the P2PE standard. As a requirement for the P2PE solution assessment, the P2PE solution provider must provide the P2PE assessor with all required documentation, software, access to facilities and access to third-party service providers used in connection with the P2PE solution. The PCI P2PE standard encompasses close to a thousand individual controls governing encryption and decryption methodologies, software applications, device management and operations related to distribution and cryptographic key injection facilities. FreedomPay s P2PE solution, which earned PCI validation in August 2014, offers merchants this unparalleled payments security and functionality FreedomPay, Inc.

6 P2PE Payment Terminals Core to the PCI-Validated P2PE solution is the Secure Reading and Exchange of Data (SRED) module, designed to encrypt data at the Point-of-Interaction. The SRED module applies the security and cryptographic protection of PIN data to the reading of card data presented by magnetic stripe, EMV, contactless/nfc, and manual entry. In order for P2PE to be in the SRED module, the encryption key management and encryption of the cardholder data must be done in the device s security processor. This and other P2PE program aspects must be in firmware, as opposed to being in the application. The firmware is reviewed and certified as meeting the SRED requirements by a PCI approved laboratory. FreedomPay s P2PE solution utilizes SRED-enabled payment terminals from Ingenico Group that offer choice and flexibility to solve for a variety of use cases. All of the devices that FreedomPay provides support traditional magnetic stripe payments, and also alternative and emerging payment methodologies such as EMV and NFC. Validated P2PE Devices Devices supported by the FreedomPay PCI Validated P2PE Solution Include: Ingenico ipp320 Ingenico ipp350 Ingenico isc250 Ingenico isc480 Ingenico icmp Companion Ingenico ismp Ingenico iwl252 Ingenico iwl255 Ingenico iuc180b Ingenico iup250 ID Tech SREDKey ID Tech SecuRED ipp350 iwl Series icmp isc FreedomPay, Inc. 5

7 Advanced Commerce Platform PCI Compliance It is incumbent on merchants to work with their QSA on vetting fact from fiction. There are any number of providers making claims that simply cannot hold up to the unambiguous facts as stated by the PCI Council. Only PCI Validated P2PE solutions have been thoroughly audited and evaluated, and can deliver the merchant benefits of security assurance and true scope reduction. Any P2PE solution that does not adhere to the stated PCI requirements and has not been listed by the PCI Security Council as validated P2PE will not take the merchant s POS and supporting network infrastructure out of scope of compliance. Coalfire, a leader in the PCI compliance industry with signficant experience in hospitality, often finds that organizations have complex governance, multiple payment mechanisms, and the need to constantly adapt to the needs of their diverse communities. This results in significant effort during assessments ensuring that all payment channels are identified, even before assessing PCI DSS compliance of each channel. This situation also results in the risk that a department may create a new payment channel without being aware of the need for PCI compliance. These unintentionally non-compliant channels are a risk to the organization. Adopting a uniform, adaptable P2PE solution, like FreedomPay, enables institutions to continue to use installed Point-of-Sale (POS) systems and implement new POS systems with the security assurances of P2PE and without the need for applying all PCI DSS controls to any of the POS systems or networks. Uniform use of a PCI P2PE solution, like FreedomPay, provides our PCI Qualified Security Assessors (QSA) with a greater confidence that an institution has appropriate controls for credit card data and streamlines assessments. For more information about PCI Validated P2PE and FreedomPay s expertise in solving for complex payment environments in hospitality, please contact a payment security expert at commerce@freedompay.com FreedomPay, Inc.

8 FreedomPay Inc. Five Radnor Corporate Center 100 Matsonford Road, Suite 100 Radnor, Pennsylvania USA Toll Free: Tel: Fax: FreedomPay, Inc.