Solutions For Higher Education: Reducing Compliance Scope Across Campus With PCI Validated P2PE
Complete Campus Coverage

With the complexity of a college campus ecosystem, as varied as the development office, the campus hotel, the football stadium and the food trucks, university Treasury and IT departments are looking for solutions that are more secure, more centralized and easier to manage. The challenge of maintaining PCI DSS compliance is intensified because, in many cases, disparate groups around the campus are managing multiple service providers and technologies. This leads to siloed payment solutions and a maze of providers and compliance requirements. College campuses, like any large enterprise with highly diversified payment use cases, require a comprehensive set of solutions that can accommodate online, offline and emerging payment technologies. FreedomPay's Validated P2PE solution offers PCI scope-reducing benefits across the entire college campus. The secure transaction framework applies to all payment methods, including credit, debit, EMV, NFC and online.

PCI Scope Reduction With Validated P2PE

The PCI Security Standards Council has codified a standard for payment encryption practices: Validated Point-to-Point Encryption (P2PE). The standard requires that account data be encrypted at the point of interaction (POI) and decrypted entirely outside the merchant's environment, so that no sensitive cardholder data passes through the merchant's POS in an unencrypted state. Because card data is fully segmented from the merchant's POS and network, Validated P2PE offers merchants a reduction in scope for their annual PCI DSS assessment, with substantially fewer controls to manage and document.
However, the PCI scope-reducing benefits of a Validated P2PE solution are contingent on eliminating all unencrypted cardholder data from the merchant's environment, which, for the diverse requirements of college campuses, demands a robust set of payment capabilities and integrations for online and offline transactions. Reduced scope is also not zero scope: the merchant still attests annually (typically through the P2PE-specific SAQ), must follow the solution's P2PE Instruction Manual for device handling, and should confirm the scope reduction with its QSA.

2014 FreedomPay, Inc. www.freedompay.com
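The data flow the standard requires, shown as an added Python model that is not part of the original whitepaper and is not FreedomPay's or Ingenico's code: a simulated SRED device encrypts the account data under a per-transaction key before the merchant POS ever sees it, the POS logs and forwards only ciphertext, the provider's decryption environment verifies and decrypts it and returns a token plus the last four digits, and a scanner then checks everything the merchant side handled for a Luhn-valid PAN, which is the test a QSA applies when deciding whether clear-text cardholder data is present. The base key, the device serial, the HKDF and HMAC-counter-mode constructions standing in for DUKPT and the device's AES/TDES, the token format and the sample test PAN are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Constructed for this example. In a validated solution the base key is
# loaded at a key-injection facility and exists only inside the POI's secure
# processor and the provider's HSM; here both "sides" share this constant.
BASE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
DEVICE_SERIAL = "POI-0001"   # assumed device identifier
MERCHANT_LOG = []            # everything the merchant POS/network handled
TOKEN_VAULT = {}             # provider side only: token -> PAN


def _hkdf_expand(key, info, length=64):
    """HKDF-Expand (RFC 5869, SHA-256). Stand-in for DUKPT key derivation;
    unlike DUKPT it does not irreversibly advance the device's key state."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the AES/TDES
    encryption the device firmware would actually use."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _tx_keys(ksn):
    """Per-transaction encryption and MAC keys, bound to the KSN header."""
    material = _hkdf_expand(BASE_KEY, ksn)
    return material[:32], material[32:]


def poi_encrypt(account_data, counter):
    """Runs 'inside' the SRED firmware, the only place on the premises where
    plaintext exists. Emits ciphertext plus a key-serial-number style header."""
    ksn = f"{DEVICE_SERIAL}:{counter:08d}".encode()
    enc_key, mac_key = _tx_keys(ksn)
    nonce = secrets.token_bytes(12)
    pt = json.dumps(account_data, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, ksn + nonce + ct, hashlib.sha256).digest()

    def b64(b):
        return base64.b64encode(b).decode()
    return {"ksn": ksn.decode(), "nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}


def provider_decrypt_and_authorize(request):
    """Decryption environment, outside merchant scope: verify the tag,
    decrypt, authorize, and hand back a token and last four, never the PAN."""
    ksn = request["ksn"].encode()
    nonce, ct, tag = (base64.b64decode(request[k]) for k in ("nonce", "ct", "tag"))
    enc_key, mac_key = _tx_keys(ksn)
    expected = hmac.new(mac_key, ksn + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: header or ciphertext altered")
    data = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))
    token = "tok_" + secrets.token_urlsafe(12)   # assumed token format
    TOKEN_VAULT[token] = data["pan"]
    return {"approved": True, "token": token, "last4": data["pan"][-4:],
            "amount_cents": request["amount_cents"]}


def merchant_pos_forward(encrypted, amount_cents):
    """The merchant POS and network path: it logs, routes and adds business
    data, but it holds no key, so it can never recover account data."""
    request = {"terminal": DEVICE_SERIAL, "amount_cents": amount_cents, **encrypted}
    MERCHANT_LOG.append(json.dumps(request, sort_keys=True))
    response = provider_decrypt_and_authorize(request)
    MERCHANT_LOG.append(json.dumps(response, sort_keys=True))
    return response


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_clear_pans(text):
    """The check a QSA would want: any Luhn-valid 13-19 digit run in data the
    merchant handled is clear-text cardholder data and pulls it back into scope."""
    return [m for m in _DIGIT_RUN.findall(text) if luhn_ok(m)]


def run_transaction(pan, expiry, amount_cents, counter=1):
    encrypted = poi_encrypt({"pan": pan, "expiry": expiry, "entry": "EMV"}, counter)
    return merchant_pos_forward(encrypted, amount_cents)


if __name__ == "__main__":
    # Constructed sample: the standard Visa test PAN, not a real card.
    print(run_transaction("4111111111111111", "1225", 1999))
    print("clear-text PANs seen by merchant:", find_clear_pans("\n".join(MERCHANT_LOG)))
```

Run it directly to see the token returned to the merchant and an empty list of clear-text PANs; point find_clear_pans at the plaintext instead and it reports 4111111111111111, which is exactly what a non-P2PE POS would be exposing. The irreversible key advance of DUKPT, which keeps a captured device from recovering earlier transactions, is deliberately not modelled here.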
Advanced Commerce Platform

EMV Certification

2015 is an inflection point for payments, with the U.S. set to adopt the EMV (chip-and-PIN, chip-and-signature) standard that is prevalent around the world. The major card brands have aligned around the EMV standard and are mandating that merchants and card issuers upgrade to the new technology or face liability for fraud and chargebacks. Once the liability shift occurs, if card-present fraud occurs, whichever party in the value chain has the lesser technology bears the liability. An EMV card offers additional protection against counterfeit-card fraud, but it does not encrypt the payment data in the merchant's environment. In fact, Stephen Orfei, the General Manager of the PCI Security Standards Council, stated that "EMV chip technology does not protect against malware attacks like those we have been reading about in the news, nor does it prevent card-not-present attacks." It is the combination of EMV and security solutions like PCI P2PE that can secure payment data and mitigate the merchant's risk of fraud and compromise.

NFC Mobile Wallets

The emergence of Apple Pay has re-ignited the NFC mobile wallet space. Apple, Google, Samsung, Microsoft and PayPal, among others, are competing to provide the most convenience and the most value-added services for customers who use mobile wallet technology. Many merchants who have held off on accepting NFC payments since their introduction several years ago now face pressure from consumers to accept mobile payments. With smartphones ubiquitous on college campuses and mobile payments gaining rapid adoption, NFC acceptance is becoming an increasingly important factor in the payments landscape.

Online Payments

Online payments through a virtual terminal or e-commerce website can expose card data to the university network, keeping it within the scope of PCI compliance.
Credit card data is often processed as a card-not-present transaction, even when the customer is able to present the card in person. Finding new ways to process payments online can increase security, reduce scope, lower interchange fees and add new functionality.
Use Case 1: The Dining Hall

Campus dining facilities and convenience stores typically accept both student ID cards and credit cards for payment, exposing them to PCI compliance scrutiny. FreedomPay's integration toolkit enables rapid integration of POS systems into the Validated P2PE framework, reducing PCI scope and addressing EMV at the same time. Leading systems such as MICROS, Agilysys, Revel Systems and Digital Dining are already certified on the P2PE platform, with additional POS providers joining the solution regularly. On many campuses the food service operation is self-managed, and the IT department or Treasury is responsible for the merchant ID and compliance. On others, dining operations are managed by a third-party service provider that owns the merchant IDs and potentially the POS equipment as well. Many universities have deployed stand-alone payment terminals that are not on the network in an effort to keep card data off their systems. FreedomPay has experience working with the major U.S. contract food service providers and can work with campus administrators to implement a scope-reducing Validated P2PE solution even where a third-party service provider is involved.

Use Case 2: The Food Trucks

Small merchants around campus, such as food trucks, event and festival vendors and pop-up retail partners, need to be on the cutting edge of technology, traveling light and fast with tablets and mobile card-reading devices. The PCI challenge for these small but popular merchants is the amount of payment data they generate and where it goes. FreedomPay's P2PE framework and PCI-validated mobile devices enable these merchants to accept payments securely and transport the data across the network within the validated P2PE environment. All of the mobile devices certified in the FreedomPay framework accept EMV, NFC and magnetic stripe payments, with Bluetooth, Wi-Fi or cellular connectivity.
The mobile devices and integrated POS systems also support offline payments.
Use Case 3: The Development Office

Accepting payments through a call center or e-commerce website can expose card data to the university network. For a university development office or other business office that collects donations and sells tickets to events, many of the technologies in use today can expose sensitive payment information to the university's network, keeping those offices in scope for compliance. For e-commerce transactions, FreedomPay's Hosted Payment Page integrates with e-commerce website platforms so that payment data is entered on and handled by the hosted page rather than the merchant's own web environment. This removes cardholder data from the university's web environment and handles it within the validated platform; note that the merchant's web server remains in scope to the extent it can affect the security of the redirect or frame that delivers the hosted page. For in-person payments at events, or for payments taken over the phone, FreedomPay's Merchant Portal functions as a web-based POS running in a browser. The P2PE-validated payment terminal or secure keypad connects via USB to a computer to accept payments. At in-person events the merchant can accept EMV and NFC payments and qualify for card-present interchange rates rather than the card-not-present rates typically charged for virtual terminal transactions.

Use Case 4: The Campus Hotel

Hotels are complex payment environments, with retail, restaurant, e-commerce and lodging all within the same merchant footprint. FreedomPay is positioned to address all of these hospitality use cases with a comprehensive, PCI-validated solution. FreedomPay is integrated with Property Management System (PMS) solutions from MICROS and Agilysys, as well as leading retail and restaurant POS systems from Revel, Digital Dining and other platforms. In 2015 FreedomPay will enable Pay at Table with EMV, allowing full-service restaurants to bring a payment device to the table with the bill so the consumer can complete the transaction there. Many universities receive foreign travelers, and offering Dynamic Currency Conversion (DCC) at check-in lets the consumer see and pay the charge in their home currency at an exchange rate disclosed at the time of the transaction.
Online, the FreedomPay Payment Information Proxy tokenizes the card data in reservation records and removes it from the university's scope when the consumer books a room through a third-party system like Expedia or Travelocity.
Use Case 5: The Football Stadium

Stadiums and arenas are major revenue generators for campuses, and the cardholder data exposure in those facilities needs to be addressed. FreedomPay has been working with the service providers to many campus stadiums to implement P2PE, and the compliance implications can be sizable. Payment terminals in the fast-paced world of concessions have to be durable and dependable, and when one fails, procedures need to exist to hot-swap the device on the spot without crippling the lines. FreedomPay provides a PCI-validated process for managing and deploying backup devices securely, or for requesting an RMA and a replacement. Consumers increasingly expect to pay by mobile, and at stadiums in particular, speeding up checkout is critical. In suites and boxes, a mobile payment terminal helps attendants serve customers without their missing a play. Even before fans get to the game, they may be buying tickets on the university's website or through Ticketmaster. With FreedomPay's ticketing tokenization, card data from ticket sales is replaced with tokens and removed from the campus infrastructure.

Use Case 6: The Police Station

The business of a police station, and of the municipal court functions that often go with it, includes collecting fines and fees. Despite the presence of the police, payment data on that network is typically not as well secured as it could be, and the campus police department can be an unexpected source of cardholder data exposure. FreedomPay can provide stand-alone terminals that are not tied to a POS system, or secure payment terminals connected to the Merchant Portal, to handle card-present payments.
The Difference PCI Validation Makes

In 2012 and 2013, the PCI Security Standards Council released the PCI P2PE Standard: a set of controls that aimed to provide clarity and definition around point-to-point encryption. The standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions, to ensure that their solutions meet the requirements for the protection of payment card data. As stated on the PCI Security Standards Council's listing of Validated P2PE Solutions: "When correctly implemented, these P2PE solutions may simplify merchants' PCI compliance programs by eliminating clear-text cardholder data from their environment and reducing the scope of PCI DSS requirements."

There are three core principles underlying PCI-validated solutions:

- Hardware-to-hardware encryption and decryption, with a POI (point-of-interaction) device that has SRED (Secure Reading and Exchange of Data) listed as a function and enabled.
- A validated secure distribution channel, meaning that the entire chain of custody of the POI devices follows strict controls for shipping, receiving, tamper-evident packaging and installation.
- A P2PE Instruction Manual (PIM) that guides the merchant on POI device use, storage, return for repair and regular PCI reporting.

To earn validation, P2PE solution providers are responsible for ensuring that their solutions satisfy all requirements of the P2PE standard. As part of the assessment, the solution provider must give the P2PE assessor all required documentation and software, access to facilities, and access to any third-party service providers used in connection with the solution.
The PCI P2PE standard encompasses close to a thousand individual controls governing encryption and decryption methods, software applications, device management, and operations at distribution and cryptographic key-injection facilities. FreedomPay's P2PE solution, which earned PCI validation in August 2014, offers merchants this level of payment security and functionality.
P2PE Payment Terminals

Core to a PCI-validated P2PE solution is the Secure Reading and Exchange of Data (SRED) function, which encrypts account data at the point of interaction. SRED applies the security and cryptographic protection long required for PIN data to the reading of card data presented by magnetic stripe, EMV chip, contactless/NFC and manual entry. For a device to qualify, the encryption of cardholder data and the management of its keys must be performed inside the device's secure processor, and this and the other P2PE-relevant functions must be implemented in the device firmware rather than in the payment application. That firmware is evaluated and approved against the SRED requirements by a PCI-recognized laboratory. FreedomPay's P2PE solution uses SRED-enabled payment terminals from Ingenico Group that offer choice and flexibility across a variety of use cases. All of the devices FreedomPay provides support traditional magnetic stripe payments as well as alternative and emerging payment methods such as EMV and NFC.

Devices

Devices supported by the FreedomPay PCI-validated P2PE solution include the Ingenico iWL series, iPP350 and iSC250.
PCI Compliance

It is incumbent on merchants to work with their QSA to vet fact from fiction. Only PCI-validated P2PE solutions have been thoroughly audited and evaluated, and can deliver to the merchant the benefits of security assurance and true scope reduction. As security and integrity are critical to maintaining a university or college's reputation and the trust of faculty, students and alumni, it is of prime importance to proactively protect all sensitive information entrusted to the institution.

Coalfire has worked with many large universities and colleges around the country. The firm understands the unique requirements of student information systems, sports programs, parking systems, bookstores and more. Coalfire's experience is that higher education institutions typically have complex governance, multiple payment mechanisms and the need to adapt constantly to the needs of their diverse communities. This often results in significant effort during assessments to ensure that all payment channels are identified, even before assessing the PCI DSS compliance of each channel. It also creates the risk that a department will create a new payment channel without being aware of the need for PCI compliance. These unintentionally non-compliant channels are a risk to the institution. Adopting a uniform, adaptable P2PE solution, like FreedomPay's, enables institutions to continue to use installed Point-of-Sale (POS) systems and to implement new POS systems with the security assurances of P2PE and without the need to apply all PCI DSS controls to those POS systems or networks. Uniform use of a PCI P2PE solution, like FreedomPay's, gives our PCI Qualified Security Assessors (QSAs) greater confidence that an institution has appropriate controls for credit card data, and streamlines assessments.
For more information about PCI Validated P2PE and FreedomPay's solutions for higher education, please contact a payment security expert at commerce@freedompay.com.
FreedomPay Inc. Five Radnor Corporate Center 100 Matsonford Road, Suite 100 Radnor, Pennsylvania 19087 USA Toll Free: 1.888.495.0222 Tel: +1.610.902.9000 Fax: +1.610.902.9001 www.freedompay.com 2015 FreedomPay, Inc.