Attention Software Developers! How to Eliminate Scope of PCI Compliance

Payment processing integration with business management software is nothing new in the payments industry. For several decades, software companies have been developing user interfaces that connect with some sort of middleware technology to allow the flow of credit card data from the business software to the acquiring bank. In the past, software programs like IC Verify and PC Charge were installed on the computer's local hard drive and configured to work with the business management software. As internet connections improved and cloud technology became the standard, gateway companies jockeyed for partnerships with software companies.

In both of these models, card data typically entered the system through a mag stripe reader running in keyboard-emulation mode, which means the full track data arrived in the business application as ordinary keystrokes. The card data then flowed through the software to the gateway or middleware and on to the processor. Recurring payment features often stored the card data on the local hard drive as well, so a compromised workstation exposed both live transactions and every card on file.

In response to the steady stream of credit card data breaches and rising fraud, payment processing companies have developed several methods of protecting consumer card data. The most commonly used are point-to-point encryption (P2PE), tokenization, hosted payment pages, and semi-integrated solutions.

Point-to-point encryption uses dedicated hardware to encrypt the card data at the moment the card is swiped through a mag stripe reader. In the point-of-sale environment, this reader is usually connected to the POS hardware, so the encrypted data still passes through the POS software program. The data is decrypted with an acquirer-specific key only once it arrives at the processor's server. This method is considered very safe, but because the POS application still receives and forwards cardholder data, even in encrypted form, it still leaves the independent software vendor (ISV) in scope of PCI compliance regulations.

Tokenization is a method of card protection used for card storage. Credit card data is transmitted to the processor's gateway, where it is replaced by a token: a surrogate value that is meaningless outside the gateway's own vault. The token is transmitted back to the POS software application, where it can be stored for future use. When the merchant needs to act on the stored card, the POS sends the token to the gateway together with the requested operation (i.e. set up a recurring transaction, run a sale, issue a refund, etc.). Tokenization is now widely used to remove the liability of card storage from the merchant and ISV, but it only solves the second half of the transaction life cycle: the initial transmission of the card data to the gateway still has to be secured. Point-to-point encryption can be combined with tokenization to close that gap.
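The storage half of that life cycle, as an added example (not code from the original post or from any gateway vendor): a hypothetical gateway vault that issues random tokens, a merchant-side card-on-file store that keeps only the token and the last four digits, and the kind of scan a DLP tool or assessor runs to confirm no PAN is sitting in the merchant's data. The vault, class names and the sample card number are all constructed for illustration.

```python
import re
import secrets

# Constructed sample: a Luhn-valid test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn check, the same test PAN scanners use to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class GatewayVault:
    """Hypothetical gateway-side vault: the only place the PAN ever lives."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        # A random surrogate: no key and no cipher, so nothing can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def run(self, token: str, op: str, amount_cents: int) -> dict:
        """Perform an operation (sale, refund, recurring setup) against a stored card."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"ok": False, "error": "unknown token"}
        # A real gateway forwards the PAN to the processor here; the merchant never sees it.
        return {"ok": True, "op": op, "amount_cents": amount_cents, "last4": pan[-4:]}


class PosCardOnFile:
    """Merchant/ISV side: keeps only what the gateway handed back."""

    def __init__(self, vault: GatewayVault):
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id: str, pan: str) -> None:
        # The PAN goes straight to the gateway; only the token and last four are kept locally.
        self.customers[customer_id] = self.vault.tokenize(pan)

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.run(self.customers[customer_id]["token"], "sale", amount_cents)


PAN_RE = re.compile(r"\b\d{13,19}\b")


def pan_like_values(store: dict) -> list:
    """Scan stored values for Luhn-valid 13-19 digit runs, as a DLP tool or QSA would."""
    hits = []
    for record in store.values():
        for value in record.values():
            hits.extend(m for m in PAN_RE.findall(str(value)) if luhn_valid(m))
    return hits
```

The property worth checking is the last function: after `save_card` the merchant store contains nothing that scans as a card number, and a leaked copy of it is useless without the vault. A scheme that instead "tokenizes" by reversibly encrypting the PAN with a key the merchant could obtain does not have this property and leaves the store in scope.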

Unfortunately, P2PE has a few drawbacks. Encrypting the data requires hardware capable of encryption, injected with keys from each acquiring bank. To offer a processor-agnostic POS solution, the POS company must certify its P2PE solution with each payment processor. Each processor's specifications change fairly often, and the largest change since the onset of electronic payments is quickly approaching: EMV.

The EMV deadline presents an enormous amount of work to complete new encryption certifications for each processor. Additionally, POS companies must find new hardware that works with their computer systems. In response to the lack of resources for a complete systems overhaul, a new method of payment integration has emerged: semi-integration.

The semi-integrated model uses a standalone credit card terminal to run transactions, so the POS application never handles the card itself.

Merchants ring up a sale on the point-of-sale screen just as usual. The POS sends the sale amount to the credit card terminal. The customer swipes (or, with EMV, inserts) the card at the terminal, and the card data is encrypted the moment it is read (point to point). The encrypted data flows over the internet to the processor, which sends a transaction ID (token) back to the terminal. The terminal then passes the token to your POS to reconcile the transaction. The POS reconciles the sale without ever touching the card data, encrypted or otherwise, which is what removes the POS application from the cardholder data flow.
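The exchange described above, as an added example that is not part of the original post or any vendor's integration: three constructed parties (POS, terminal, processor) passing messages, with the terminal encrypting the track data under a key it shares only with the processor and the POS receiving nothing but the transaction ID. The cipher is a deliberately simple HMAC-based keystream so the example runs on the Python standard library; real terminals use acquirer-injected TDES DUKPT or AES keys. Message field names, class names and the sample track data are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: Luhn-valid test PAN with a toy track-2 style expiry/service code; not a real card.
SAMPLE_TRACK = "4111111111111111=2512101"
SAMPLE_PAN = SAMPLE_TRACK.split("=")[0]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed over the data.
    Stands in for the terminal's injected-key encryption (TDES DUKPT or AES on real
    hardware) so the example runs offline; not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class Processor:
    """Holds the acquirer-injected terminal keys; the only party that can decrypt."""

    def __init__(self, terminal_keys: dict):
        self.terminal_keys = terminal_keys
        self.transactions = {}

    def authorize(self, msg: dict) -> dict:
        key = self.terminal_keys[msg["terminal_id"]]
        track = keystream_xor(key, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ciphertext"])).decode()
        pan = track.split("=")[0]
        txn_id = "txn_" + secrets.token_hex(8)  # the transaction ID (token) handed back
        self.transactions[txn_id] = {"amount_cents": msg["amount_cents"], "last4": pan[-4:]}
        return {"txn_id": txn_id, "approved": True, "last4": pan[-4:]}


class Terminal:
    """Standalone card terminal: reads the card and encrypts at the point of swipe."""

    def __init__(self, terminal_id: str, injected_key: bytes, processor: Processor, card_reader):
        self.terminal_id = terminal_id
        self.key = injected_key
        self.processor = processor
        self.card_reader = card_reader  # the hardware read head; here a callable returning track data

    def sale(self, amount_cents: int) -> dict:
        nonce = secrets.token_bytes(12)
        ciphertext = keystream_xor(self.key, nonce, self.card_reader().encode())
        msg = {"terminal_id": self.terminal_id, "amount_cents": amount_cents,
               "nonce": nonce.hex(), "ciphertext": ciphertext.hex()}
        resp = self.processor.authorize(msg)  # goes over the internet, bypassing the POS
        return {"txn_id": resp["txn_id"], "approved": resp["approved"],
                "amount_cents": amount_cents, "last4": resp["last4"]}


class Pos:
    """Point of sale: supplies the amount, receives the token, never sees track data."""

    def __init__(self, terminal: Terminal):
        self.terminal = terminal
        self.seen = []  # every message that crossed the POS boundary, for the scope check

    def ring_up(self, amount_cents: int) -> dict:
        request = {"amount_cents": amount_cents}
        self.seen.append(json.dumps(request))
        result = self.terminal.sale(amount_cents)
        self.seen.append(json.dumps(result))
        return result


def pos_saw_pan(pos: Pos, pan: str) -> bool:
    """Scope check: did the card number ever pass through the POS application?"""
    return any(pan in entry for entry in pos.seen)
```

`pos_saw_pan` is the check that matters for scope: the only values the POS ever holds are the amount it sent, the transaction ID, an approval flag and a truncated last four, and the terminal-to-processor message never touches the POS process or its network path.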

Implementing these three solutions can protect your software organization and its clients from a very serious data breach. Reducing PCI scope also brings significant expense reductions. Be sure to ask your gateway partner about these advancements!

Published October 21st, 2015 (last updated 2018-05-31) | Categories: Credit Card Processing, POS, Technology, Uncategorized