www.cardconnect.com
Discussion with the Mid-Atlantic Oracle Applications Users Group
Securing Payment Card Data
PCI P2PE & EMV
Payment Security Standards
• PCI-DSS 3.0
• New procedures for malware, passwords, access and POS device security
• Required by December 31, 2014
• EMV / Chip-and-PIN
• Protects card-present transactions
• “Merchant Liability Shift”: October 1, 2015
[EMV graphic: “Magnetic Stripe vs. Chip” image from the “Transitions in Payments” presentation, slide 7]
[PCI 3.0 graphic: PCI Compliant image from the “Transitions in Payments” presentation, slide 4]
CardSecure Scope of Work
Ongoing Encryption and Tokenization
With CardSecure, all sensitive data is encrypted and stored in CardConnect's PCI-compliant hosting center. Intelligent tokens are returned to Oracle E-Business Suite in place of the card numbers. The tokens are format-preserving: they look like card numbers (e.g. 9418-1623-9275-1111) and pass the data-integrity checks Oracle performs on card fields, so the ERP stores and processes them without modification while never holding a real PAN.
CardConnect iFrame
Use Case – “Introducing New Card”
For the first transaction of a given card, business users will enter the credit card information into the CardSecure Web Application and click “Register”. This requires no software be
Features
• IDTech SREDKey
• Used for card-not-present environments
• PCI 3.0 Point-to-Point Encryption certified device
• Encryption key specific to the customer and CardConnect
• PCI-certified software and key-injection provider
• Delivery tracking of all equipment by a PCI-certified provider
• Workstation software is invoked only when a new card number is entered: it relays the device's encrypted message to the hosted server and receives the token in return, never handling the card number in the clear
Further Reduce PCI Scope
• Point of Interaction devices encrypt card numbers at entry, removing the business system from PCI scope
Introducing the PANPAD
• CardConnect’s own Point of Interaction device
• Built in partnership with Ingenico and IDTech, the PANPAD removes a business system from PCI scope
• This substantially reduces the labor and expense required to operate a PCI-compliant business
The CardSecure Desktop Tokenizer, an add-on software product to the CardSecure Token, tokenizes clear payment card numbers before entry to an ERP. Note that, unlike a hardware Point of Interaction device, desktop software receives the card number in the clear, so the workstation running it still handles cardholder data and remains in PCI scope.
PCI Document:
Point-to-Point Encryption (P2PE) Frequently Asked Questions for PCI Point-to-Point Encryption (P2PE) August 2012
Q6—Can merchants use P2PE solutions not listed on the Council’s website for PCI DSS scope reduction?
A. Only Council-listed solutions are recognized as meeting the requirements necessary for merchants to reduce the scope of their cardholder data
environment (CDE) through use of a P2PE solution.
Tokenization for Personal Data
Protecting Personally Identifiable Information (PII)
CardConnect’s Patented Tokenization
CardSecure® is an easy-to-integrate security solution that tokenizes all types of sensitive information at the point of entry. All tokens are randomly generated, with no mathematical relationship to the values they replace, so there is nothing to decrypt; the only mapping back to the original data is held in the vault.
Omni-Channel Security
Integrate CardSecure into devices and applications that capture and transmit sensitive data. All sensitive data is tokenized at the point of entry and kept secure in CardConnect’s vault.
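The capture path described in the Features list above (reader encrypts, workstation relays, hosted server returns a token) and the vault tokenization described in this section, modelled end to end as one added example. This is illustrative code written for this page, not CardConnect's or CardSecure's software. Everything in it is an assumption: the reader's cipher is a standard-library HMAC-based stand-in rather than a PCI-approved scheme, the ERP's "data integrity check" is taken to be a Luhn check, the leading 9 on tokens is an arbitrary marker, and the keys, PAN and caller names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample material (not real keys or card numbers).
DEVICE_KEY = hashlib.sha256(b"constructed per-device key from the key-injection facility").digest()
STORAGE_KEY = hashlib.sha256(b"constructed vault key for data at rest").digest()
SAMPLE_PAN = "4111111111111111"  # standard Visa test PAN, Luhn-valid


def luhn_sum(digits: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(digits: str) -> bool:
    """Mod-10 check, assumed here to be the ERP's integrity check on card fields."""
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream from HMAC-SHA256: a standard-library stand-in for the
    reader's real cipher so the example runs offline. Not a production construction."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += _prf(key, b"enc", nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC envelope under a fresh nonce (used by the reader and for storage)."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return {"nonce": nonce, "ct": ct, "tag": _prf(key, b"mac", nonce + ct)}


def open_sealed(key: bytes, env: dict) -> bytes:
    if not hmac.compare_digest(_prf(key, b"mac", env["nonce"] + env["ct"]), env["tag"]):
        raise ValueError("message tampered with or wrong key")
    return _keystream_xor(key, env["nonce"], env["ct"])


class PoiDevice:
    """Point of Interaction reader: the PAN is encrypted before it leaves the device."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def swipe(self, pan: str) -> dict:
        return seal(self._key, pan.encode())


def workstation_forward(env: dict) -> dict:
    """Workstation/ERP-side software holds no key; it only relays the opaque envelope."""
    return dict(env)


class HostVault:
    """Hosted vault: sole holder of the device key and of the token <-> PAN mapping."""
    def __init__(self, device_key: bytes, storage_key: bytes):
        self._device_key, self._storage_key = device_key, storage_key
        self._records = {}  # token -> sealed PAN (encrypted at rest)
        self._index = {}    # keyed hash of PAN -> token, so one card always yields one token

    def tokenize(self, env: dict) -> str:
        pan = open_sealed(self._device_key, env).decode()
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = _prf(self._storage_key, b"idx", pan.encode()).hex()
        if idx in self._index:
            return self._index[idx]
        token = self._random_token(pan)
        while token in self._records:  # random draw collided with an existing token: draw again
            token = self._random_token(pan)
        self._records[token] = seal(self._storage_key, pan.encode())
        self._index[idx] = token
        return token

    @staticmethod
    def _random_token(pan: str) -> str:
        """Random digits with no relation to the PAN, keeping its last four and a Luhn-valid
        check digit so the ERP accepts it. The leading 9 is an arbitrary marker (assumption)."""
        body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(10))
        # Digit 12 sits in an undoubled Luhn position, so it can be solved for directly.
        fix = (10 - luhn_sum(body + "0" + pan[-4:]) % 10) % 10
        return body + str(fix) + pan[-4:]

    def detokenize(self, token: str, caller: str) -> str:
        """Only the vault can reverse a token, and only for the hosted gateway (assumed caller name)."""
        if caller != "gateway":
            raise PermissionError(f"{caller} may not detokenize")
        return open_sealed(self._storage_key, self._records[token]).decode()


def demo(pan: str = SAMPLE_PAN) -> dict:
    """Run the flow once and report the properties a reviewer would check."""
    reader, vault = PoiDevice(DEVICE_KEY), HostVault(DEVICE_KEY, STORAGE_KEY)
    env = workstation_forward(reader.swipe(pan))
    token = vault.tokenize(env)
    forged = dict(env, ct=bytes([env["ct"][0] ^ 1]) + env["ct"][1:])
    try:
        vault.tokenize(forged); tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        vault.detokenize(token, "erp"); erp_denied = False
    except PermissionError:
        erp_denied = True
    return {"token": token,
            "pan_in_transit": pan.encode() in env["ct"],
            "same_card_same_token": vault.tokenize(reader.swipe(pan)) == token,
            "last_four_kept": token[-4:] == pan[-4:],
            "luhn_ok": luhn_valid(token),
            "tamper_detected": tamper_detected,
            "erp_denied": erp_denied,
            "gateway_lookup": vault.detokenize(token, "gateway") == pan}
```

The point to take from the run is where the trust boundary sits: `workstation_forward` has nothing to decrypt with, `tokenize` is the first place the PAN exists in the clear, and the ERP gets back a value that passes its own validation but is useless to an attacker who dumps the ERP database.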
Interchange Optimization
Interchange
• Interchange represents the fees paid to or collected from the card-issuing banks that provide Visa, MasterCard and Discover cards.
• Visa, MasterCard and Discover each have their own interchange programs.
Interchange Optimization
Defining Interchange Optimization:
• With so many interchange levels, there are ways to ensure a merchant qualifies for the lowest rate possible.
• Certain transactions can fall into 5 different categories
• Each category carries a different fee
• Fees are based on the information sent to the card processing networks
• If data points are missing, interchange can increase by more than 1.00%
The Levels of Processing
Level I
• Business to consumer processing – this requires the least amount of data
Level II
• B2B processing which includes additional information such as merchant state code, tax ID and customer code
Level III
• Requires the most information including item description, tax rate, invoice number and more. Because it requires the most data,
Transaction Level Requirements

Data Type                   Level I   Level II   Level III
Merchant Name               Y         Y          Y
Transaction Amount (Total)  Y         Y          Y
Date                        Y         Y          Y
Tax Amount                            Y          Y
Customer Code                         Y          Y
Merchant Postal Code                  Y          Y
Tax Identification                    Y          Y
Merchant Minority Code                Y          Y
Merchant State Code                   Y          Y
Ship from Postal Code                            Y
Destination Postal Code                          Y
Invoice Number                                   Y
Order Number                                     Y
Item Product Code                                Y
Item Commodity Code                              Y
Item Description                                 Y
Item Quantity                                    Y
Item Unit of Measure                             Y
Another Way to Optimize
3-D Secure
• Built into the CardConnect Gateway
• On transactions authenticated with 3-D Secure, liability for fraud-related chargebacks shifts from the merchant to the card issuer
• Saves 5-55 bps per transaction
3-D Secure
• Protecting card-not-present (CNP) transactions
• Developed by Visa, adopted by MasterCard, Amex, JCB
• How 3-D Secure works
• How to implement 3-D Secure
[Figure: sample 3-D Secure authentication window, annotated with what the cardholder should see: your bank’s logo, the name of the retailer you are shopping with, the value of the purchase, today’s date, the last four digits of your card number, and the personal message you set when registering]
The Ideal Solution
• Security
Your customer’s sensitive card data should never reside in your system. All encryption and storage should take place outside your ERP.
What To Look For
• Seamless Integration
You want an integration that is accomplished with no modifications to your Oracle e-Business Suite. This removes maintenance concerns during patching and upgrading.
• Interchange Management
A vendor should proactively manage your account to ensure your transactions are qualifying for the lowest possible interchange rates.
• Automated Reporting and Reconciliation
• Apply to existing sales channels
• SAP GUI, iStore, integrations
• POS, Mobile, e-commerce, and more
• SAP-to-Gateway integration
Protecting Your Sales Channels
2. Point-to-Point Encryption (P2PE)
[Figure: circle icons of 6 payment methods (from slide #13) showing which P2PE does and does not protect (orange for yes, gray for no): orange for retail, MOTO/B2B, and half of mobile]