CC-P2PE Program Manual for Merchantsfinance.columbia.edu/files/gateway/forms/PCI P2PE Implementation … · • Secure shippers – Such as Federal Express, United Parcel Express

CardConnect P2PE Merchant Instruction Manual For CardPointe and CardSecure P2PE Merchants

Document Version 1.5

© Copyright 2016 CardConnect. All Rights Reserved. 2

Contributors

• Rush Taggart

• Justin Shipe

• Dorothy Bedford

• Andy Liaskos

• Jamil King

Revision History

Date Author Oct 2014 Rush Taggart Nov 2014 Andy Liaskos Dec 2014 Justin Shipe Jan 2016 Rush Taggart Aug 2016 Justin Shipe


Contents

Glossary ............................................................................................................................................... 4References ..................................................................................................................................................................... 4

Introduction ........................................................................................................................................ 5About This Guide ......................................................................................................................................................... 5About the P2PE Program ........................................................................................................................................... 5

Approved POI Devices .................................................................................................................... 6Non-PCI-Approved Devices ...................................................................................................................................... 7Maintaining PCI Scope Reduction ............................................................................................................................ 7Troubleshooting ........................................................................................................................................................... 7P2PE Program Termination (Opt-Out) .................................................................................................................... 7

Merchant Responsibilities for Terminal Management .............................................................. 9Instructions for Ingenico© Terminals ........................................................................................................................ 9

Receiving Ingenico© Terminals ............................................................................................................................................... 9Ingenico© Terminal Repair ....................................................................................................................................................... 9Ingenico© Terminal Returns and Replacements .................................................................................................................. 9Ingenico© Terminal Disposal ................................................................................................................................................... 9Ingenico© Terminal Shipments ............................................................................................................................................. 10Missing Ingenico© Terminals ................................................................................................................................................ 10Regular Inspection .................................................................................................................................................................. 10Tampered Terminals or Packages ....................................................................................................................................... 11

Instructions for ID TECH© Terminals ..................................................................................................................... 12Receiving ID TECH© Terminals ........................................................................................................................................... 12ID TECH© Terminal Repair ................................................................................................................................................... 12ID TECH© Terminal Returns and Replacements .............................................................................................................. 12ID TECH© Terminal Disposal ............................................................................................................................................... 12ID TECH© Terminal Shipments ............................................................................................................................................ 12Missing ID TECH© Terminals ............................................................................................................................................... 13Regular Inspection .................................................................................................................................................................. 13Tampered Terminals or Packages ....................................................................................................................................... 14

Inventory Control ............................................................................................................................ 15Secure Inventory Control ......................................................................................................................................... 15Annual Audit of All Terminal Inventory ................................................................................................................. 15

Appendix A: CardPointe Support ................................................................................................ 16CardPointe Support Contact Information ............................................................................................................ 16How to Order New Terminals ................................................................................................................................. 16CardPointe Support Contact Information ............................................................................................................ 16


Glossary

The following terms are used throughout this document, and typically referred to only by their acronym. Please read and understand this glossary before you continue reading this guide.

• Point-of-Interaction (POI)

• Personal Account Number (PAN)

• Sensitive Authentication Data (SAD)

• PIN Transaction Security (PTS)

• Operating System (OS)

• Secure Read and Exchange of Data (SRED)

• Point-to-Point Encryption (P2PE)

• CPTED - Crime Prevention Through Environmental Design is a multi-disciplinary approach to

deterring criminal behavior through environmental design. CPTED strategies rely upon the

ability to influence offender decisions that precede criminal acts.

• Terminal software – CardConnect offers several applications for its terminals. The PanPad™

application is for tokenizing cardholder data in an ERP environment. The Retail application is for

standalone retail transaction processing. Both are covered by this document.

• Secure shippers – Such as Federal Express, United Parcel Express or US Postal Service using

tracking number services.

References PCI P2PE v1.2 Glossary of Terms


Introduction

About This Guide

This document describes the responsibilities of the merchant for proper implementation of the CardConnect Point to Point Encryption (P2PE) products offered by CardConnect. It provides instructions on how to manage your terminal inventory and implement your terminal management program. The intent is to securely and accurately manage all terminal inventories from receipt to decommissioning.

About the P2PE Program

There is an enormous variety in Payment Card Terminal devices. CardConnect has incorporated devices from numerous manufacturers to provide a range of solutions to merchants, including counter top units, pin pads, wireless units, and hardened terminal for unattended transactions. All supported devices have been certified to the Pin Entry Device Version 3 specification from the PCI Security Standards Council. CardConnect operates its P2PE program as a component of its Payment Gateway. Using CardConnect as a provider of payment card processing services automatically provides the benefit of our P2PE program. CardConnect distributes its terminals through TASQ Technology, the leading reseller of payment card terminals in the US. TASQ provides numerous services in support of our P2PE program, including encryption key injection, software installation, device serialization, inventory management, and shipping/receiving services. All CardConnect terminals ship from and returns to TASQ. CardConnect manages its terminals with its Terminal Management System (TMS). TMS is a module of the CardConnect payment gateway. The TMS has knowledge of all terminals ordered, including serial number, encryption key, software version, and ship to location among other information. The TMS can instruct a terminal to update its software version. A requirement of the P2PE program is lifecycle tracking of all devices. CardConnect has integrated its TMS with the TASQ order management system to receive order and shipping information for each device. You the merchant have responsibility for the terminal while in your possession, and there are a number of required tasks required of you for the overall program to remain compliant with the P2PE requirements. CardConnect has created the Terminal Management System to radically simplify this task as described in the following sections. Merchants must identify a program manager on their staff to be the primary contact for CardConnect for matters related to this program. CardConnect intends its terminal devices are shipped configured for the specific merchant environment and application. Therefore no software installation or device configuration options are available to merchant staff.


Approved POI DevicesThe following POI devices have been approved by the CardConnect Information Security Team for use in Point-to-Point Encryption services and environments:

Make Model(s) Approval Class

Ingenico© iCT220 iCT250 PED

Ingenico© IPP320 iPP350 PED

Ingenico© iSC Touch 250 iSC Touch 480 PED

Ingenico© iCMP & iSMP PED

ID Tech© SREDKey SCR

ID Tech© SecuRED SCR

* Alternate model numbers indicate a color screen version of the otherwise identical device.

B&W

COLOR

B&W

COLOR

B&W

COLOR

Mobile reader, EMV reader via bluetooth connection


Non-PCI-Approved Devices The CardConnect P2PE applications and devices cannot be integrated with outside devices (swipers, dippers, readers, etc.). This is by design, for the security of the solution and the merchant environment. For questions on custom integrations, please speak with Merchant Technical Support by sending an email to [email protected].

Maintaining PCI Scope Reduction Any attempts made to enable device interfaces or data-capture mechanisms that are otherwise disabled by the terminal software will affect your PCI-P2PE scope. Altering the security configurations, authentication controls, application installs, or tampering the hardware will invalidate your P2PE compliance and ultimately compromise or weaken the integrity of your installation.

Troubleshooting

If your terminal fails to encrypt card data, remove it from service and contact Merchant Technical Support. The device must remain out of circulation until the issue is resolved or the device is returned. Should you experience any encryption or other errors with your terminal(s), contact Merchant Technical Support. The support team will begin a troubleshooting session over the phone and make a recommendation on how to proceed with resolving the issue. Any failure of the POI device should be reported immediately to your contact at CardConnect. No malfunctioning device can be used until a Merchant Technical Support validates the device is functioning correctly and specifically authorizes you to return the device to service. During troubleshooting, PAN or SAD data will not be output to the merchant environment at any time. Data cannot be collected in this way, so any device experiencing issues translating or communicating data must be sent back to the fulfillment center. The terminal software is designed to never send PAN or SAD data unencrypted. However, should any of the controls fail and the device sends unencrypted card data to CardSecure, CardConnect support will be alerted and the merchant will be notified to disable the offending terminal until it can be inspected. If the process for resolving the failure cannot be implemented, merchants have the option of formally discontinuing use of the P2PE solution. If this course of action is chosen, opt-out procedures must be followed.

P2PE Program Termination (Opt-Out) Any merchant may choose to terminate their relationship with CardConnect and thus “opt out” of the P2PE program. The Merchant P2PE program manager must communicate this intent to their CardConnect relationship manager. This notice must also be given to the merchant bank. A formal termination notice (notarized by an officer) must be delivered to CardConnect. CardConnect will arrange return shipping labels for all devices and locations listed in the Terminal Management System. The merchant is responsible for all devices that are not found and returned. In the event of POI encryption failure merchants have the opportunity to opt out of the P2PE solution. Opting out requires completion of the following procedures:


The primary merchant contact is required to communicate with the CardConnect point of contact (located in Appendix B of this document) to notify them of the intent to opt-out of the P2PE Solution. The merchant will be required to communicate with their merchant bank to inform them of their intent to opt-out of the P2PE solution. The merchant needs to relay the response of the merchant bank back to CardConnect. A formal opt-out notice needs to be notarized and delivered via secured courier to CardConnect. In the notice, the merchant needs to formally acknowledge that they are taking responsibility for their PCI DSS compliance in their environment. Merchants should also acknowledge they are taking responsibility for the following as If merchants opt out of a P2PE solution, the following may occur:

• Certain types of transactions may not be accepted.

• Merchants will be responsible for their own PCI DSS compliance.

• Merchants will be responsible for complying with all PCI DSS requirements instead of only

being required to submit a SAQ-P2PE-HW form.

• By opting-out of the P2PE solution, the merchant is no longer eligible for PCI DSS scope

reduction that was afforded by the P2PE solution.

• The merchant is obligated to advise their acquirer that they are no longer using the P2PE

solution.

• Processing transactions without P2PE protection may impact the merchant’s PCI DSS

compliance validation.

• Merchants need to confirm with their acquirer or payment brands what is required of them to

meet PCI DSS compliance.

A formal request should be submitted to the solution provider to allow them to accept transactions without P2PE encryption.


Merchant Responsibilities for Terminal Management

Instructions for Ingenico© Terminals

Receiving Ingenico© Terminals When the package containing the new Ingenico© device(s) arrives, inspect the packaging for any signs of tampering before signing for the package. Tape should be sealed and free of splits or tears. If there is any indication of tampering, refuse the package and the shipper will return it to TASQ. Once signed for, the terminal is the responsibility of the merchant. Please leave the terminal in the shipping box until time for installation. If there is any evidence of tampering in storage please contact the Merchant Technical Support team for a return shipping label. Packages must be securely

Ingenico© Terminal Repair CardConnect will never repair a terminal at a merchant location. If any person requests access to a terminal for repair purposes, please notify CardConnect immediately so the terminal can be disabled and returned to TASQ for inspection and revalidation. There are numerous frauds conducted upon terminals! Should any trouble arise with a terminal, please contact the CardConnect Merchant Technical Support group for assistance. CardConnect’s terminal management and fulfillment process cannot facilitate any on-site terminal repairs. Troubleshooting takes place only between the merchant and CardConnect. CardConnect will contact TASQ or Ingenico for troubleshooting when necessary. No one outside of CardConnect, TASQ, or Ingenico is authorized to troubleshoot or repair terminals.

Ingenico© Terminal Returns and Replacements Please contact the CardConnect Merchant Technical Support group for a return-shipping package. Please store the terminal in a secure location until shipped. Any time a device is sent to another facility or returned to the fulfillment center, the device must be secured and protected from tampering. All shipping of devices must use a secured courier. When devices are packaged, they must be packaged with tamper evident tape. All shipments must have tracking information, the details of which are to be logged as part of your terminal asset inventory tracking process.

Ingenico© Terminal Disposal All terminals that are permanently removed from service have their keys securely erased upon receipt by the originating key injection facility (KIF). Depending on the physical condition of the terminal it may be cleaned and returned to stock, or destroyed. The KIF is contracted to securely destroy terminal devices no longer fit for service. As a merchant, your procedure for decommissioning a terminal follows the same technical procedure as a returning a unit to the KIF.


Ingenico© Terminal Shipments Your organization must maintain a list of sites where your terminals can be deployed. The specifics of these locations are noted in Appendix B of this document. Terminals must be secured before and during transportation. When developing your transportation procedure, be sure to cover the following areas: Package the device in such a way that is tamper-evident. Use tamper tape on boxes. Track the device number and shipping details together. Verify the packages have not been tampered before shipment. Inspect the tape to ensure no seals are broken or cracked. If the package shows signs of tampering, do not ship it. Review your access log for information on the last person to access the area and contact Customer Support for further instructions. Terminal shipments must use only secure shippers.

Missing Ingenico© Terminals Please notify the Merchant Technical Support group as soon as possible after a terminal is identified as missing so the terminal can be disabled.

Regular Inspection Merchant Staff must verify on a regular basis that the on-hand terminal inventory is reconciled against the devices in use. Frauds have been committed by replacing terminals with tampered units. Terminal inspections must verify the following:

• Security seals, labels, hidden markings remain as originally received.

• Number and type of physical connections to device (There should only be one).

• Date of last inspection

• Condition of screws, mounting hardware, and cables

• Serial numbers on the bill of lading should match the list provided by CardConnect

• Serial numbers on the physical devices should match what was provided by CardConnect

• Physical inspections of the POI device should be conducted to assure that no mismatching

screws; replaced screws; missing or broken security seals exist. Pictures of POI devices and

indications of security seals are found in the relevant Terminal Inspection Guide for the device.


• Physical inspections of terminal must be conducted periodically throughout the life of the

device. CardConnect recommends inspecting devices every three to six months for mounted

devices and daily for wireless devices.

• Inspections should include looking for extraneous wiring, unusual holes in the device or

additional labels or coverings that could be used to mask damage from device tampering.

• On Power on, the device serial number reported in firmware should match the serial number on

the device itself.

• Self-Tests of the device should be run on power-on mode to assure proper functionality.

• Functional testing of the device should be performed to assure it is processing and

communicates correctly with CardConnect P2PE solution environment.

• All POI devices should be weighted on receipt and every three to six months to assure no

tapping mechanisms or “shims” have been inserted into the device.

You must maintain a log of these security checks for each device, and provide it to your PCI auditor for inspection. A handwritten notebook is sufficient. It should be kept in a secure location. You may also email [email protected] with the device serial number and inspection result and optionally a photograph. CardConnect will maintain this record. If you detect any indication of device tampering, please contact the Product Support group as soon as possible for assistance. If you suspect any transactions were processed on a tampered device please contact Merchant Technical Support.

Tampered Terminals or Packages In the event devices show physical signs of tampering, stop using the device immediately. Contact Merchant Technical Support (see Appendix B of this document for contact information) with the following:

• The date and time of when you initially noticed the tampering

• The suspected the cause of the tampering (i.e. missing screws, holes or additional seals in the

device, the device weights too much, etc.)

• Last status of the device in your asset inventory


Your CardConnect contact will assist you in gathering information, troubleshooting and responding to the incident. Any other suspicious activity of POI devices should be reported to Merchant Technical Support for investigation and resolution.


Instructions for ID TECH© Terminals

Receiving ID TECH© Terminals

When the package containing the new ID TECH© device(s) arrive, inspect the packaging for any signs of tampering before signing for the package. Any tape should be sealed and free of splits or tears. When ordering terminals, CardConnect will provide a confirmation number for your device shipment. If there is any indication of tampering, refuse the package and the shipper will return it to CardConnect. Once signed for, the terminal is the responsibility of the merchant.

ID TECH© Terminal Repair

CardConnect will never repair a terminal at a merchant location. If any person requests access to a terminal for repair purposes, please notify CardConnect immediately so the terminal can be disabled and returned to CardConnect for inspection and revalidation. There are numerous frauds conducted upon terminals! Should any trouble arise with a terminal, please contact CardPointe Support for assistance. CardConnect’s terminal management and fulfillment process cannot facilitate any on-site terminal repairs. Troubleshooting takes place only between the merchant and CardConnect. No one outside of CardConnect is authorized to troubleshoot or repair ID TECH terminals. If your ID TECH terminal needs repair or replacement, contact CardPointe Support. CardConnect will issue a new terminal and a return label for the failed terminal.

ID TECH© Terminal Returns and Replacements

Please contact CardPointe Support for a return-shipping package. Please store the terminal in a secure location until the replacement device has arrived and you are ready to return the original device to CardConnect. All shipping of devices must use a secured courier. When devices are packaged, they must be packaged with tamper evident tape. All shipments must have tracking information, the details of which are to be logged as part of your terminal asset inventory tracking process.

ID TECH© Terminal Disposal

All terminal disposal must be handled by CardConnect. A merchant must not dispose of a device themselves, but rather go through the return and replacement procedure. All terminals that are permanently removed from service have their keys securely erased upon receipt by the originating key injection facility (KIF). Depending on the physical condition of the terminal it may be cleaned and returned to stock, or destroyed. The KIF is contracted to securely destroy terminal devices no longer fit for service. As a merchant, your procedure for decommissioning a terminal follows the same technical procedure as a returning a unit to the KIF.

ID TECH© Terminal Shipments

Your organization must maintain a list of sites where your terminals can be deployed. The specifics of these locations are noted in Appendix B of this document.


Terminals must be secured before and during transportation. When developing your transportation procedure, be sure to cover the following areas: Package the device in such a way that is tamper-evident. Use tamper tape on boxes. Track the device number and shipping details together. Verify the packages have not been tampered before shipment. Inspect the tape to ensure no seals are broken or cracked. If the package shows signs of tampering, do not ship it. Review your access log for information on the last person to access the area and contact Customer Support for further instructions. Terminal shipments must use only secure courier services that provide tracking services.

Missing ID TECH© Terminals

Please notify the CardPointe Support as soon as possible if a terminal is identified as missing. The Support team can help identify problems in shipping or investigate further potential causes for a missing device and investigate any possible fraud.

Regular Inspection

Merchant Staff must verify on a regular basis that the on-hand terminal inventory is reconciled against the devices in use. Frauds have been committed by replacing terminals with tampered units. Terminal inspections must verify the following:

• Security seals, labels, hidden markings remain as originally received. See the image below for an

example of the tamper seal on an ID TECH SREDKey device:

• Number and type of physical connections to device (There should only be one).



• Condition of screws, mounting hardware, and cables

• Serial numbers on the bill of lading should match the list provided by CardConnect

• Serial numbers on the physical devices should match what was provided by CardConnect

• Physical inspections of the POI device should be conducted to assure that no mismatching

screws; replaced screws; missing or broken security seals exist. Check for skimmers or other

added hardware like fascias or layover keys.

• Physical inspections of terminal must be conducted periodically throughout the life of the

device. CardConnect recommends inspecting devices every three to six months for mounted

devices and daily for wireless devices.

• Inspections should include looking for extraneous wiring, unusual holes in the device or

additional labels or coverings that could be used to mask damage from device tampering.

• Functional testing of the device should be performed to assure it is processing and

communicates correctly with CardPointe.

You must maintain a log of these security checks for each device, and provide it to your PCI auditor for inspection. A handwritten notebook is sufficient. It should be kept in a secure location. You may also email [email protected] with the device serial number and inspection result and optionally a photograph. CardConnect will maintain this record.

Tampered Terminals or Packages

In the event devices show physical signs of tampering, stop using the device immediately. Contact CardPointe Support (see Appendix B of this document for contact information) with the following:

• The date and time of when you initially noticed the tampering

• The suspected the cause of the tampering (i.e. missing screws, holes or additional seals in the

device, the device weights too much, etc.)

• Last status of the device in your asset inventory


Your CardConnect contact will assist you in gathering information, troubleshooting and responding to the incident. Any other suspicious activity of your devices should be reported to CardPointe Support for investigation and resolution. If you detect any indication of device tampering, or you suspect any transactions were processed on a tampered device please contact CardPointe Support as soon as possible for assistance.


Inventory Control Secure Inventory Control Merchants are response for maintaining inventory and monitoring inventory of all terminals in your charge. This includes terminals that are in use, devices that are waiting to be used and devices that are in the process of being repaired. A missing or unaccounted for device could indicate that a terminal has been intercepted by an unauthorized party. The CardConnect Terminal Management System provides reports of all devices shipped to a location. This must match the devices in use at that location. The intent of the device inventory is to track any terminal through its lifecycle and maintain a strict chain of custody. Should you move a device from one location to another, please notify the Merchant Technical Support Group with the serial number and new location.

Annual Audit of All Terminal Inventory Merchants are response for maintaining inventory and monitoring inventory of all devices processing cardholder data. This includes terminals that are in use, devices that are waiting to be used and devices that are in the process of being repaired. For this reason CardConnect recommends any terminal not in active use or in the installation process be returned to TASQ. The CardConnect TMS will record returned terminals and remove them from merchant responsibility. CardConnect grants program managers’ access to the Terminal Management System to review device inventory information. At least once a year, a full inventory of all terminals (POI devices) must be conducted to ensure that all devices are accounted for and match the serial numbers documented in your inventory. All merchants should be familiar with their terminal models, including security markings, screws, and tamper seals so that inspections are effective at detecting tampered or otherwise compromised devices. If a discrepancy is found during the annual inventory, the following steps must be taken:

1. Isolate the missing device/ or devices

2. Determine the last known location of the device and if possible the last known use

3. Determine the serial number/type of device

4. Verify what state the device was in (deployed, spare/backup, undergoing repair)

5. Contact your CardConnect account manager with all the information collected about the missing device.

Contact information and points of contact are found in Appendix B of this document.

6. Work with CardConnect to verify if cardholder data has been compromised.

7. If you determine that cardholder data has been compromised, follow the steps outlined by Visa at:

http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx

© Copyright 2016 CardConnect. All Rights Reserved.

Appendix A: CardPointe Support

CardPointe Support Contact Information The CardPointe Support group at CardConnect provides all merchant terminal and technical support. Their phone number is 877-828-0720, option 1, then option 3, and email address is [email protected].

How to Order New Terminals You can visit shop.cardconnect.com to purchase additional terminals. The CardPointe Support group will assist you in configuring new terminals, requests to update information about a terminal, and requests to return a terminal. CardConnect sales staff can also accept new terminal orders, and will forward them to the CardPointe Support group.

CardPointe Support Contact Information Supervisor Contact Name: Andy Liaskos Address: 1000 Continental Drive

Suite 300 King of Prussia, PA 19406

URL: https://www.cardconnect.com/ Email: [email protected] Contact Numbers: 484-581-2200 Point of contact for missing/substituted inventory: Andy Liaskos

Documents

CC-P2PE Program Manual for Merchantsfinance.columbia.edu/files/gateway/forms/PCI P2PE Implementation … · • Secure shippers – Such as Federal Express, United Parcel Express