END TO END PCI COMPLIANT

Page 1: End to End PCI Compliant

Page 2: End to End PCI Compliant

INTRODUCTION

PCI sets out a large number of standards designed to assist merchants, acquirers and their agents with the task of protecting cardholder and other sensitive data. There are different elements to PCI which deal with the different and complex nature of payments, e.g. the PCI standards around e-commerce are different from the standards required for Chip and PIN transactions. It should also be noted that EMV is a separate organisation and standard from PCI.

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004 these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

Page 3: End to End PCI Compliant

Page 4: End to End PCI Compliant

PCI DSS (12 X DATA SECURITY STANDARDS)

The PCI DSS applies to any entity that stores, processes and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. If your business accepts or processes payment cards, it must comply with the PCI DSS.

Page 5: End to End PCI Compliant

PCI PA-DSS (14 X PAYMENT APPLICATION – DATA SECURITY STANDARDS)

The PA-DSS is for software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement. It governs those applications that are sold, distributed or licensed to third parties.

Page 6: End to End PCI Compliant

PCI PTS (PIN TRANSACTION SECURITY)

This standard, referred to as PTS, applies to companies which make devices that accept personal identification number (PIN) entry for all PIN-based transactions. Merchants and service providers should use PTS approved devices and should check with their acquiring financial institution to understand requirements and associated timeframes for compliance.

Page 7: End to End PCI Compliant

PCI PED HISTORY – NOW PCI PTS 3.1

PCI PED 1.3: PCI PED 1.3 was brought under the PCI SSC umbrella in September 2007. The initial release of PCI PED, version 1.3, harmonised the requirements of Visa and MasterCard and provided a security baseline that the card brands felt represented the minimum level of security required in any PIN accepting device. The standard attempted to balance the cost of compliance against the expense a criminal would need to invest in an attack on a PED.

PCI PED 2.1: In July 2009 there was a transition between PCI PED version 1.3 and PCI PED version 2.0. PCI PED version 1.3 devices are no longer being certified but can be sold until 2014. PCI PED version 2.1, which was published in July 2007 and in effect since 2008, was the requirement for all new devices being certified by PCI endorsed laboratories. PCI PED 2.0 devices can be sold until 2017.

PCI PTS 3.1: PTS 3.1 is the most relevant and recent standard, and the one that all acceptance devices mounted in on-street and off-street machines should meet.

Page 8: End to End PCI Compliant

PCI PED 2.1 COMPLIANT SECURE CARD READER

Page 9: End to End PCI Compliant

THE EVOLUTION AND KEY CHANGES FROM THE 2.1 STANDARD ARE:

PCI PTS 3.0 de-couples the card reader from the PIN Entry Device (PED), so that non-PIN acceptance solutions can be certified as compliant to an appropriate and rigorous international standard.

PCI PTS 3.0 has SRED (Secure Reading and Exchange of Data): the SRED module ensures that cardholder account data is protected at the point of acceptance, which assists in meeting the security requirements of the wider point-to-point security process.

Data that needs protecting could be, for example, a cardholder PIN, chip data or magnetic stripe data. In the case of vending machines, parking machines, kiosks and any other device that accepts a cardholder's card and reads data by means of the magnetic stripe or chip contacts, the data read from the card needs to be protected from the point of interaction onwards. This means a Secure Card Reader (SCR) is needed.

A Secure Card Reader (SCR) needs to comply with all the relevant requirements of PIN Transaction Security (PTS) Point of Interaction (POI) to provide adequate cardholder data protection.

An SCR that does not attach to a PIN pad (no PIN is captured), for example a parking meter accepting electronic payments without PIN validation, is catered for by the requirements detailed in the module entitled Secure Reading and Exchange of Data (SRED).

The first SRED requirement is that all account data (for example magnetic stripe data or data read from a chip card) is either encrypted immediately upon entry or entered in clear text into a secure device (an SCR) and processed within the secure controller of the device. Other requirements define the level of protection against attack that the SCR is required to provide. The protection required cannot be provided by commonly available card readers; a specialised SCR is required.

Another key requirement that must be met is for the SCR to contain an anti-removal mechanism that protects against unauthorised removal and against unauthorised re-installation.

Page 10: End to End PCI Compliant

PCI PTS 3.1 APPROVED PIN TRANSACTION SECURITY DEVICES

Page 11: End to End PCI Compliant

PRIMARY BENEFITS

One of the primary benefits of complying with the PTS 3.1 standard is that it caters for both PIN Entry Devices and card-reader-only solutions for low value (on-street) transactions. The security standard is the same, irrespective of whether a PIN or PIN pad is used.

Typically, on-street machines are solar powered and use GPRS with only a card reader attached. Historically, these card readers have not encrypted the card data at the point of insertion, nor have they had physical tamper/removal detection or anti-skimming preventative systems in place. With the Payment Express Secure Card Reader (SCR), Councils and Parking Operators can have confidence in the security of sensitive information.

For off-street machines which have mains power, a Windows OS or similar, and which facilitate higher value transactions, a PIN Entry Device, i.e. the DPS Secure Keypad (SKP), is recommended. This allows for acceptance of proprietary debit cards and large value EMV or magstripe transactions for which a PIN is mandated.

Using PTS 3.1 hardware also means that the Council or Parking Operator can use any IP communication channel (GPRS, 3G, DSL, etc.) without dedicated leased lines, as sensitive data is encrypted end to end.

Page 12: End to End PCI Compliant

SCR200 SECURE CARD READER AND DPS END TO END PAYMENT SOLUTION

Page 13: End to End PCI Compliant

RECOMMENDATION

Any merchant making a device purchase decision in 2012 or later should seriously consider the risks associated with purchasing a non-PCI PTS version 3.1 device.

Technically, PCI PED version 1.3 and 2.1 devices can still be installed; however, these standards do not cater for card-reader-only (i.e. on-street parking) solutions where a PIN is not required.

Also, the earlier standards do not have the SRED requirement for end-to-end (enhanced) message encryption.

Page 14: End to End PCI Compliant

FEATURES AND BENEFITS

UNATTENDED PRODUCT OVERVIEW

DPS is a global leader in card acceptance systems for unattended cashless devices, with over 30,000 machines connected to its network. DPS owns the hardware design, intellectual property and processor platform for its flagship product ‘Payment Express’, ensuring end to end accountability from card read to bankcard provider.

SCR200 standalone as No CVM, or with SKP200 and/or BRF200 Antenna
Compliant with the latest global security standards: PCI PTS 3.x / PCI SRED / PCI DSS, PA-DSS and PCI UPT, EMVCo Level 1 & 2
Contactless capable: Visa PayWave, MasterCard PayPass, Amex ExpressPay
Employs 3DES end to end encryption with tamper detection
Real time monitoring and proactive alerting systems
24*7*365 support
Certified with leading parking manufacturers
Comes with Payment Manager

DPS UNATTENDED MODULAR SYSTEM: SCR200, SKP200, BRF200

Page 15: End to End PCI Compliant

UNATTENDED PRODUCT OVERVIEW

i9500 CARD READER & PINPAD

PCI PED 2.x compliant Chip and PIN device
Integrates with all leading manufacturers of vending, parking, fuel and OPT equipment
Tamper resistant
Feature rich API
Processes online real time transactions with offline stand-in capability
End to end message encryption
Real time monitoring and proactive alerting systems
24*7*365 support
Comes with Payment Manager

i9530 PINpad
i9550 Card Reader

Page 16: End to End PCI Compliant

THE LEADER IN PAYMENTS TECHNOLOGY

WE EMPOWER PAYMENT TECHNOLOGY FOR YOUR ADVANTAGE

SOLUTIONS
Innovative full end-to-end cloud-based payment platform
Full Web-Based Reporting
On/Off Street Parking
Vending
POS Terminals
E-Commerce

OUR SERVICES
Core disciplines for your advantage
24/7 Support Service
Business Analysis
Project Management
Development
Quality Assurance

WE EXECUTE THE ATTITUDE AND KNOWHOW TO CONSTANTLY DELIVER GREAT RESULTS

AT A GLANCE CREDENTIALS
Established 1997
Offices in Sydney, Auckland, Los Angeles and London
Certified in 10+ regions with multiple banks and schemes
All IP and infrastructure owned by DPS
15,000+ merchants
Direct VISA link
Over $20b of transactions p.a.
Exceeds global security standards
Largest independent IP Payment Gateway in Australasia

HOW WE CONVERT OUR TECHNOLOGY FOR YOUR ADVANTAGE
OUR PEOPLE: Interwoven team skills striving to provide the best solutions
EXECUTION: Product innovation. Excellence in deployment and support
CULTURAL FIT: Openness, enthusiasm, and a passion for customer satisfaction
OUR VISION: Leaders in payment development

WE UNDERSTAND PAYMENTS TO THE FULL, AND WORK WITH A LEADING NETWORK OF PROVIDERS
BANKING PARTNERS: ANZ, Bank of South Australia, Bank West, BOQ, Citigroup, Commonwealth Bank, National Australia Bank, St George, Westpac
SCHEME PARTNERS: VISA, MasterCard, AMEX, Diners, Discover
INDUSTRY PARTNERS: Parking, Vending, Other Unattended

Page 17: End to End PCI Compliant

OVERVIEW OF PAYMENT EXPRESS TECHNOLOGY PORTFOLIO

Broadband EFTPOS
DPS and Merchant Hosted Payment Pages
Batch Processing
Parking, Kiosks, Vending
MOTO Transactions
Recurring Billing
Full Web-Based Reporting
IVR

Page 18: End to End PCI Compliant

PAYMENT EXPRESS

POINTS OF DIFFERENTIATION

Complete card acceptance platform
Largest IP Payment Gateway in Australasia
EFTPOS, Batch, Call centre, Ecommerce, Mobile, Unattended payments
End to end accountability, from card capture to Acquirer / Issuer
Exceeds local and global security standards; compliance guaranteed
Product of choice for merchants in Australia & NZ
Extremely flexible and feature rich
Supplied under SaaS model

Page 19: End to End PCI Compliant

PAYMENT EXPRESS

DPS CAPABILITIES

One of the largest IBM server farms in the local region
Payment Express processes via 6 datacentres, including 2 in the UK and 2 in Australia
DPS authorises 20 million+ transactions per month
No dependency on 3rd party software providers
Multiple host systems, UPS, failover switches, backup generators and offsite DR
Redundant GPRS connectivity option for EFTPOS solutions
99.999% availability

Page 20: End to End PCI Compliant

CONTACT

Stuart McGregor
Business Development Manager
PHONE: +61 2 8268 7700 | MOBILE: +61 417 619 757
EMAIL: [email protected]
www.paymentexpress.com