Uploaded by: stuart-mcgregor
END TO END PCI COMPLIANT
INTRODUCTION

PCI sets out a large number of standards designed to assist merchants, acquirers and their agents with the task of protecting cardholder and other sensitive data. There are different elements to PCI which deal with the different and complex nature of payments; for example, the PCI standards around e-commerce are different to the standards required for Chip and PIN transactions. It should also be noted that EMV is a separate standard, maintained by a separate organisation (EMVCo), from PCI.

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information Security and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On 15 December 2004 these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS); the Payment Card Industry Security Standards Council (PCI SSC) was subsequently formed, in 2006, to own and maintain the standard.
PCI DSS (12 REQUIREMENTS)

The PCI DSS applies to any entity that stores, processes and/or transmits cardholder data. It covers the technical and operational system components included in, or connected to, the cardholder data environment. If your business accepts or processes payment cards, it must comply with the PCI DSS.
PCI PA-DSS (PAYMENT APPLICATION DATA SECURITY STANDARD, 14 REQUIREMENTS)

The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorisation or settlement. It governs those applications that are sold, distributed or licensed to third parties.
PCI PTS (PIN TRANSACTION SECURITY)

This standard, referred to as PTS, applies to companies which make devices that accept personal identification number (PIN) entry for PIN-based transactions. Merchants and service providers should use PTS-approved devices and should check with their acquiring financial institution to understand the requirements and associated timeframes for compliance.
PCI PED HISTORY – NOW PCI PTS 3.1

PCI PED 1.3: PIN Entry Device (PED) security was brought under the PCI SSC umbrella in September 2007. The initial PCI release, version 1.3, harmonised the requirements of Visa and MasterCard and provided a security baseline that the card brands felt represented the minimum level of security required in any PIN accepting device. The standard attempted to balance the cost of compliance against the expense a criminal would need to invest in an attack on a PED.

PCI PED 2.x: PCI PED 2.0 was published in July 2007 and in effect from 2008, later revised as version 2.1, and became the requirement for all new devices certified by PCI-recognised laboratories. In July 2009 there was a transition from PCI PED version 1.3 to PCI PED version 2.x: version 1.3 devices are no longer being certified but can be sold until 2014, and PCI PED 2.x devices can be sold until 2017.

PCI PTS 3.1: PTS 3.1 is the most recent and most relevant standard for all acceptance devices mounted in on-street and off-street machines.
THE EVOLUTION AND KEY CHANGES FROM THE 2.1 STANDARD ARE:

Secure Card Reader: PCI PTS 3.x de-couples the card reader from the PIN Entry Device (PED), so that non-PIN acceptance solutions can be certified as compliant to an appropriate and rigorous international standard.

SRED: PCI PTS 3.0 adds the SRED (Secure Reading and Exchange of Data) module. SRED ensures that cardholder account data is protected at the point of acceptance, which assists in meeting the security requirements of the wider point-to-point encryption process. Data that needs protecting includes, for example, the cardholder PIN, chip data and magnetic stripe data. In the case of vending machines, parking machines, kiosks and any other device that accepts a cardholder's card and reads data from the magnetic stripe or chip contacts, the data read from the card needs to be protected from the point of interaction onwards. This means a Secure Card Reader (SCR) is needed.

A Secure Card Reader (SCR) needs to comply with all the relevant requirements of the PCI PTS Point of Interaction (POI) standard to provide adequate cardholder data protection.

An SCR that does not attach to a PIN pad (no PIN is captured), for example a parking meter accepting electronic payments without PIN validation, is catered for by the requirements detailed in the module entitled Secure Reading and Exchange of Data (SRED).

The first SRED requirement is that all account data (for example magnetic stripe data or data read from a chip card) is either encrypted immediately upon entry, or entered in clear text into a secure device (an SCR) and processed within the secure controller of the device. Other requirements define the level of protection against attack that the SCR is required to provide. The protection required cannot be provided by commonly available card readers; a specialised SCR is required.

Another key requirement that must be met is for the SCR to contain an anti-removal mechanism that protects against unauthorised removal and against unauthorised re-installation.
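The SRED requirement above (account data encrypted immediately upon entry, or never leaving the secure controller in clear) is something a merchant or integrator can verify on the wire rather than take on trust, and the same check underpins the later claim that any IP channel can carry the traffic because the card data is already encrypted. The following is an added example and not DPS or Payment Express code: a scanner that inspects a capture of the reader-to-gateway link for Luhn-valid PANs and full track-2 records, so that a legacy reader emitting cleartext stripe data is caught while an SRED reader's frame passes. It also goes slightly beyond the text by including the PCI DSS display form of a PAN (first six and last four digits). The frame layout, the field names (TERM, T2, KEYID, ENC, AMT) and the hex "ciphertext" are constructed for this example and do not describe any real device protocol; 4111111111111111 is a published Visa test PAN.

```python
"""Check that a payment link carries no cleartext card data.

Added example, not code from DPS / Payment Express or any PCI document.
The frames below are constructed for the example; the ENC hex string is a
made-up stand-in for 3DES ciphertext, not output from a real reader.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 contiguous digits not embedded in a longer digit run.
_PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

# Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
# A full track-2 record also exposes expiry and service code, which PCI DSS
# classes as sensitive authentication data.
_TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812-1); filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS requirement 3.3 display form: at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(frame: bytes) -> List[Tuple[str, str]]:
    """Return (kind, masked_pan) for each Luhn-valid PAN found in clear.

    kind is "track2" when the PAN sits inside a complete track-2 record and
    "pan" when it is a bare Luhn-valid digit run (e.g. a PAN in a log line).
    """
    found: List[Tuple[str, str]] = []
    seen = set()
    for m in _TRACK2.finditer(frame):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            found.append(("track2", mask_pan(pan)))
            seen.add(pan)
    for m in _PAN_RUN.finditer(frame):
        pan = m.group(0).decode()
        if pan not in seen and luhn_valid(pan):
            found.append(("pan", mask_pan(pan)))
            seen.add(pan)
    return found


def link_is_clean(frame: bytes) -> bool:
    """True when the frame carries no cleartext, Luhn-valid PAN."""
    return not find_cleartext_pans(frame)


# Constructed frames (hypothetical field names). A legacy, non-SRED reader
# forwards the raw track 2; an SRED reader forwards only a key identifier
# and ciphertext, so the GPRS/IP link never carries account data in clear.
LEGACY_READER_FRAME = (
    b"\x02TERM=PARK0042|T2=;4111111111111111=25121011234?|AMT=350\x03"
)
SRED_READER_FRAME = (
    b"\x02TERM=PARK0042|KEYID=0003"
    b"|ENC=9a2c4f11d8e0b7c3a55e6f0d2b1c9e8731d4f0a6c2e8b9d5|AMT=350\x03"
)

if __name__ == "__main__":
    for name, frame in (("legacy", LEGACY_READER_FRAME), ("sred", SRED_READER_FRAME)):
        hits = find_cleartext_pans(frame)
        print(name, "CLEAN" if not hits else "CLEARTEXT CARD DATA " + str(hits))
```

Point the scanner at the payload of a packet capture taken on the machine's uplink, or at the terminal's debug log. Luhn filtering removes roughly nine out of ten random digit runs, but hex-encoded ciphertext can still occasionally contain a Luhn-valid 13 to 19 digit run, so treat a hit as something to confirm against the device's key-loading records rather than as proof of a leak on its own. The same function run over the parking system's own databases and log files is the quick check for PCI DSS requirement 3, that no PAN is stored in clear.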
PRIMARY BENEFITS

PCI PTS 3.1 APPROVED PIN TRANSACTION SECURITY DEVICES

One of the primary benefits of complying with the PTS 3.1 standard is that it caters for both PIN Entry Devices and card-reader-only solutions for low value (on-street) transactions. The security standard is the same, irrespective of whether a PIN pad is used.

Typically, on-street machines are solar powered and use GPRS, with only a card reader attached. Historically, these card readers have not encrypted the card data at the point of insertion, nor have they had physical tamper or removal detection or anti-skimming preventative measures in place. With the Payment Express Secure Card Reader (SCR), councils and parking operators can have confidence in the security of sensitive information.

For off-street machines, which have mains power, a Windows OS or similar and facilitate higher value transactions, a PIN Entry Device, i.e. the DPS Secure Keypad (SKP), is recommended. This allows for acceptance of proprietary debit cards and large value EMV or magstripe transactions for which a PIN is mandated.

Using PTS 3.1 hardware also means that the council or parking operator can use any IP communication channel (GPRS, 3G, DSL etc.) without dedicated leased lines, as sensitive data is encrypted end to end. Note that encryption at the reader reduces, but does not by itself remove, the merchant's PCI DSS obligations: how far the parking machine and its network fall out of scope is assessed against the PCI P2PE requirements and agreed with the acquirer.
RECOMMENDATION

SCR200 SECURE CARD READER AND DPS END TO END PAYMENT SOLUTION

Any merchant making a device purchase decision in 2012 or later should seriously consider the risks associated with purchasing a non-PCI PTS 3.1 device.

Technically, PCI PED version 1.3 and 2.1 devices can still be installed; however, these standards do not cater for card-reader-only (i.e. on-street parking) solutions where a PIN is not required.

Also, the earlier standards do not have the SRED requirement for end-to-end (enhanced) message encryption.
FEATURES AND BENEFITS

UNATTENDED PRODUCT OVERVIEW

DPS is a global leader in card acceptance systems for unattended cashless devices, with over 30,000 machines connected to its network. DPS owns the hardware design, intellectual property and processor platform for its flagship product 'Payment Express', ensuring end to end accountability from card read to bankcard provider.

SCR200 standalone as No CVM (no cardholder verification method), or with SKP200 and/or BRF200 antenna
Compliant with the latest global security standards: PCI PTS 3.x / PCI SRED / PCI DSS, PA-DSS and PCI UPT, EMVCo Level 1 & 2
Contactless capable: Visa payWave, MasterCard PayPass, Amex ExpressPay
Employs 3DES end to end encryption with tamper detection
Real time monitoring and proactive alerting systems
24*7*365 support
Certified with leading parking manufacturers
Comes with Payment Manager

DPS UNATTENDED MODULAR SYSTEM: SCR200, SKP200, BRF200
UNATTENDED PRODUCT OVERVIEW

i9500 CARD READER & PINPAD

PCI PED 2.x compliant Chip and PIN device
Integrates with all leading manufacturers of vending, parking, fuel and OPT equipment
Tamper resistant
Feature rich API
Processes online real time transactions, with offline stand-in capability
End to end message encryption
Real time monitoring and proactive alerting systems
24*7*365 support
Comes with Payment Manager

i9530 PINpad, i9550 Card Reader
THE LEADER IN PAYMENTS TECHNOLOGY

WE EMPOWER PAYMENT TECHNOLOGY FOR YOUR ADVANTAGE

SOLUTIONS: innovative full end-to-end cloud-based payment platform; full web-based reporting; on/off street parking; vending; POS terminals; e-commerce.

OUR SERVICES (core disciplines for your advantage): 24/7 support service; business analysis; project management; development; quality assurance.

WE EXECUTE THE ATTITUDE AND KNOWHOW TO CONSTANTLY DELIVER GREAT RESULTS

AT A GLANCE CREDENTIALS: established 1997; offices in Sydney, Auckland, Los Angeles and London; certified in 10+ regions with multiple banks and schemes; all IP and infrastructure owned by DPS; 15,000+ merchants; direct VISA link; over $20b of transactions p.a.; exceeds global security standards; largest independent IP payment gateway in Australasia.

HOW WE CONVERT OUR TECHNOLOGY FOR YOUR ADVANTAGE (our people, cultural fit, execution, our vision):
Interwoven team skills striving to provide the best solutions
Product innovation; excellence in deployment and support
Openness, enthusiasm, and a passion for customer satisfaction
Leaders in payment development
WE UNDERSTAND PAYMENTS TO THE FULL, AND WORK WITH A LEADING NETWORK OF PROVIDERS

BANKING PARTNERS: ANZ, Bank of South Australia, BankWest, BOQ, Citigroup, Commonwealth Bank, National Australia Bank, St George, Westpac
SCHEME PARTNERS: VISA, MasterCard, AMEX, Diners, Discover
INDUSTRY PARTNERS: Parking, Vending, Other Unattended

OVERVIEW OF PAYMENT EXPRESS TECHNOLOGY PORTFOLIO
Broadband EFTPOS
DPS and Merchant Hosted Payment Pages
Batch Processing
Parking, Kiosks, Vending
MOTO Transactions
Recurring Billing
Full Web-Based Reporting
IVR
PAYMENT EXPRESS

POINTS OF DIFFERENTIATION
Complete card acceptance platform
Largest independent IP payment gateway in Australasia
EFTPOS, batch, call centre, e-commerce, mobile and unattended payments
End to end accountability, from card capture to acquirer / issuer
Exceeds local and global security standards; compliance guaranteed
Product of choice for merchants in Australia & NZ
Extremely flexible and feature rich
Supplied under a SaaS model

DPS CAPABILITIES
One of the largest IBM server farms in the local region
Payment Express processes via 6 datacentres, including 2 in the UK and 2 in Australia
DPS authorises 20 million+ transactions per month
No dependency on 3rd party software providers
Multiple host systems, UPS, failover switches, backup generators and offsite DR
Redundant GPRS connectivity option for EFTPOS solutions
99.999% availability
CONTACT
Stuart McGregor
Business Development Manager
PHONE: +61 2 8268 7700 | MOBILE: +61 417 619 757
EMAIL: [email protected]
www.paymentexpress.com