8. dave.witts@creditcall.com www.Creditcall.com/emv-migration
philipyu@t2systems.com www.T2Systems.com
P2PE vs. PCI P2PE

Comparison of a PCI P2PE (Certified) solution against a P2PE (Non-Certified) solution, row by row:

P2PE Implementation Manual (PIM) for the merchant to follow
  PCI P2PE (Certified): Mandatory - merchants must follow the PIM to get PCI P2PE protection
  P2PE (Non-Certified): Not defined

Secure supply chain
  PCI P2PE (Certified): Mandatory - merchants must use the scheme defined by the solution provider
  P2PE (Non-Certified): Not defined

PCI DSS de-scoping
  PCI P2PE (Certified): Yes - if the merchant is only using a PCI P2PE certified solution to take card payments, the merchant can complete the PCI DSS SAQ designed for P2PE
  P2PE (Non-Certified): No - it remains each processor's decision whether the solution offers any de-scoping of PCI DSS

PINpad key injection cost
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

PINpad encryption licence cost
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

Solution provider costs to provide encryption
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

Certification costs
  PCI P2PE (Certified): The solution provider has to cover the cost of the P2PE assessment; the merchant should have lower PCI DSS costs if only using a certified solution
  P2PE (Non-Certified): The merchant carries all the cost of PCI DSS
Tokenization
• “The replacement of a credit card number and expiry
date with a non-sensitive equivalent that has no
exploitable value.”
• A Payment Gateway organisation returns a token in place of the card number and
expiry date for every transaction authorization it receives. Because the token is
issued by the gateway and cannot be turned back into the card number without the
gateway's vault, the merchant can store it with no special precautions and use it in
place of the actual card number for any subsequent transaction.
17 November 2015 | 9
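The gateway-side mechanics behind the bullets above, as an added example that is not code from the original deck, Creditcall or T2 Systems. It assumes a design (hypothetical, but typical) in which the gateway keeps a vault mapping random tokens to card data, preserves the last four digits of the PAN in the token for receipts, and deliberately makes tokens fail the Luhn check so a token can never be mistaken for a real card number. The card numbers are the standard test PANs, not real cards.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812) so junk never enters the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Hypothetical gateway-side token vault. The merchant never holds an instance of this;
    it only ever sees the strings tokenize() and charge() return."""

    def __init__(self, index_key: bytes):
        # Keyed hash of (PAN, expiry) is used as the lookup index so that the vault's
        # index table is not a second plaintext copy of every card number.
        self._index_key = index_key
        self._by_token: Dict[str, Tuple[str, str]] = {}
        self._by_card: Dict[str, str] = {}

    def _card_index(self, pan: str, expiry: str) -> str:
        msg = f"{pan}|{expiry}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, expiry: str) -> str:
        """Return the token for this card, minting one if the card is new to the vault."""
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        if not (len(expiry) == 4 and expiry.isdigit()):
            raise ValueError("expiry must be MMYY")
        idx = self._card_index(pan, expiry)
        if idx in self._by_card:              # same card -> same token, so merchants can reuse it
            return self._by_card[idx]
        while True:
            # Token = leading '9' (not a payment-network IIN range) + 11 random digits + real
            # last four. Nothing in it is derived from the PAN, so it has no exploitable value.
            token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(11)) + pan[-4:]
            if token in self._by_token or luhn_ok(token):
                continue                      # keep tokens Luhn-invalid: never looks like a PAN
            break
        self._by_token[token] = (pan, expiry)
        self._by_card[idx] = token
        return token

    def detokenize(self, token: str) -> Tuple[str, str]:
        """Gateway-internal only: recover the card data behind a token."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None

    def charge(self, token: str, amount_minor: int) -> Dict[str, object]:
        """Simulated subsequent transaction on a stored token. The real PAN is looked up here
        and would be forwarded to the processor; only a masked PAN goes back to the merchant."""
        pan, _expiry = self.detokenize(token)
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        return {"token": token, "amount_minor": amount_minor,
                "masked_pan": masked, "approved": True}   # approval is simulated


if __name__ == "__main__":
    gateway = GatewayVault(index_key=secrets.token_bytes(32))
    tok = gateway.tokenize("4111111111111111", "1217")     # constructed test card
    print("merchant stores:", tok)
    print("later charge:", gateway.charge(tok, 1000))
```

The two properties worth checking in any vendor's tokenization are visible here: the same card yields the same token on every authorization (so the merchant can keep it for repeat transactions), and the token string reveals nothing but the last four digits, which the merchant already prints on receipts.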
What Happens During EMV Certification –
Typically up to 16 Months
1) Select an EMV Card Reader – 3 Months
• A card reader is where a large part of an EMV transaction takes place,
through a complex dialogue between the chip card and the reader.
• Integrators must invest time in learning about EMV (e.g. Application
Selection, Data Authentication, Online Processing and Issuer Script
Processing), transaction flows, transaction logic and, of course, exception
handling when an error inevitably occurs in the transaction.
What Happens During EMV Certification –
Typically up to 16 Months
2) Processor Interfaces and EMV Messages – 6 Months
• Each processor has its own requirements, and every interface will need to be
modified to support the new EMV data fields and process flows.
• Most interfaces are based on legacy code developed many years ago, so the
addition of new features such as EMV becomes an increasingly difficult task.
• Processors will have scaled their integration support sufficiently to cope with
the mass of other integrators who will be following the same path.
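The "new EMV data fields" of step 2 and the chip-to-reader dialogue of step 1 both ride on BER-TLV encoding: the card returns TLV templates to the reader, and the reader forwards a subset of the tags to the processor for online authorization. The decoder below is an added example written for this page, not code from the deck, Creditcall or T2 Systems; it assumes the standard EMV encoding rules (multi-byte tags, short and long-form lengths, nested templates) and the tag numbers from EMV Book 3. The sample message and every value in it are constructed test data.

```python
from typing import List, Optional, Tuple, Union

TLVItem = Tuple[str, Union[bytes, List["TLVItem"]]]

# Constructed sample (made-up values): the ICC data a reader carries to the processor for an
# online authorization, wrapped in a 77 response template. Tag meanings per EMV Book 3.
SAMPLE_FIELD55_HEX = (
    "7746"                      # 77   template, length 0x46 = 70 bytes
    "82021C00"                  # 82   Application Interchange Profile
    "95050000008000"            # 95   Terminal Verification Results
    "9A03151117"                # 9A   Transaction Date (YYMMDD)
    "9C0100"                    # 9C   Transaction Type (purchase)
    "5F2A020840"                # 5F2A Transaction Currency Code (840 = USD)
    "9F0206000000001000"        # 9F02 Amount, Authorised (BCD, minor units)
    "9F100706010A03A00000"      # 9F10 Issuer Application Data
    "9F26081122334455667788"    # 9F26 Application Cryptogram
    "9F270180"                  # 9F27 Cryptogram Information Data (0x80 = ARQC)
    "9F36020001"                # 9F36 Application Transaction Counter
    "9F3704DEADBEEF"            # 9F37 Unpredictable Number
)


def parse_tlv(data: bytes) -> List[TLVItem]:
    """Decode BER-TLV as EMV uses it: multi-byte tags, short/long lengths, nested templates."""
    items: List[TLVItem] = []
    i = 0

    def need(n: int) -> None:
        if i + n > len(data):
            raise ValueError(f"truncated TLV at offset {i}")

    while i < len(data):
        if data[i] in (0x00, 0xFF):         # padding between objects is permitted
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:            # tag continues while bit 8 of each next byte is set
            while True:
                need(1)
                i += 1
                if not data[i - 1] & 0x80:
                    break
        tag = data[start:i].hex().upper()
        need(1)
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: 0x8N followed by N length bytes
            n = length & 0x7F
            if n == 0 or n > 4:             # 0x80 (indefinite) is BER, never valid in EMV
                raise ValueError(f"unsupported length encoding for tag {tag}")
            need(n)
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        need(length)
        value = data[i:i + length]
        i += length
        if first & 0x20:                    # constructed object: value is itself a TLV list
            items.append((tag, parse_tlv(value)))
        else:
            items.append((tag, value))
    return items


def encode_tlv(items: List[TLVItem]) -> bytes:
    """Inverse of parse_tlv; emits long-form lengths when a value is 128 bytes or more."""
    out = bytearray()
    for tag, value in items:
        body = encode_tlv(value) if isinstance(value, list) else value
        out += bytes.fromhex(tag)
        if len(body) < 0x80:
            out.append(len(body))
        else:
            lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
            out.append(0x80 | len(lb))
            out += lb
        out += body
    return bytes(out)


def find(items: List[TLVItem], tag: str) -> Optional[bytes]:
    """First occurrence of a primitive tag, searching inside templates."""
    for t, v in items:
        if t == tag and isinstance(v, bytes):
            return v
        if isinstance(v, list):
            hit = find(v, tag)
            if hit is not None:
                return hit
    return None


def summarize(field55_hex: str) -> dict:
    """Pull out the fields a processor integration has to validate before going online."""
    tree = parse_tlv(bytes.fromhex(field55_hex))
    cid = find(tree, "9F27")[0]
    return {
        "cryptogram_type": {0x00: "AAC", 0x40: "TC", 0x80: "ARQC"}.get(cid & 0xC0, "RFU"),
        "cryptogram": find(tree, "9F26").hex().upper(),
        "atc": int.from_bytes(find(tree, "9F36"), "big"),
        "amount_minor": int(find(tree, "9F02").hex()),   # BCD digits read as decimal
        "tvr": find(tree, "95").hex().upper(),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FIELD55_HEX))
```

Two of the exception cases from step 1 show up even in this small decoder: a value whose length runs past the end of the buffer, and a long-form length the kernel does not support. Both must be rejected rather than silently truncated, because the processor will recompute the cryptogram over exactly the bytes it was sent.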
What Happens During EMV Certification –
Typically up to 16 Months
3) Card Brand Certifications – 4 months
• Once processor interfaces have been updated, the complex task of end-to-end
testing and certification begins.
• M-TIP (MasterCard), ADVT (Visa), AEIPS (American Express) and D-PAS (Discover)
are the four different card brand test suites required.
• Processors have not been able to cope with the volume of certifications
required before the October 2015 Liability Shift and continue to struggle.
• This is NOT a one-time process - it must be repeated every three years,
when the EMV kernel approval on the card reader expires.
What Happens During EMV Certification –
Typically up to 16 Months
4) Terminal Management System – 3 months
• It is essential that any EMV solution deployed has access to a TMS
platform for efficient and timely deployment of updates.
• Without a TMS platform, there is a risk of having card readers
without current software or the latest configuration.
Current State of US EMV Certifications
• Unattended certifications have been delayed because processors are
giving attended certifications priority.
• Attended payments carry larger dollar volumes, which is what concerns processors.
• Unattended certifications are scheduled to start in Q4 2015 with a
3-4 month window for completion.
• If certification fails at any stage it must start again from the beginning,
so it is important that everything is ready before certification starts.
Current State of US EMV Certifications
VeriFone VX820 for attended transactions is currently EMV
certified with First Data and Chase. EMV certification with Elavon is
expected Q4 2015, Global Payments & TSYS Q1 2016,
Heartland Q2 2016.
Globalcom BV1000 for unattended transactions has EMV
certifications scheduled with First Data, Chase, Elavon, Global
Payments, Vantiv & TSYS for Q2 2016, and with Heartland for Q3
2016.
What is P2PE Certification
It is a solution comprising components that store, process
and transmit account data as part of a payment authorization or
settlement, while performing the cryptographic key management
functions that protect that data.
Every transaction is uniquely encrypted at source (in the PIN entry
device) and decrypted only once, in the secure Payment Gateway,
for processor authorization.
What is P2PE Certification
The solution is deployed and maintained in a fully traceable, and secure
manner with clearly defined roles and responsibilities for all parties
involved throughout the life of the product thus ensuring compliance
integrity.
The PCI SSC certify that the solution meets the PCI P2PE standards
and list the solution on the PCI website:
https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
The PCI Family & Relationship

• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Application Vendors)
• Acquirers, Payment Gateways, Software Developers & KIFs: PCI P2PE Security Standard
• Merchants & Processors: PCI DSS Data Security Standard (potentially reduced when a
PCI P2PE solution is used)
The P2PE Assessment Process

1) The P2PE Solution Provider selects a P2PE Assessor.
2) The P2PE Solution Provider then provides the Assessor with access to the P2PE solution.
3) The P2PE Assessor determines the scope and assesses key-injection facilities,
Certification Authorities, devices, applications, deployment and merchant support
mechanisms. They prepare the P-RoV and submit it to the PCI SSC for review.
4) Review of the P-RoV by the PCI SSC.

• The Solution Provider must have confidence of compliance before starting the
assessment.
• The assessment is completed by an independent PCI-approved QSA assessor.
• It involves evidence gathering and potentially multiple site visits to produce
a P2PE Report of Validation (P-RoV).
• PCI SSC review and listing timescales are determined by the quality of the P-RoV
and the PCI SSC workload.
If you have any questions, please contact:
Dave Witts
President of US Payment Systems
Creditcall Corporation
1133 Broadway, Suite 706, New York, NY 10010
609 339 9080
dave.witts@creditcall.com
Dave.Witts59
If you have any questions, please contact:
Philip Yu
Director, Product Management
T2 Systems
8900 Keystone Crossing, Suite 700, Indianapolis, Indiana 46240
317 524 7470
philipyu@t2systems.com