
Introduction to Credit Card Standards Payment Card Industry (PCI) & Europay, MasterCard and Visa (EMV)

9-July-2018 v2.1 PCI3x

INTRODUCTION TO CREDIT CARD STANDARDS 1

EnvisionWare eCommerce Services™ is a collaborative development between the leading provider of enterprise library self service and the leading global providers of technology for electronic payment transactions and value-added services at the point of sale.


Table of Contents

Introduction to Credit Card Standards 1

Table of Contents 2

Introduction 4

Quick Start - EnvisionWare Compliance with PCI 3x 5

Terminology 6

Comprehensive Review of PCI 3x Compliance 8

Validation Documents 8

Certifications for the Verifone System (USA) 9

• Document 1: Verifone / EnvisionWare Validation Letter 9

• Document 2: Terminals 9

• Document 3: Gateway / Hosting 10

• Document 4: EMV Certification 10

• Document 5: EnvisionWare Hosting (AWS) 11

• A Sixth Document - SSAE16 SOC2 11

Certifications for PaymentExpress (Australia, Canada, Ireland) 12

• Document 1: PaymentExpress / EnvisionWare Validation Letter 12

• Document 2: Terminals 12

• Document 3: Gateway / Hosting 13

• Document 4: EMV Certification 13

Certifications for SecurePay (Australia) and Chase Paymentech (Canada) 15

Selecting a Processor / Acquirer 15

PCI Standard 16

PCI Assurance 17

EMV (Chip and PIN / NFC) 18

Transport Layer Security (TLS) 19


3-D Secure 19

Workflows 20

• Web Workflow 20

• Terminal Payment Workflow 21

Merchant Levels 21

Certifications and Documentation 22

Advanced Documentation 23

Network Diagrams 23

Verifone VeriShield Total Protect White Paper 23

For Further Study 23


Introduction

This document is intended as an introductory overview for libraries adopting eCommerce solutions for the first time or migrating from legacy solutions. The information contained herein is for general information and guidance. It does not replace the knowledge and information libraries should receive from their acquirer or processor, a Qualified Security Assessor (QSA), or a firm providing services related to self assessment.

Many customers express concern over PA-DSS and PCI, which is why EnvisionWare focuses on making PCI compliance safe and easy. Confusion mounts when standards evolve and when widespread misinformation is spread, whether accidentally or by design. Some organizations use fear as a method for scaring customers into making major, costly and often unnecessary changes. Neither EnvisionWare nor any other third-party vendor has the final authority on what is acceptable - that rests with your acquirer or processor.

EnvisionWare is committed to making the lives of our customers easy. That means we take very seriously any changes that may affect product designs and we leverage our long history of service to public libraries as a guide to delivering technical information that is clear, concise and factual. As part of a new procurement, our Implementation Consultants provide education and guidance for securing library PCI compliance.

Regardless of your initial PCI compliance status, EnvisionWare protects customers with PCI Breach Protection, offering an annual maximum protection of $500,000.00 and $100,000.00 per incident. Not only are you covered for a breach, you are also covered for the expense of investigating a potential breach. And while we absolutely want every customer to be in full compliance with PCI, our customers are still protected under the insurance policy even if not PCI compliant!


EnvisionWare provides breach protection for all US eCommerce customers with annual coverage of $500,000.00 and a per-incident amount of $100,000.00. There is a ZERO deductible.


Quick Start - EnvisionWare Compliance with PCI 3x

For the purposes of PCI, libraries are merchants. While libraries tend to think of merchants as businesses, when it comes to accepting credit cards, libraries are merchants. Everything that applies to a retail merchant applies to a library.

Providers like EnvisionWare are required to provide PA-DSS compliant solutions that protect cardholder data.

Merchants like libraries are required to become PCI compliant. Unless you are part of a large municipality that manages PCI centrally and uses a Qualified Security Assessor (QSA), you will complete a PCI Self Assessment Questionnaire (SAQ). You can perform this online at Trustwave, ControlScan or one of several other providers, or you can accept the recommendations of your chosen merchant processor.

Your merchant processor or acquirer makes determinations about compliance requirements for your library. Some processors are more lenient than others.

The typical request is for delivery of a copy of your provider’s Attestation of Compliance (AOC). A list of document links is provided in the section called Certifications. Customers may log into the EnvisionWare Customer Center at http://support.envisionware.com, select Knowledge Base, and locate article KB 1930. Any licensed customer can access this article at any time.[1] The article contains all of the current certification information. Use of the actual form is generally preferred over complex searches of the PCI website. If you wish to perform a PCI website search please read the more comprehensive information later in this document.

[1] This is because you are obligated to protect the information according to the End User License Agreement.


Which SAQ? Customers report that they are completing the following:

For WEB transactions: current customers are completing SAQ A.

For TERMINAL transactions: customers are completing SAQ P2PE.


If you are a prospective customer, we require a non-disclosure agreement for access to the full AOC because certain information contained in the current AOC form is more extensive and revealing than prior documents and we are required to obtain assurance of protection by the gateway providers (Verifone, PaymentExpress, Moneris, SecurePay and Chase Paymentech).

Terminology

Acquirer: A bank or financial institution that processes credit card payments. Also called Merchant Bank.

AOC: Attestation of Compliance - a declaration of compliance that has been executed by a QSA (Qualified Security Assessor).

AVS: Address Verification System. This is additional information, such as zip code, address or CVV2, that is used in addition to the card number as an assurance of a valid user.

BIN: Bank Identification Number - the first 6 digits of a card number, it identifies the financial institution that issued the card.

Cardholder: Consumer or non-consumer to whom a payment card is issued (patron).

Cardholder Data: PAN (credit card number), name, expiration date and service code. Systems must also protect full magnetic stripe data, CVV, PINs, PIN blocks and card validation codes.

EMV: Europay, MasterCard and Visa www.emvco.com. This standard defines the software and hardware compliance for chip and signature, chip and PIN, and contactless payment.

Gateway: An eCommerce application service provider service that authorizes credit card payments. PAYware (Connect and POINT), PaymentExpress and SecurePay are examples of the gateway service in this system.


EVERY aspect of cardholder capture and processing is under the control of Verifone, PaymentExpress, SecurePay, Chase Paymentech or Moneris.


Merchant: ANY entity that accepts credit cards from: Amex, Discover, JCB, MasterCard or Visa (this includes every entity whether for profit, non-profit, government or commercial that accepts credit cards as a form of payment). A library is a merchant.

Merchant Acquirer: An entity that solicits merchants on behalf of an Acquiring Bank for payment card acceptance and enables card payments from customers. These can be banks but banks can also be resellers of other acquirer services like Paymentech, First Data, Elavon, TSYS, etc.

NFC: Near Field Communication (contactless using ~ RFID). Contactless credit cards (touch and go) and Apple Pay are examples of NFC technology.

P2PE: Point-to-Point Encryption standard. Terminals encrypt data and transmit an encrypted packet to the gateway.

PA-DSS: Payment Application Data Security Standard (provider compliance)

PAN: Primary Account Number (credit card number)

PCI: Payment Card Industry

PCI DSS: Payment Card Industry Data Security Standard (merchant compliance)

Payment Application: Software that stores, processes or transmits cardholder data as part of an authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.

Personally Identifiable Information: Information that can be utilized to identify an individual such as cardholder name, address, social security number and phone number.

Processor: A company that communicates with issuing banks to authorize and settle complete credit card transactions.

QSA: Qualified Security Assessor - a company approved to validate adherence to PCI DSS requirements.

Redirect: An instance of redirecting something from one address to another such as a URL for a web page. A user in Australia that types www.google.com into the browser will likely be redirected seamlessly to www.google.com.au.

SAQ: Self-Assessment Questionnaire — a reporting tool used to document self assessment results of merchant’s PCI DSS assessment. There are various types of SAQs dependent on the use (eCommerce or kiosk / point of sale) and the system architecture.

Terminal: A device that encrypts and transmits card data to a gateway.


Comprehensive Review of PCI 3x Compliance

Validation Documents

There are four basic documents that represent the certifications for the system when implemented with Verifone or PaymentExpress:

1. Verifone or Payment Express / EnvisionWare validation
2. Terminals
3. Gateway / Hosting
4. EMV

There may also be an accounting standard that applies in either case. In addition, some customers use a hosted implementation of the eCommerce Server, for which an additional document may be used.

For SecurePay, Moneris or Chase Paymentech, certification information is provided when a customer engages with these providers.

Some of this information is published on the PCI Security Standards Council website, which is considered the authoritative source of all PCI validation information. In the event that the documentation provided in the EnvisionWare Knowledge Base is insufficient and your processor requires online documentation from the PCI website, your searches will focus on Verifone, not EnvisionWare. This is because EnvisionWare and Verifone entered into a partnership for providing eCommerce solutions in the USA in 2005. EnvisionWare eCommerce Services was the first multi-ILS product for paying fines via the web and at kiosks. It is the first product to offer a combination of web, terminal, credit card, charge, deposit account and cash and vending support in a single system.

Information about EMV is published at emvco.com, the worldwide interoperability organization focused on Chip and PIN/Chip and Signature and Contactless payment.

Each processor certifies a provider. The same Knowledge Base article contains a list of the currently supported options per processor. This chart is updated continuously as we add more certifications as a result of customer requests.


Terminal Security Model

The terminal security model is described in a 1-minute video at http://www.envisionware.com/ecommerce_security. This technical discussion explains the overall model for kiosk, Point of Sale, Print, Copy, Fax, Scan, Fine.


Certifications for the Verifone System (USA)

• Document 1: Verifone / EnvisionWare Validation Letter

This letter serves to validate EnvisionWare as being in full compliance with the Verifone Point technology and services.

• Document 2: Terminals

The Payment Card Industry (PCI) Security Standards Council Letter of Approval - PCI PIN Transaction Security Testing Program.

The latest of these is provided in the KB solution referenced above. The credit card terminal is currently certified through the year 2023.


• Document 3: Gateway / Hosting

The Attestation of Compliance (AOC) for Onsite Assessments - Service Providers is an AOC for the Verifone PAYware/POINT gateway service. This covers the gateway / web portion of the system as well as communication to the terminal. The terminal end point is covered above.

It is important to note that an AOC has a date on the COVER of the document that represents the date the FORM was created, not the date of certification. You can locate the certification date near the last page of the current AOC. AOCs expire annually. If you find, for example, that the current AOC expires in September, you can re-visit the Knowledge Base Article (1930) on or after the expiration date to locate the updated AOC. The complete AOC is available only to licensed customers and only by accessing the AOC and related forms by logging into the EnvisionWare Customer Center. If you do not have a login ID you can request one at the Customer Center.

Prospective customers can be assured of continual compliance with the AOC for a number of reasons. Verifone is one of the largest providers of eCommerce solutions in the world. EnvisionWare is one of the largest providers of library self service solutions in the world. In order for us to protect ourselves it is in our best interest to provide only compliant solutions.

• Document 4: EMV Certification

EMV: Europay, MasterCard and Visa, is a standard for Chip and Contactless transactions designed to enhance security of card present transactions. EMVCO.Com provides a listing of the certified systems that support chip and contactless transactions.


• Document 5: EnvisionWare Hosting (AWS)

Customers using EnvisionWare eCommerce Server as a hosted service can view the AOC for Amazon Web Services. Note that the EnvisionWare eCommerce Server is out of scope for PCI. Out of scope means that the component is not in the path of nor does it store or receive any cardholder data. Some customers have requested assurance that the eCommerce server is in an AOC-compliant hosting provider.

• A Sixth Document - SSAE16 SOC2

Some larger municipalities are adopting a broad array of accounting audit standards that go beyond auditing of financials to include how infrastructure is managed including server security procedures. This certification is NOT a component of PCI or standard transaction compliance widely known today. Rather, it is an accounting standard. The specific certification is SSAE 16 SOC2. EnvisionWare maintains current SOC2 compliance information on file. Access to this information is by request only and it requires execution of a non-disclosure agreement by any party wishing to access the information.


Certifications for PaymentExpress (Australia, Canada, Ireland)

• Document 1: PaymentExpress / EnvisionWare Validation Letter

This letter serves to validate EnvisionWare as being in full compliance with the PaymentExpress technology and services.

• Document 2: Terminals

The PCI website certification listing is available online for the Ingenico iPP350 terminal. The latest of these is provided in the KB solution referenced above. The credit card terminal is currently certified through the year 2020.


• Document 3: Gateway / Hosting

The Attestation of Compliance (AOC) for Onsite Assessments - Service Providers is an AOC for the PaymentExpress gateway service. This covers the gateway / web portion of the system as well as communication to the terminal. The terminal end point is covered above.

It is important to note that an AOC has a date on the COVER of the document that represents the date the FORM was created, not the date of certification. You can locate the certification date near the last page of the current AOC. AOCs expire annually. If you find, for example, that the current AOC expires in September, you can re-visit the Knowledge Base Article (2553) on or after the expiration date to locate the updated AOC. The complete AOC is available only to licensed customers and only by accessing the AOC and related forms by logging into the EnvisionWare Customer Center. If you do not have a login ID you can request one at the Customer Center.

Prospective customers can be assured of continual compliance with the AOC for a number of reasons. PaymentExpress is a global provider of eCommerce solutions. EnvisionWare is one of the largest providers of library self service solutions in the world. In order for us to protect ourselves it is in our best interest to provide only compliant solutions.

• Document 4: EMV Certification

EMV, Europay, MasterCard and Visa, is a standard for Chip and Contactless transactions designed to enhance security of card present transactions. EMVCO.Com represents a collaboration of American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and it is supported by banks, processors and vendors like PaymentExpress and EnvisionWare around the world.

The primary form of transaction is Chip and PIN (something you have, the chip card, and something you know, the PIN). The US has been slow to adopt the Chip style card as well as contactless payments like ApplePay. As a result, the card processors have determined when they will accept Chip and Signature and when Chip and PIN is required. It is likely that at some point in the future all transactions will be Chip and PIN once all merchants and cardholders possess the cards and terminals.

NOTE: Each card issuer determines whether a transaction is Chip and PIN, Chip and Signature, or Swipe. No other entity has control over this.


Certifications for SecurePay (Australia) and Chase Paymentech (Canada)

These implementations are for web-based payments only - credit card terminals are not supported. Customers engage directly with these providers who will provide their certifications as part of registering for the service.

The EnvisionWare implementation for Chase Paymentech uses the Orbital Gateway Hosted Payment API.

The implementation for SecurePay uses the SecureFrame API.

Selecting a Processor / Acquirer

Customers may engage with their bank or any other bank as well as directly with processors. A processor is a service that connects to the card issuers like Visa, MC, Amex and others. Processors include TSYS, FirstData, Elavon and others. Many libraries assume that they must use the service provided by their bank. Generally speaking, banks are acting as a reseller for a specific processor. There is a financial arrangement between the bank and the processor so that the bank can generate income from selling the processing service.

Any processor can deposit into virtually any bank. Rates vary greatly which is why it’s a good idea to shop for the best rates, particularly since libraries have a typical transaction amount of around $17.00.

The Knowledge Base article 1930 lists the currently supported processors in Verifone Validated Processors. A quick web search will lead customers to the various entities. Not only do rates vary, but so does the complexity of the relationship. Some processors are more rigid than others. As with any service, it’s important to select a company you want to do business with and one that provides the best VALUE for the combination of service and price.


PCI Standard

PCI is the standards organization that works to define requirements and standards to assure transaction compliance and security.

As a merchant, a library is required to become PCI-compliant by successfully completing one or more Self Assessment Questionnaires (SAQs) each year. A company like Trustwave provides a relatively easy on-line system for completing a self assessment and starting a routine vulnerability scan of your system. Larger systems and municipalities will usually contract with a Qualified Security Assessor (QSA) who will provide guidance and perform an audit. This firm will generally complete the certification process.

There are a number of areas of your library operation that are affected by PCI. Aside from the payment system compliance, there are operational considerations such as changing passwords every 90 days; limiting the number of staff that have access to systems; eliminating acceptance of card information via fax, email or telephone. You can use Trustwave to gain a better understanding of the requirements and you can use the online wizard to complete your self assessment. (EnvisionWare is not affiliated with Trustwave - we cite this company as an example because of customer feedback and our own use of Trustwave to certify our Customer Center for credit card payments.)

You are required to maintain a chain of custody for terminals. This means that upon arrival at your door you must ensure that packages are not opened and that they are kept secure during storage and especially during rollout. You cannot leave terminals to be installed unattended at any time.

In the case of passwords, most organizations rarely require password changes more than once a year, but your eCommerce system passwords must be changed every 90 days. They must be secure (the longer the better) and you must limit the number of people that possess the passwords. You should never give an eCommerce password to anyone outside your organization, even EnvisionWare. If you do give an eCommerce password to EnvisionWare for troubleshooting, you must change it upon completion of the Support Case.

You cannot accept cardholder information in any written form, whether handwritten in front of you, via Fax or email, or by telephone. The Self Assessment process will inform you about the various attributes of compliance because you will be asked to assert what you will and will not do. Upon completion of your self assessment you should educate all staff about the important attributes of library policy affected by compliance.


While your staff are trusted individuals, the fact that many breaches in eCommerce occur from internal breach throughout the industry means that any investigation into a breach will include questions of your staff. They need to know the policies so they can protect themselves and your library.

PCI Assurance

PCI Assurance is a program designed to orient you to some of the general guidelines related to eCommerce, processors, self assessment and breach protection.[2] The day you go live you are covered by EnvisionWare’s PCI Protection Program, which gives you $500,000.00 of annual breach protection with a limit of $100,000.00 per incident.

Here are key attributes of the insurance:

• ZERO deductible

• Payment within 30 days is typical

• Coverage not only for a breach but also for the costs of investigating a suspected breach

• Coverage even if you are not PCI-compliant (but you must become compliant if a claim occurs)

In addition, under our PCI Assurance program, customers using the terminal subscription program are protected against obsolescence. Hundreds of outdated terminals were replaced in the past as a result of long-time customers having terminals before the publication of the newest EMV standards. In contrast to customers that may have purchased terminals from other companies, EnvisionWare customers are protected under the Assurance Program. We replaced terminals without a capital loss for our customers. Our customers are now upgraded to the latest terminals that are in complete compliance with the current EMV standards.

[2] EnvisionWare can provide general information; however, only a QSA (Qualified Security Assessor) is authorized to certify or deliver authoritative information related to PCI compliance. We have access to QSAs as needed, but for the most part, libraries can conduct self assessments and use online educational materials.


EMV (Chip and PIN / NFC)

EMV is an acronym for Europay, MasterCard and Visa. These companies joined forces to promote a standard for ensuring compliance in card present, chip-based transactions. Credit cards with a chip or smartphones using contactless provide a higher level of protection against fraud. The security is so much greater that card issuers established a fraud responsibility model. In general, if a merchant (library) supports EMV, fraud will be the responsibility of the card issuer. If a library does not support EMV, fraud will be the responsibility of the library.

Verifone MX915 and PaymentExpress iPP350 terminals support Swipe, Chip and PIN, Chip and Signature, and NFC (Touch and Go). The card issuer (i.e. Amex, Visa) determines which method is required for any given transaction.

EMVCO.Com represents a collaboration of American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and it is supported by banks, processors and vendors like Verifone, PaymentExpress and EnvisionWare around the world.

The primary form of transaction is Chip and PIN: something you have (the chip card) and something you know (the PIN). The US has been slow to adopt the Chip-style card as well as contactless payments like ApplePay. As a result, the card processors have determined when they will accept Chip and Signature and when Chip and PIN is required. It is likely that at some point in the future all transactions will be Chip and PIN once all merchants and cardholders possess the cards and terminals.

NOTE: Each card issuer (MasterCard, Visa, etc.) determines whether a transaction is Chip and PIN, Chip and Signature, or Swipe. No other entity has control over this.


Transport Layer Security (TLS)

Transport Layer Security is a cryptographic protocol that provides encryption between computers/applications over a network. TLS replaces SSL (Secure Sockets Layer). SSL is a specific term and one that is used more generically to mean encryption.

TLS 1.2 is the current standard as of PCI 3.2. Anyone operating SSL, whether eCommerce or otherwise, should consider updating their system to comply with the latest release of TLS. SSL has been deprecated by the Internet Engineering Task Force (IETF) and it is not permitted under PCI standards.

All eCommerce systems provided by EnvisionWare use TLS1.2. While every effort should be made to update servers hosting web pages, customers running older versions of IIS (Internet Information Server) as their web server platform should be certain to read the Knowledge Base article KB2272 for information about disabling SSL support so that only TLS1.2 will be used.

From a generic perspective, users may often refer to the purchase of an SSL certificate for a website, which delivers https:// instead of http:// and which is mandatory for financial applications. Regardless of what a certificate may be called or whether someone uses SSL in a more generic context to refer to encrypted communications, the valid protocol is TLS and specifically TLS1.2. (Like SSL, TLS will continue to evolve as hackers find more ways to break into communication systems.)
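The protocol floor described in this section, as an added example that is not part of the EnvisionWare document: a Python standard-library `ssl` client context that refuses anything below TLS 1.2 and verifies the server certificate and hostname, set beside the weak legacy configuration it replaces, with an `audit_context()` check that reports which of the three requirements a given context fails. The function names and the "legacy" context are constructed for contrast; only the `ssl` module calls are real.

```python
import ssl


def make_pci_client_context() -> ssl.SSLContext:
    """Client context meeting the floor the text describes: TLS 1.2 or newer only,
    server certificate validated against the system trust store, hostname checked."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """The weak setting (constructed for contrast): negotiate whatever the OpenSSL
    build still speaks and skip certificate validation entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the ways ctx falls short of the PCI 3.2 floor; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


def negotiated_version_ok(version: str) -> bool:
    """Runtime counterpart: check the string SSLSocket.version() returns after the handshake."""
    return version in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    print("hardened:", audit_context(make_pci_client_context()) or "meets floor")
    print("legacy:  ", audit_context(make_legacy_client_context()))
```

Checking `ssock.version()` with `negotiated_version_ok()` after `ctx.wrap_socket()` connects is the runtime counterpart of the static audit; disabling SSL on the server side (the IIS case in KB2272) enforces the same floor from the other end of the connection.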

3-D Secure

3-D Secure is an additional security layer for online credit card transactions. Verified by Visa uses 3-D Secure. MasterCard uses MasterCard SecureCode. Other issuers have also adopted the protocol.


Workflows

Your acquirer may ask about the transaction workflows. This section provides an overview of the workflow for web-based transactions and for terminal-based transactions. PCI considers only that portion of a transaction that is IN SCOPE - the act of entering and processing actual credit card information. If you consider the terminal as related to the Staff Register application, Staff Register and all its modules are OUT OF SCOPE FOR PCI, as you’ll see below.

• Web Workflow

OUT OF SCOPE PORTION

You will typically place a button or link on your website to Pay Fines. (Some ILS support single sign-on from the Catalog MyAccount page) The EnvisionWare eCommerce Server is used to query fines and determine the amount to pay. This server does not accept any form of cardholder information - its purpose is to give the patron a menu of items to pay and to post the results to the ILS after payment is received.

1. The patron will validate to eCommerce Server with library card number and PIN
2. The eCommerce Server will query your ILS for fine information
3. A page is presented to allow selection of fines to pay
4. A menu with choices for payment method is displayed
5. The patron selects Credit Card as the payment method

IN SCOPE PORTION

6. The amount to pay is transmitted to a page that is HOSTED by the Verifone, Payment Express, SecurePay, Chase Paymentech, or Moneris system.

7. The hosted page accepts the patron’s entry of the card information. It then returns a success/fail and transaction ID.

ALL CARDHOLDER DATA IS ENTERED ON A SYSTEM HOSTED AND SECURED BY THE VERIFONE / PAYMENT EXPRESS OR OTHER SYSTEM (NO CARDHOLDER DATA IS STORED OR PASSED THROUGH YOUR ILS OR THE ECOMMERCE SERVER PORTION OF THE TRANSACTION).


• Terminal Payment Workflow

OUT OF SCOPE PORTION

1. The application will send an amount to pay to the Terminal.
2. The terminal will activate.

IN SCOPE PORTION

3. The patron will insert or swipe his or her credit card or touch the terminal.
4. The information is encrypted inside the terminal and then transmitted over an encrypted link (TLS 1.2) to the Verifone or Payment Express Gateway (two levels of encryption).
5. Verifone or PaymentExpress processes the transaction and sends back a result code and ID.
6. The result code and ID are sent from the terminal to the application.

NO CARDHOLDER DATA IS ENTERED OR PASSED THROUGH ANY OF THE APPLICATIONS (CARDHOLDER DATA PASSES ONLY BETWEEN THE TERMINAL AND THE VERIFONE OR PAYMENTEXPRESS GATEWAY).
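The scope statements in both workflows, together with the Cardholder Data, PAN and BIN entries in the Terminology section, describe a boundary a library can verify rather than assume: the ILS, the eCommerce Server and the Staff Register application should never see a PAN. As an added example that is not from the EnvisionWare document, this Python block recognises Luhn-valid card numbers in free text such as application logs, reports the BIN, masks each hit to the first six and last four digits, and scrubs the text so a finding can be reported without copying the PAN. The log lines are constructed: the card numbers are the widely published 4111... and 5555... test values, the patron barcode and transaction ID are made up, and the function names are this example's own.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every PAN issued by the major card brands passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bin_of(pan: str) -> str:
    """The Bank Identification Number is the first six digits of the PAN."""
    return pan[:6]


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits visible (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits(match) -> str:
    """Strip the optional separators from a regex match."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (separators removed) found in text."""
    return [d for d in map(_digits, PAN_CANDIDATE.finditer(text))
            if 13 <= len(d) <= 19 and luhn_valid(d)]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other numbers alone."""
    def repl(match):
        d = _digits(match)
        return mask_pan(d) if 13 <= len(d) <= 19 and luhn_valid(d) else match.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_log(lines) -> list:
    """(line number, BIN, masked PAN) for each PAN found. An empty list means the
    component never logged cardholder data in this sample."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, bin_of(pan), mask_pan(pan)))
    return findings


# Constructed sample log of an out-of-scope component. A correctly scoped
# eCommerce Server would produce only lines like 1 and 2; lines 3 and 4 are
# the kind of leak the scan exists to catch. The 14-digit barcode and transaction
# ID are numeric but fail the Luhn check, so they are not reported.
SAMPLE_LOG = [
    "2018-07-09 10:01:12 INFO  login patron=21234000123456 result=ok",
    "2018-07-09 10:01:40 INFO  fines total=17.00 txn=20180709123456",
    "2018-07-09 10:02:03 DEBUG form card=4111 1111 1111 1111 exp=12/20",
    "2018-07-09 10:02:05 ERROR gateway timeout pan=5555555555554444",
]

if __name__ == "__main__":
    for n, bin_, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN found (BIN {bin_}) -> {masked}")
    print(scrub(SAMPLE_LOG[2]))
```

Run against the real logs of the ILS, eCommerce Server and Staff Register, an empty result from `scan_log()` is evidence for the out-of-scope claim; a non-empty one is the starting point of an incident, and `scrub()` lets the affected lines be shared with the processor or a QSA without propagating the PAN further.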

Merchant Levels

The merchant level (1-4) is discussed with regard to what you and EnvisionWare must do to maintain proper PCI Compliance. In short, the fewer the transactions per year, the less restrictive the PCI Compliance concerns. Most libraries fall within Level 4 or maybe Level 3. Amazon fits the Level 1 description. If you anticipate fewer than 20,000 TRANSACTIONS per year your library is Level 4.


Certifications and Documentation

The following documents are available for download from the EnvisionWare Customer Center. The links will work only if the reader is logged into the Customer Center.

Verifone documents are provided in KB1930. PaymentExpress documents are available in KB2553.

Verifone AOC

Verifone Point Certification for EnvisionWare

Verifone Validated Processors

EMV Overview

Amazon Web Services AOC

Payment Express AOC

PaymentExpress Certification for EnvisionWare

PaymentExpress Validated Processors

SSAE16 SOC2 (NDA required)

Network Diagram - Web, Terminal and Staff Register Point of Sale System

Workflow Diagram - Hosted Web Payment


Advanced Documentation

The following information provides extensive technical documentation for the systems discussed in this Overview.

Network Diagrams

A complete system diagram presents the complete scope of eCommerce solutions including Self Service and Staff implementations. In addition to fine payments the system supports credit card payment for printing, scanning, fax, copying and other services. This document is available by logging into the EnvisionWare Customer Center. Because network drawings are of a sensitive nature, the diagram can be accessed only by licensed customers.

A document illustrating a hosted system for web payment is also available in the Customer Center.

Verifone VeriShield Total Protect White Paper

This is a Technical Assessment White Paper (103 pages) created by an independent entity, Coalfire, a QSA P2PE Security Assessor. The White Paper describes the security model of the Verifone TERMINAL system, which is a P2PE validated solution. The architectural overview gives technical staff more extensive information to illustrate the robust nature of the system. Current information can be obtained via the PCI website or the Knowledge Base Article 1930. Login is not required to access the above link.

For Further Study

PCI Security Standards Council

PCI 3.2 Resource Guide

PCI Compliance Guide

Card Acceptance Guidelines for Visa Merchants

Mastercard Site Data Protection (SDP) Program and PCI


SAQ A vs. A-EP: What E-Commerce Merchants, Services Providers Need to Know

Understanding the SAQs for PCI DSS v3.0

Ten Common Myths of PCI DSS

Secure Payments: Multi-pronged Approach - EMV, Encryption, Tokenization and Secure Commerce Architecture

Approved PIN Transaction Security (PTS) Devices (Search for Verifone or PaymentExpress)

Validated Payment Applications (Search for Verifone or PaymentExpress)
