Nets White paper, Compliance related to Viking/OnePA terminals, V4 September 2018

Nets Group 2 - 16

Introduction

Nets Nordic payment terminals, with Payment Applications named Viking or One PA, are in use throughout the Nordics. Additionally, these terminals are also in use in other countries such as Germany and the Baltics, using cross-border acquiring with the Nordic acquirers. The Viking and One PA terminal compliance is kept up-to-date and Nets provides connectivity with all Nordic acquirers.

This white paper gives an insight into the compliance requirements and governance for payment terminals in the Nordics using the Viking or OnePA Payment Application. The intent is to give merchants using Viking and One PA terminals compliance insight into issues handled by Nets on behalf of the merchant.

In addition to the compliance issues handled by Nets, merchants need to address PCI DSS compliance, as these requirements are not limited to the payment terminal only. However, since the Nets host environment is PCI DSS compliant and our Viking and One PA terminals are PA-DSS and PNC E2EE approved, this compliance task has been made as smooth as possible for the merchant.

In addition to giving information on the terminal compliance, this document also gives background information on why terminal software needs to be updated to maintain compliance.

The white paper contains three parts:

1. The first part is about PCI requirements, where the focus is on protecting card data and PIN codes. The list of abbreviations below gives an overview of the topics addressed.

2. The second part addresses card scheme requirements set by Visa, MasterCard and the others. The focus is on how we address functional requirements related to how the cards are to be processed.

3. The third part gives input on new requirements that merchants must address to protect card data and PIN codes.

4. The last part gives information about new EU regulations that affect terminals.

List of abbreviations

• PCI – Payment Card Industry
  See: www.pcisecuritystandards.org/organization_info/index.php
• PCI DSS – PCI Data Security Standard (card data security)
• PCI PIN – PCI PIN Security Requirements (logical security)
• PCI PTS – PCI PIN Transaction Security (hardware security)
• PA-DSS – Payment Application Data Security Standard
• QSA – Qualified Security Assessor
• SAQ – Self-Assessment Questionnaire
• PNC – Pan-Nordic Card association
  See: http://pan-nordic.org/PanNordicCard/Home/Who-we-are.aspx
• PNC E2EE – PNC End-to-End Encryption
• 3DES – Triple DES encryption
• X9.24 2009 – Retail Financial Services Symmetric Key Management Standard
• CVM – Cardholder Verification Method

Part 1 – PCI requirements

PCI DSS

PCI DSS is a set of technical and operational requirements set to protect cardholder data.

Nets do an annual certification of our secure handling of card data in the Nets host environments. The auditing is performed by an external QSA auditor. All Viking and One PA terminals are connected to the same host in Nets Norway.

Up-to-date PCI DSS status of all agents is maintained and listed by Visa and MasterCard. You can find Nets Branch Norway listed as a PCI-compliant service provider at both:

• www.visaeurope.com/receiving-payments/security/downloads-and-resources
• www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html


Visa has two lists at the URL above: a Merchant list and a Member (client) list. Nets Branch Norway is listed on both, as we do services both for our merchants and for the acquirers. The listing shows:

The date in the table above tells when our last annual audit was approved.

The second column in the table above gives information about the scope of the annual audit. This is from our AOC (Attestation of Compliance). Larger merchants that are required to do their own external audit with a QSA might need a copy of our AOC. The info of most interest is Part 2a, which is included below. It tells that terminal processing (POS) and Netaxept (ecommerce) were in scope of the audit. No part was taken out of the scope and all central processing with card data was in the scope.

PCI PIN

PCI PIN is a set of security requirements for online PINs and encryption keys.

Nets do an annual review of the secure handling of online PIN and report the result to Visa Europe.

The requirements of this compliance are documented here: www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements_v2.pdf

PCI PTS

PCI PTS is a set of security requirements for terminal manufacturers focusing on hardware security – especially on protection of the cardholder's PIN.

Most new terminals delivered by Nets are currently PCI PTS 3.x, 4.x or 5.x approved. Based upon the PCI PTS version, these terminals can be installed for new installations and have an expected sunset date per the following table:

PCI PTS version | New installations approved until | Expected sunset date
3.x | End of April 2020 | End of 2023
4.x | End of April 2023 | End of 2026
5.x | End of April 2026 | End of 2029

Terminal models from Nets are in addition approved and registered to be compliant for the Nordic acquirers by the Pan-Nordic Card association:


List 6: Terminals, encrypting PIN pads and encrypting card readers that have been validated to fulfil the Security Design requirements (Security Design)

Nets terminals are also approved by the domestic card schemes BankAxept in Norway and Dankort in Denmark.

PA-DSS

PA-DSS is a standard for software vendors that develop payment applications. The standard aims to prevent payment applications developed for third parties from storing prohibited sensitive data, such as card numbers.

Nets currently delivers PA-DSS version 3.0 approved software. This is approved for new installations until the end of October 2019.

The PCI SSC council has announced that PA-DSS and PCI DSS are mature standards and has stopped launching new major releases every third year. The latest version, 3.2, is instead valid for three additional years, and we will ensure that we have a coming release approved according to that version during next year.

All the software approvals are available by searching for Nets behind the following link: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

All Viking software from version 3.2 to 6.2 is currently approved. All One PA versions from version 1.3 to 3.1 are currently approved. The older software versions that are not in active use anymore are shown under "Acceptable only for Pre-Existing Deployments" on the same page.

The PA-DSS approval of the payment terminal enables our merchants to be PCI DSS compliant. The PA-DSS Implementation Guide available from Nets informs what to do as a merchant to enable PCI DSS compliance.

The guide includes a list with an overview of versions and major PA-DSS changes. Below is an example of the list with current changes:

SW version | PA-DSS Approval Reference | PA-DSS impact from previous SW version | PA-DSS High-Impact changes
Viking 3.2 | 12-08.00424.003 | Full validation |
Viking 3.3 | 12-08.00424.003.aaa | No-Impact |
Viking 3.4 | 12-08.00424.005 | Full Validation |
Viking 3.6 | 12-08.00424.006 | Full Validation |
Viking 3.7 | 12-08.00424.006.aaa | High-Impact | Added unattended terminal model iUP250 with reader IUR250.
Viking 3.8 | 12-08.00424.006.baa | High-Impact | Adding of contactless reader iUC150 to the unattended terminal. Adding the possibility of non-PIN transactions for unattended terminals. It is intended for amounts below 50€ in parking environments.
Viking 3.9 | 12-08.00424.006.caa | Low-Impact |
Viking 4.0 | 12-08.00424.006.daa | High-Impact | Added support to send non-branded card info to the ECR using a whitelist to identify the cards.
Viking 4.1 | 12-08.00424.006.eaa | High-Impact | Adding of new terminal models: iUC180B, iWL255G and iCMP.
Viking 4.2 | 12-08.00424.006.faa | High-Impact | Adding of new terminal model iSMP companion (iMP3 companion).
Viking 4.3 | 12-08.00424.006.gaa | High-Impact | Choosing BAX in a multi-terminal configuration based on truncated PAN received from card.
Viking 4.4.x | 15-08.00424.007 | Full validation | Compliance with PA-DSS v3.0.
Viking 4.5.x | 15-08.00424.007.aaa | No-Impact |
Viking 4.6.x | 15-08.00424.007.caa | No-Impact |
Viking 4.7.x | 15-08.00424.007.eaa | Low-Impact | Addition of new terminal contactless component IUC150B. Choosing BAX from pay@table in a multi-terminal configuration based on truncated PAN received from card.
Viking 4.8.x | 15-08.00424.007.faa | Low-Impact | Updates to underlying Ingenico SDK and libraries, PINS loyalty support, SAS EuroBonus card support, support for DCC with pay@table, support for BankAxept contactless cards, MIF support with all cards, support for "forced offline" mode, new surcharge options, business logic/rules updates, bug fixes.
Viking 4.9.x | 15-08.00424.007.gaa | Low-Impact | Added support for new DCC service provider FEXCO. Added support for JCB contactless kernel to accept JCB contactless and mobile Dankort wallet transactions, PIN bypass ECR confirmation, protecting purchase menu with merchant card in P@T configuration, protecting iSMP terminal F1 with merchant card, activating barcode scanner of iSMP through ECR, iSMP card event for non-PCI cards, changing GPRS setting in profiles, addition of tax regulation statement "IKKE KVITTERING FOR KJØP" on customer receipts for Norwegian standalone products, adding static text for DA framework, support for Finnish loyalty card PINS, bug fixes.
Viking 5.0.x | 15-08.00424.007.haa | No-Impact | Added support to enter PIN before the amount is known for chip-based transactions. Updates to underlying Ingenico SDK and libraries. Added optional 40-character-width receipt format for ECRs. Updated terminal info screen with SW version on F2 key press for attended terminals. Increased card-awaiting screen timer from 2 minutes to 10 minutes. Increased software block size in value chain from 256 bytes to 1 KB to improve software upgrade timings. Added Omni-channel feature where a unique ID must be sent along with the purchase request from the ECR to track it in the backend.
Viking 6.1.x | ?? | Full validation | Added new EMV kernels. Updates to underlying Ingenico SDK and libraries. Added support for contactless transactions using the SingleTap contactless feature with loyalty, DCC, pre-auth and purchase. Added new value-adding features that do not impact the card handling in the terminal, but enable BLE and QR support for Mobile Dankort, and BLE for Swish and Pivo.
One PA 3.0.x | | Full validation | Support for new hardware family: Ingenico Telium Tetra / GNU Linux.

The most recent PA-DSS approval is shown below. It includes an overview of the PCI PTS approved terminal types that it is approved for.


PCI PTS 1.x Terminals

The latest PA-DSS approval for our legacy terminals is shown below:


Our PCI PTS 2.x approved legacy terminals can be in use until the end of 2020. For further info see: www.teller.com/service-support/secure-payments/pci-standard/Non-compliant-terminals/

Memberships

Nets are a PCI Security Standards Council Participating Organization (PO). We are also a technical associate at www.EMVco.org. The acquirer role additionally ensures that we are up to date with card scheme requirements. All these bring value into our solutions and ensure that we are up-to-date with coming requirements.

Part 2 – Card scheme requirements

PNC E2EE

Our PA-DSS approved software is additionally Pan-Nordic E2EE approved, to further ease compliance for our merchants. The PNC E2EE compliance verifies that the terminals cannot expose card data and that card data sent to the Nets host is encrypted in such a way that decryption is not feasible.

The E2EE validation process is described here: www.pan-nordic.org/PanNordicCard/PCI-and-Security/Validation.aspx

Additionally, integrators must fill in a self-assessment form. The following link gives advice on how to ensure this: www.nets.eu/se-sv/partners/Pages/Systemleverant%C3%B6rer.aspx

The page also contains a list of the current partners that have completed the self-assessment. This declaration confirms that the ECR provider is not handling any sensitive card data in their system when used with a Viking or One PA terminal.

Additionally, the E2EE approval itself includes verification of all the other compliance items described earlier in this document. An E2EE approved terminal is thus PCI PTS approved and communicates with a PCI DSS and PCI PIN approved host.

The PNC E2EE certification process is supported by the Nordic acquirers and is regarded as "isolating terminals". With the E2EE approval, the Nordic acquirers regard the SAQ D questionnaire as not needed, even when the terminal is used in the merchant's network.

The Nordic acquirers normally expect SAQ-B or similar to be answered when the terminal is E2EE approved. SAQ-B is much shorter compared to SAQ-D. For large customers who need to use an external QSA, it is up to the QSA to consider which SAQ to answer.

For info about SAQ, see:
www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-C.pdf

Unattended payment Terminals

PNC expects that complete unattended machines are verified and approved. The following link gives information about this process: http://pan-nordic.org/PanNordicCard/PCI-and-Security/Validation.aspx

The last validation step in this process, called "3 Use a secure exterior shield" under "Unattended payment Terminals (UPT)", must be completed.

BankAxept has specific requirements for the PIN shield on UPT terminals in case of using the device in Norway.

Contactless

Both Visa and MasterCard have mandated contactless support for new merchants by the end of 2015. This date is only for:

• New merchants
• Upgrade of terminals

The following is not in scope of this date:

• Replacement of a faulty terminal
• Change of acquirer
• Existing merchant opening a new store
• Change of the store owner


All deployed terminals are to be contactless by the end of 2019. We are happy to inform that all Nets PCI PTS 3.x devices are deployed with a contactless reader. This enables these devices to be in use until the end of 2023, which is the expected sunset date.

Please note the need for special attention on our unattended terminal iUP250, where an upgrade with the iUC150B contactless reader is mandated by the end of 2019. Additionally, note that contactless support is already mandated for NoCVM solutions and that the Nets non-PIN iUC180B terminal is in line with this requirement.

The domestic schemes, BankAxept and Dankort, are in the process of adding contactless support, and both are supported by the Viking application. We regard that this will significantly increase the interest for contactless support in these markets.

https://www.nets.eu/no/payments/butikkbetaling/tilleggstjenester/kontaktlos-betaling/

The One PA application does not currently support Dankort. BankAxept is currently supported on Ingenico terminals only. The 2018 November release will introduce Dankort for the Ingenico terminals; BankAxept and Dankort support for Spire terminals will be added during 2019.

The terminals need separate contactless kernels for each scheme they support. We are in the process of considering support for Expresspay (American Express), Quick pay (Union Pay) and J/Speedy (JCB). Viking also supports Dankort Mobile with NFC.

BLE (Bluetooth Low Energy) and QR codes are ready for pilot in Denmark. The next release will include support for similar solutions in other countries.

Transaction Processors

The Viking and One PA applications are approved by the card transaction processors. They execute approvals on behalf of the acquirers. These approvals include certification of chip and contactless transactions, where each card brand has its own certification process.

Contact transactions are handled by the EMV Level 2 kernel. We update the kernel bi-annually. Viking and One PA are currently using kernel "EMVDC 4.72" from Ingenico, which is valid until 26 October 2018. On Spire terminals, One PA is using the "1.0.3z" kernel. The kernels and their expiry dates are listed here: www.emvco.com/approvals.aspx?id=85#I

The Viking and One PA terminals contain separate contactless kernels for each card brand. Both applications on Ingenico hardware are currently using Visa payWave 2.1.3, MasterCard PayPass 3.0.2 and Interac 1.5 kernels. On Spire, One PA is using Visa payWave 2.1.3, MasterCard PayPass 3.0.3 and Interac 1.2 kernels. The Interac kernel is for use by BankAxept contactless. There is no regular update schedule for contactless kernels.

The Viking application is approved by the following transaction processors: Very Sweden, Nets and Seedbank Card Services. The One PA application is approved by the Nets transaction processor only. A special configuration is approved for Finnish acquirers, as they do not support online PIN – and only support PIN for chip card transactions.

We have currently completed approvals of the following configurations:

• Attended terminals that support contactless:
  o Lane/5000 (One PA only), Lane/3000 (One PA only), iPP350 (Viking only), iCT250, iWL25x, iCMP (Viking only) and iSMP (Viking only)
• Attended terminals without support for contactless (Viking only):
  o iCT220 and iWL220
• Bank branch terminals used for cash deposit, which can be regarded as attended ATMs (Viking only):
  o iPP350, iCT250, iWL25x, iCT220 and iWL220
• Unattended terminals without PIN-pad (Viking only):
  o iUC180b+iUR250
• Unattended terminals with PIN-pad (Viking only):
  o iUP250+iUR250+iUC150b
  Includes option for running without PIN on low amounts

Dankort expects the ECR vendors to get their integration with the terminal tested and approved. The following link gives further information on Dankort approvals: www.nets.eu/dk-da/kundeservice/Verifikation%20af%20betalingsløsninger/godkendte%20løsninger


Part 3 – New requirements

Network, Terminal management and Software updates

The Nets host is available either via the internet using secure access or via a closed network. With a closed network, the network provider has a direct connection to our host environment, offered as part of their network service.

The terminals are managed through Nets terminal management services. The terminal management service defines, for example, the region the terminal belongs to and the acquirer in use.

Terminal management is also responsible for upgrading terminal software remotely over the network. Nets ensure that the software uploaded to the terminal has completed the required certifications.

Visa has mandated that offline approval will only be allowed for contactless transactions from 18 October 2015. This implies a significant change especially for the Finnish and Swedish markets – where most of the transactions are with the Visa brand. Waivers allow for offline on domestic cards in Finland and Sweden for an interim period.

This requirement underlines the importance of good communication lines with uptime guarantees for the merchant.

For BankAxept we have offline support with additional controls such as signature. For Dankort we have "forced offline". This is extended in R2-2016 to also support the other brands. It is made available on the terminals on merchant request.

The diagram below gives an overview of alternative integrations as input to the network diagram that merchants are expected to make as part of the PCI DSS review:

Updates from the Merchant PCI DSS Compliance requirements

This section gives updates on merchants' responsibilities in receiving a PCI DSS certification.

PCI DSS 3.0, which became effective at the beginning of 2014, includes a new requirement 9.9 that is mandatory from July 2015 onwards. This requirement focuses on the following:

• Maintain a list of devices
• Periodical inspections
• Training to detect attempts at tampering or replacement


We regard that the handshake mechanism that we have implemented for our integrated terminals gives a good basis for fulfilling this new requirement 9.9. This is documented as part of the BAXI programmer's guide as a separate document named: Best practice implementation of security in the ECR interface.pdf

Periodical inspection

The ultimate responsibility for the protection of cardholder data, within a merchant's equipment, lies with the merchant.

- The merchant must not leave the retail terminals unattended, to avoid suspicious activities.
- Updated documentation and Implementation Guides can be found at Shop.nets.eu

We advise merchants to focus on proper implementation of the new core PCI DSS 9.9 requirement coming into effect from June 30, 2015.

The intention is to ensure that merchants are better prepared for skimming attacks. We have lately experienced an attempted attack where a skimming device was attached to the chip card reader.

For more info see here: https://www.nets.eu/no/payments/sikre-betalinger/terminal-skimming/

The PCI Small Merchant Guide to safe payment includes the following guideline:

Please note that a legitimate terminal may be swapped with a ghost terminal. Such a fake ghost terminal does not process any transaction, and the sole purpose of a fake terminal is to collect card data and related PINs.

Our hardware supplier Ingenico includes the following advice in the user guide document delivered with the terminals:

iPP350 terminal:


I5100 terminal:

The iPP350 terminal offers the option to attach the cable to the terminal with two screws. This protects against rapid swap.

Nets are aware of the availability of terminal stands that include Kensington locks to prevent theft or swap. We regard this as added security that merchants could decide to make use of to reduce their risk. Be aware that the 9.9 requirements still need to be met even when using Kensington locks. The UK Cards Association writes:


Criminals will seek to test the security controls in place to defend against attack. It is therefore of value for each merchant to implement the details of their own controls, as it makes it more feasible to keep them confidential.

The UK Cards Association has given the following advice:

Source: http://www.theukcardsassociation.org.uk/Terminals/terminal-security.asp

They also give the following advice:

Part 4 – EU regulations

https://www.nets.eu/no/payments/regler-og-vilkar/fritt-applikasjonsvalg/

Introduction – MIF/IFR

A new EU regulation gives merchants the right to define which part of a combined payment card is to be prioritized when customers pay by card. Currently, payment terminals automatically prioritize the domestic card schemes: Dankort in Denmark and BankAxept in Norway.


The EU regulation gives the cardholder the final decision authority, which implies that the cardholder can override the merchant's card priority settings.

The EU regulation came into effect 9 June 2016 in Denmark. It comes into effect 1 November 2016 in Norway.

The Viking application supports payment card prioritization from R2-2016 (4.8.x). The One PA application supports payment card prioritization from version 2.3.0.

For more information, please see:

• www.nets.eu/terminaltjek
• www.dankort.dk/Pages/Dankort-eller-Visa.aspx
• Search for "article 8" in: www.eur-lex.europa.eu/legalcontent/DA/TXT/PDF/?uri=CELEX:32015R0751&rid=1
• www.regjeringen.no/no/aktuelt/forskrift-om-formidlingsgebyr-i-kortordninger/id2506302/

The solution – MIF/IFR

Below is a description of how we will enable the cardholder to select the application on Viking terminals. The basic principle of the solution is that the cardholder indicates that he wants to perform application selection before the card is presented. This is done by pressing the yellow CLEAR button on the terminal.

Note that the application lies within the chip of the payment card. The solution is made for cobranded BankAxept and Dankort cards.

• The priority can be changed by a local parameter in the terminal:
  o Parameter name: IFR priority = <domestic>, <international>, <none>. This parameter will be visible for Norwegian and Danish terminal configurations.
  o The existing priority <domestic> will be the default.
• The priority can also be set from the ECR for integrated terminals. This enables the merchant to prioritize based on input from the cardholder.
• The cardholder can overrule the automatic selection:
  o The application's preferred card scheme will be displayed during PIN entry to ensure that the cardholder can see which application has been selected. The first line of the PIN entry screen will be used for this purpose.
  o The cardholder can disable the automatic selection by pushing the yellow CLEAR button when the card is requested. Standard application selection is then displayed, enabling the cardholder to select the desired application.


The names are fetched from the card:

• The name displayed below "BankAxept" in the sample above is the international card scheme. The card issuer decides the text.
• The selection will only be available on newer VisaDankort cards, which also support contactless. The name on the receipt for the old cards will still be "VisaDankort" and these will be processed as before.
• The functionality will be available for all terminals except the unattended module iUC180B. This module does not support PIN entry or application selection.

A transaction must be aborted and initiated again if the cardholder sees that the application at PIN entry is not in line with what he wants. This is expected to be a seldom issue.

Note that the terminal does not display any guidance text informing about the yellow CLEAR button's functionality. Nets does not see any user-friendly way of doing that, and most cardholders are not expected to make use of it. The merchants should ensure that their employees are informed about the yellow CLEAR button's functionality and can guide cardholders. It is also assumed that the cardholders that want to perform the selection will rapidly learn how to enable it.

Support for BankAxept contactless is included in this software of the terminal, and Dankort contactless is supported from before. The yellow CLEAR button will have no effect for contactless transactions. Cardholders should be advised to use the contact chip if they want to select the application.
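As an added example (not Nets code, and not the terminal's published implementation), the following Python model pulls together the application-selection rules of this section and makes their precedence explicit: terminal capability, then contact versus contactless, then the cardholder's CLEAR button, then an ECR-supplied priority, then the local IFR priority parameter. The Card, Terminal and Selection structures, the function names and the meaning of <none> are assumptions for illustration.

```python
# Added example, not Nets code: a model of the IFR application-selection rules for
# cobranded BankAxept/Dankort cards. Data structures and names are assumptions.
from dataclasses import dataclass
from typing import List, Optional

DOMESTIC_SCHEMES = {"BankAxept", "Dankort"}
IFR_PRIORITIES = ("domestic", "international", "none")
NO_SELECTION_MODELS = {"iUC180B"}   # no PIN entry and no application selection


@dataclass
class Card:
    applications: List[str]        # scheme names read from the chip, e.g. ["Dankort", "Visa"]
    supports_contactless: bool     # only newer VisaDankort cards offer the selection


@dataclass
class Terminal:
    model: str
    ifr_priority: str = "domestic"  # local "IFR priority" parameter; <domestic> is the default


@dataclass
class Selection:
    application: Optional[str]     # chosen scheme, or None when the cardholder must pick
    prompt_cardholder: bool        # standard application selection menu is shown
    pin_screen_line1: str          # first line of the PIN entry screen shows the scheme


def _automatic(card: Card, priority: str) -> Selection:
    """Pick an application by priority without cardholder interaction."""
    if priority not in IFR_PRIORITIES:
        raise ValueError(f"unknown IFR priority {priority!r}")
    domestic = [a for a in card.applications if a in DOMESTIC_SCHEMES]
    international = [a for a in card.applications if a not in DOMESTIC_SCHEMES]
    if priority == "domestic" and domestic:
        chosen = domestic[0]
    elif priority == "international" and international:
        chosen = international[0]
    elif priority == "none":
        # Assumption: <none> means no automatic prioritisation, so the standard
        # application selection menu is shown to the cardholder.
        return Selection(None, True, "")
    else:
        chosen = card.applications[0]   # only one kind present: nothing to prioritise
    return Selection(chosen, False, chosen)


def select_application(card: Card, terminal: Terminal, *, contactless: bool = False,
                       clear_pressed: bool = False,
                       ecr_priority: Optional[str] = None) -> Selection:
    """Decide which chip application a cobranded card is processed with."""
    if len(card.applications) == 1:
        only = card.applications[0]
        return Selection(only, False, only)
    # Legacy cobranded cards are processed as before: automatic domestic priority.
    if not card.supports_contactless:
        return _automatic(card, "domestic")
    # iUC180B has no PIN pad, so neither the CLEAR button nor a menu is possible.
    if terminal.model in NO_SELECTION_MODELS:
        return _automatic(card, ecr_priority or terminal.ifr_priority)
    # CLEAR has no effect on contactless; the contact chip must be used to select.
    if contactless:
        return _automatic(card, ecr_priority or terminal.ifr_priority)
    # The cardholder has the final say: CLEAR disables automatic selection.
    if clear_pressed:
        return Selection(None, True, "")
    # An ECR-supplied priority (integrated terminals) overrides the local parameter.
    return _automatic(card, ecr_priority or terminal.ifr_priority)
```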

Surcharge

PSD2 comes into effect January 2018 (some months later in Norway). The following text gives an overview of which cards surcharge can be allowed for:

Commercial cards issued within or outside of EU/EØS and private cards issued outside EU/EØS will be charged a fee which you can see on your receipt. The fee rate varies depending on the type of card and the country of origin. All transactions on American Express cards are surcharged.

The Viking application already supports the previous Danish surcharge rules, and the PSP will be adapted to support the new regulations. The One PA application will support surcharge during 2019.

ECR related requirement

Sweden has a requirement that stand-alone terminals are to include a text on the paper to indicate that it is not a receipt for the purchase. A similar regulation for Norway came into effect January 2017, and "IKKE KVITTERING FOR KJØP" is to be printed by the terminal on the receipt.


Part 5 – Guidance to merchants/integrators/resellers

Safety Instructions:

Upon receipt of your terminal, as a Merchant/Integrator/Reseller you must check for signs of tampering of the equipment. It is strongly advised that these checks are performed regularly after receipt. You should check, for example: that the keypad is firmly in place; that there is no evidence of unusual wires that have been connected to any ports on your terminal or associated equipment, the chip card reader, or any other part of your terminal. Such checks would provide warning of any unauthorised modifications to your terminal, and other suspicious behaviour of individuals that have access to your terminal.

Your terminal detects any 'tampered state'. In this state the terminal will repeatedly flash the message 'Alert Irruption!' and further use of the terminal will not be possible. If you observe the 'Alert Irruption!' message, you should contact the terminal helpdesk immediately. You are strongly advised to ensure that privileged access to your terminal is only granted to staff that have been independently verified as being trustworthy.

CAUTION: Never ask the customer to divulge their PIN Code. Customers should be advised to ensure that they are not being overlooked when entering their PIN Code.

Service Requirements:

In the event of equipment malfunction, unplug the power supply. It is the responsibility of the Merchant requiring service to report the need for service to the authorised Service Agent, which is the Nets repair department in this case.

Maintenance:

Cleaning the Case

DO NOT allow any water to enter inside the case. Remove any dust from the case using a damp cloth. To clean off accumulated dirt and grime, use a damp cloth that has previously been dipped in mild soap and water. Wring out thoroughly to remove excess water before use.

DO NOT use solvents, cleaning fluids or abrasives. These materials could damage the plastic housing and any exposed contacts.

Software updates:

NETS terminals are frequently updated with the latest software patches through the terminal management system, to push important security related fixes.

NETS sales support communicates about upcoming software upgrades in advance.

Certifications:

Nets software releases are certified by all supported card schemes, which is performed by licensed third party auditors. Also, all software patches/releases comply with PA-DSS guidelines.


Part 6 – ECR – Viking interface protocol

The ECR-Viking interface protocol is known as DFS13, developed by Nets.

The protocol is half-duplex, where all protocol transfer messages are enveloped by the transmission control characters DLE STX and DLE ETX. The message integrity is verified with a transversal checksum (parity bit) and a longitudinal checksum (LRC character).

The DFS13 protocol can be implemented over the following physical interfaces:

• RS232
• USB
• Ethernet
• Bluetooth SPP (Serial Port Profile)

There are several ways to handle "half-open" connections, and this protocol has decided to solve it by the client sending "keep alive messages". These keep alive messages will contain only the 2-byte header, where the values are set to zero, indicating no payload data/application message. For our ECR-ITU system, where the ECR will be the server and the ITU the client, the client will start sending "keep alive messages" every three seconds when the socket is idle, and the server must echo the received "keep alive messages" back to the client.
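As an added example (not Nets code and not the DFS13 specification, which is only available from NETS sales support), the following Python sketch shows the envelope and keep-alive handling described in this section from the receiving side: enveloping with DLE STX / DLE ETX, verifying the LRC, and the ECR (server) echoing the all-zero 2-byte keep-alive back to the ITU (client). The white paper does not publish byte-level details, so the LRC convention, DLE doubling, the 2-byte big-endian length header and the idea that the envelope is carried inside the TCP record are all assumptions made here.

```python
# Added example, not Nets code: a minimal encoder/decoder for the DFS13-style
# envelope and TCP keep-alive. Assumptions not stated in the white paper:
#  - the LRC is the XOR of the application-message bytes (before DLE stuffing);
#  - a DLE inside the message is escaped by doubling it (DLE DLE) so it cannot be
#    mistaken for the DLE STX / DLE ETX envelope;
#  - the transversal check (parity bit) belongs to the serial line settings of
#    RS232 / USB-serial / Bluetooth SPP and is left to the UART, not computed here;
#  - on TCP/IP every record starts with a 2-byte big-endian length header, so the
#    all-zero 2-byte keep-alive is simply a record carrying no application message.
import struct
from typing import Optional

DLE, STX, ETX = 0x10, 0x02, 0x03
KEEP_ALIVE = b"\x00\x00"          # 2-byte header, all zero: no payload
KEEP_ALIVE_INTERVAL_S = 3.0       # client (ITU) sends one every 3 s when idle


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes (assumed convention)."""
    result = 0
    for b in data:
        result ^= b
    return result


def frame(message: bytes) -> bytes:
    """Envelope an application message as DLE STX <stuffed message> DLE ETX LRC."""
    stuffed = message.replace(bytes([DLE]), bytes([DLE, DLE]))
    return bytes([DLE, STX]) + stuffed + bytes([DLE, ETX, lrc(message)])


def unframe(wire: bytes) -> bytes:
    """Parse one envelope, un-stuff DLE DLE and verify the trailing LRC.

    Raises ValueError on a malformed or corrupted frame so the receiver can
    discard it instead of acting on a message whose integrity is unknown.
    """
    if wire[:2] != bytes([DLE, STX]):
        raise ValueError("frame does not start with DLE STX")
    message = bytearray()
    i = 2
    while i < len(wire):
        b = wire[i]
        if b != DLE:
            message.append(b)
            i += 1
            continue
        if i + 1 >= len(wire):
            raise ValueError("frame truncated after DLE")
        nxt = wire[i + 1]
        if nxt == DLE:                       # escaped data byte
            message.append(DLE)
            i += 2
        elif nxt == ETX:                     # end of message: exactly one LRC byte follows
            if len(wire) != i + 3:
                raise ValueError("expected exactly one LRC byte after DLE ETX")
            if wire[i + 2] != lrc(message):
                raise ValueError("LRC mismatch: frame corrupted in transit")
            return bytes(message)
        else:
            raise ValueError(f"unexpected control sequence DLE 0x{nxt:02x}")
    raise ValueError("frame has no DLE ETX terminator")


def is_valid_frame(wire: bytes) -> bool:
    """Accept/reject helper for receivers that only need a yes/no answer."""
    try:
        unframe(wire)
        return True
    except ValueError:
        return False


def tcp_record(message: bytes) -> bytes:
    """Prefix the assumed 2-byte length header; an empty message is a keep-alive."""
    return struct.pack(">H", len(message)) + message


def ecr_handle_record(record: bytes) -> Optional[bytes]:
    """Server (ECR) side: echo keep-alives unchanged, otherwise validate the message.

    Returns the bytes to send back to the ITU (client), or None when the record
    carried an application message that the ECR processes instead of echoing.
    """
    if len(record) < 2:
        raise ValueError("record shorter than the 2-byte header")
    if record[:2] == KEEP_ALIVE:
        return record                          # must be echoed back to the client
    (length,) = struct.unpack(">H", record[:2])
    if len(record) != 2 + length:
        raise ValueError("record length does not match header")
    unframe(record[2:])                        # raises if the envelope or LRC is bad
    return None


def keep_alive_due(last_activity_s: float, now_s: float) -> bool:
    """Client (ITU) side: a keep-alive is due once the socket has been idle 3 s."""
    return now_s - last_activity_s >= KEEP_ALIVE_INTERVAL_S
```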

On color screen terminals, e.g. iPP350, a symbol "ECR" will be displayed with different colors describing the different states of the TCP/IP socket:

• Green – Connected
• Red – Connecting
• White – No physical connection, e.g. Ethernet cable disconnected

For more details, contact NETS sales support to get access to the DFS chapter 13 ECR integration protocol document.