PCI compliance can be confusing - especially for software providers. Element’s Payment Card Industry Compliance FAQ is designed to arm software providers with the facts and help you get started on the road to simplified compliance.

Payment Card Industry Compliance FAQ for Independent Software Vendors (ISVs)

Payment Card Industry Compliance FAQ for ISVs

© 2014 Element Payment Services. All Rights Reserved.

Does Your Application Transmit Cardholder Data?

Unfortunately, answering yes to this question also means your software application is considered a payment application by the Payment Card Industry Security Standards Council (PCI SSC) and is therefore in scope for PCI compliance. PCI scope refers to the totality of an organization’s cardholder data environment.

Applications that process, transmit or store cardholder data and are sold, distributed or licensed to third parties are considered payment applications, and the software providers who develop them are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

What Is PCI DSS Compliance?

In response to a growing number of data security breaches, the major payment card brands (Visa, MasterCard, Discover, etc.) came together in 2006 to form the PCI SSC. The PCI SSC developed a set of security requirements for all businesses that handle payment cards, including merchants and software developers of applications that handle payment card data. This set of requirements is known as the Payment Card Industry Data Security Standard (PCI DSS).

Software providers are responsible for ensuring their applications meet all PCI DSS requirements. Merchants are also required to ensure that their cardholder data environment adheres to these standards. The purpose of the PCI DSS is to ensure the security of cardholder data and to help prevent credit card fraud, hacking, and other security issues.

How do I become PCI compliant?

The path to PCI compliance can be complex and confusing. To mitigate payment risk, and maintain PCI compliance, payment software applications must adopt and comply with a number of technical requirements that ensure cardholder data is securely processed, transmitted and/or stored. Building, maintaining, and annually certifying this technical infrastructure is costly, resource-intensive, and risky.

PCI compliance can be more easily achieved by partnering with a Level 1 PCI DSS compliant payments provider, such as Element. By shifting the responsibility of handling cardholder data to a secure third party, the software application is no longer considered a payment application, and therefore PCI compliance requirements no longer apply to the software provider.

PCI DSS Requirements

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

How does Element assume the burden of PCI compliance?

With a simple integration to the Element Express Processing Interface, the complexity associated with PCI compliance is drastically reduced for software providers.

The Element Express Processing Interface lies at the heart of Element’s suite of payment processing solutions. It’s the interface that powers the highly secure, incredibly reliable, readily configurable and extremely scalable PCI compliant solutions leading software providers depend on. Element offers various Express integration options to suit your business and development needs.

With a simple integration to Element’s PCI compliant solutions, we make it easy to offer secure payments while protecting you and your customers from the cost, liability, risk and integration complexity associated with PCI compliant integrated payments.


A Direct Integration to the Express Processing Interface, Secured with Point-to-Point Encryption (P2PE)

Ideal for card-present environments, a direct integration to the Express Processing Interface, secured by TransForm® P2PE removes software applications from the scope of PCI compliance.

P2PE ensures sensitive credit and debit card data is protected from first card swipe, while in transit, all the way to the payment processor. State of the art encrypting devices encrypt cardholder information prior to performing an electronic payment transaction so that merchants never have contact with unsecured information at all. With TransForm® P2PE technology cardholder data does not enter the software application.

Additional features for ISVs that choose this integration route include the ability to:
• Drive payment transaction flows
• Control which point-of-entry devices can be used within their software
• Add split tender, coupon integration, signature capture, etc.

TransForm® Hosted Payments

Ideal for e-commerce or small card-present environments, Hosted Payments is an integration method to the Element Express Processing Interface that removes the need for software applications to handle cardholder data.

The software application is responsible for collecting all of the non-sensitive data needed to perform a payment transaction; while Element’s Hosted Payments is responsible for collecting, storing, processing and transmitting all the sensitive cardholder data.

The responsibility of handling sensitive cardholder data is shifted over to Element’s Level 1 PCI DSS compliant Express Processing Interface. By shifting the responsibility of handling the cardholder data, Hosted Payments eliminates the need for software vendors to be PCI compliant.

Additional features for ISVs that choose a Hosted Payments integration include:
• Software application PCI scope removal
• Support for several P2PE devices
• One integration giving access to multiple devices

How does Mobile fit into PCI compliance?

Mobile devices are gaining in popularity across all segments of society, so it’s no surprise that many merchants have begun using them to process payment cards. As a result, the PCI SSC has published guidelines intended to aid merchants in their efforts to conform to optimal payment card processing practices. The guidelines published by the PCI SSC cover the hardware and software components of a mobile solution.

ISVs can ease PCI compliance pain in the mobile space with the TransForm® Mobile SDK. The TransForm® Mobile SDK eases the mobile payments integration process by handling the security and connectivity between a wide array of P2PE mobile devices, mobile applications and the Express Interface. A single integration supports multiple hardware devices, featuring TransForm® P2PE, all Express functionality, and signature capture.

Any mobile payment solution utilizing P2PE devices is able to effectively remove cardholder data from the mobile device, which in turn removes the mobile software application from PCI compliance scope.

Any mobile payment solution should use a device that supports P2PE. Data processed on an unsecured mobile card-reading device can be compromised in several ways: customer information may be intercepted by hackers as it is transmitted, or the device itself might be stolen. Either event could provide a gold mine for criminals searching for credit card numbers.


PCI SSC Mobile Payment Acceptance Security Guidelines, Version 1.0
https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf

• Prevent account data from being intercepted when entered into a mobile device.
• Prevent account data from compromise while processed or stored within the mobile device.
• Prevent account data from interception upon transmission out of the mobile device. Facilitate use of industry best practices to implement strong encryption for authentication and transmission.
• Prevent unauthorized physical device access.
• Prevent unauthorized logical device access.
• Protect the mobile device from malware.
• Ensure the mobile device is in a secure state.
• Disable unnecessary device functions.
• Detect loss or theft by recording the serial number, model number, etc.
• Ensure the secure disposal of old devices.
• Implement secure solutions that meet the PCI SSC guidelines.
• Ensure the secure use of the payment-acceptance solution.
• Prefer online transactions - do not use the mobile payment solution to authorize transactions offline.
• Prevent unauthorized use.
• Inspect system logs and reports.
• Ensure that customers can validate the merchant/transaction.
• Issue secure receipts with a truncated card number.
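Two of the guidelines above, issuing receipts with a truncated card number and inspecting system logs, are where cardholder data most often creeps back into a software application that was meant to stay out of PCI scope: a receipt template or a debug log that prints the full card number puts the application in contact with cardholder data no matter how the transaction itself was processed. The following Python script is an added example, not code from Element, the TransForm® products or the PCI SSC guidelines. It masks a primary account number (PAN) down to its last four digits for a receipt, and scans application log lines for 13 to 19 digit sequences that pass the Luhn check, which is a cheap way to confirm that no full PAN is being written to the application’s own logs. The log lines and card numbers are constructed sample data (the card numbers are the widely published Visa and MasterCard test numbers, not real accounts).

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer digit run. The Luhn check below
# removes most false positives (order ids, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card brands."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN for display on a receipt, keeping only the last four digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (separators removed) found in a piece of text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for every log line carrying a full PAN.

    Each hit is a line the application should never have written: a full PAN
    in the application's own logs means the application is handling cardholder
    data and is inside PCI scope, however the transaction was processed.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((number, mask_pan(pan)))
    return hits


# Constructed sample log lines (hypothetical application). The card numbers are
# the well-known Visa and MasterCard test numbers, not real accounts; the order
# id is a 16-digit value that fails the Luhn check and so must not be reported.
SAMPLE_LOG = [
    '2014-06-17 10:01:02 INFO  order=1234567890123456 amount=42.10 status=approved',
    '2014-06-17 10:01:03 DEBUG request body: {"pan": "4111 1111 1111 1111", "exp": "12/19"}',
    '2014-06-17 10:01:04 INFO  receipt printed for card ************4444',
    '2014-06-17 10:01:05 ERROR gateway timeout, retrying for 5555-5555-5555-4444',
]

if __name__ == "__main__":
    for line_number, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_number}: full PAN logged (ends in {masked[-4:]})")
```

Lines 2 and 4 of the sample are reported (line 2 is the classic request-body debug log, line 4 a retry message that echoes its input), while the Luhn-invalid order id on line 1 and the already-masked receipt line are not. The receipt mask keeps only the last four digits, which is within the truncation PCI DSS permits when a PAN is displayed; the report itself only ever carries the masked form, so running the check does not create a second copy of the data it is looking for.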

Mobile payments are expected to increase from 398 million in 2013 to 5.4 billion in 2018*.

*Javelin Strategy and Research- http://www.atmmarketplace.com/blog/10449/Mobile-prepaid-cards-stand-out-in-payments-growth

What if my software is not PCI compliant?

All software providers must meet PCI requirements for their customers to comply with the PCI DSS. Failure to comply with the PCI DSS may leave your customers unable to process card transactions.

PCI DSS is not an option but a requirement for anyone that handles payment card data. The solution is simple: remove the value of, and the accessibility to, cardholder data, and eliminate the risk. The result is simplified PCI compliance and more satisfied customers.

Credit card breaches cost businesses $5.7 million* per incident in expenses, which include detection, notification, legal fees, loss of customers, and brand damage.

The average cost per compromised record, whether a stored credit card number or one harvested by thieves while in transit, is $188**.

* 2012 Payment Card Threat Report, Security Metrics
** Ponemon Institute 2013 Cost of a Data Breach Study: Global Analysis

About Element

Headquartered in Chandler, Arizona, Element Payment Services, Inc., a Vantiv company (NYSE: VNTV), is an industry leading software business that develops PCI DSS compliant technology designed to secure the processing, transmitting, and storing of payment card related data. Element’s technology is deployed through partnerships with point of entry hardware vendors, systems dealers and independent software providers. Engineered using Service-Oriented Architecture, Element’s Express Processing Interface allows for easy integration and supports advanced technologies including tokenization and point-to-point encryption (P2PE).