
TransForm® Hosted Payments

A Fully Integrated, Out-of-Scope, e-Commerce Solution for Software Providers

TransForm® Hosted Payments is Element’s e-commerce solution, which can remove software applications from the scope of PCI compliance by eliminating the need to store, process, or transmit cardholder data. Hosted Payments is an industry leading Qualified Security Assessor-validated solution that can be used to remove software applications from PCI compliance scope.

Version 2.0 - May 2014

© 2014 Element Payment Services. All Rights Reserved.

Hosted Payments

In response to a growing number of data security breaches, the major payment card brands (Visa, MasterCard, Discover, etc.) came together in 2006 to form the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC developed a set of security requirements for all businesses that handle payment cards, including merchants and software developers of applications that handle payment card data. This set of requirements is known as the Payment Card Industry Data Security Standard (PCI DSS).

Applications that process, transmit or store cardholder data and are sold, distributed or licensed to third parties by their software providers are considered payment applications and are required to comply with the PCI DSS.

Software providers can remove their applications from the scope of PCI compliance by shifting this responsibility to a third-party PCI DSS compliant payment processor. (PCI DSS scope refers to the totality of an organization’s cardholder data environment.) Once this responsibility is shifted, the software application is no longer considered a payment application, and therefore PCI compliance requirements no longer apply to it.


PCI DSS Requirements

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

The Simple Solution

Software providers are responsible for ensuring their applications meet all PCI DSS requirements. Merchants are also required to ensure that their cardholder data environment adheres to these standards.

A merchant’s cardholder data environment is made up of all the components used to process, store, and/or transmit cardholder data.

Recognizing the complexities in achieving and maintaining PCI compliance, Element launched its Hosted Payments solution in 2008. Hosted Payments is an integration method to the Element Express Processing Interface that removes the need for software applications to handle cardholder data when authorizing and settling payment transactions, while preserving the benefits associated with integrated payments. The responsibility of handling sensitive cardholder data is shifted over to Element’s Level 1 PCI DSS compliant Express Processing Interface. By shifting the responsibility of handling the cardholder data, Hosted Payments eliminates the need for software vendors to be PCI compliant.

The software application is responsible for collecting all of the non-sensitive data needed to perform a payment transaction, while Element’s Hosted Payments is responsible for collecting, storing, processing and transmitting all the sensitive cardholder data.

Merchant customers can enjoy all of the benefits inherent to fully integrated payment solutions without the risks associated with handling cardholder data. With Hosted Payments, payment processing bypasses the merchant’s management software and is instead handled directly by Element’s Level 1 PCI DSS compliant Express Interface.

If software applications do not store, process, or transmit cardholder data, by definition they are not in scope for PCI compliance.

How Does Hosted Payments Work?

1. The software application collects all of the non-sensitive data related to the transaction:
   • Billing Information
   • Shipping Information
   • Transaction Total
   • Sales Tax

2. The software application displays the Hosted Payments screen for collection of cardholder data. (Figure: Hosted Payments URL Payment Entry Screen.)

3. The transaction is processed by the Element Express Processing Interface.

4. Element’s Hosted Payment Window collects, stores (if applicable), processes, and transmits all the sensitive cardholder data to the Express Interface, and displays the result of the transaction. (Figure: Hosted Payments Transaction Result Screen.)

It’s simple. Remove the value and accessibility to cardholder data and eliminate the risk.

Hosted Payments for Distributed Applications

The Path to PA-DSS

Software providers with distributed applications are required to comply with the Payment Application Data Security Standard (PA-DSS). PA-DSS is a subset of the PCI DSS and applies to software providers who develop distributed applications that process, transmit, or store cardholder data and sell, distribute or license their software to third parties.

To achieve PA-DSS certification, software providers must successfully pass a PA-DSS review performed by a certified independent assessor known as a Payment Application Qualified Security Assessor (PA-QSA). It is the responsibility of the software provider to hire and pay for a PA-QSA to perform their review. These costs can range from thousands to tens of thousands of dollars. To combat the complexity of PA-DSS, Hosted Payments offers a simple and secure payment solution for distributed applications.

Software providers are responsible for ensuring their applications meet all PA-DSS requirements as defined by the PCI SSC.

PA-DSS Requirements
1. Do not retain full magnetic stripe, card validation code or value, or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to applications
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators

How Does Hosted Payments Work in a Distributed Environment?

Just as it works in a SaaS environment, the distributed application is responsible for collecting all of the non-sensitive data needed to perform a payment transaction, while Element’s Hosted Payments page is embedded into the software application to collect the payment card data. Rather than a URL redirect, the POS software application displays a window/form containing an embedded browser control to navigate to Element’s Hosted Payments page.

Point-of-Entry Devices featuring Element’s Point-to-Point Encryption (P2PE)

Although Hosted Payments is ideal for a card-not-present, e-commerce environment, there are times when a Hosted Payments integration is used in a card-present setting. For this purpose, several point of entry devices featuring Element’s P2PE are supported with a Hosted Payments integration. P2PE ensures cardholder data is encrypted immediately at the point of entry and is protected while in transit to the processor. With P2PE, merchants are able to significantly reduce:
• The scope of the PCI compliance assessment.
• The cost of the PCI compliance assessment.
• The cost and difficulty of implementing and maintaining PCI controls.
• Risk to the organization.

Additional Features

The supported devices encrypt cardholder information prior to performing an electronic payment transaction, so that merchants never have contact with unsecured information at all.

Supported P2PE Devices

SecureKey M130
• Encrypts sensitive magstripe and manually key-entered card data.

Ingenico Driverless PIN Pad (DPP)
• Encrypts sensitive magstripe and manually key-entered card data.
• Supports PIN debit.

Magstripe Reader
• A simple magstripe card reader that encrypts cardholder data immediately upon card swipe.

All supported devices are uni-directional, keyboard-emulated (driverless) solutions, which makes installation pain- and hassle-free. Merchants simply plug the device into a USB port on their point-of-sale system and use it with Hosted Payments.

TransForm® Tokenization

Software applications that have a Hosted Payments integration can also support TransForm® Tokenization. The PCI DSS has strict requirements concerning the storage of sensitive cardholder information within software applications. Software providers can protect customers by implementing a secure offsite data storage solution that utilizes tokenization technology. TransForm® Tokenization technology works by moving the actual cardholder data offsite to Element’s PCI DSS compliant storage facility. Element’s servers create and then return a unique reference pointer (or token) to the software application. Merchants utilizing a tokenization solution drastically reduce their PCI scope by eliminating the storage of cardholder data.
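The four-step flow under "How Does Hosted Payments Work?" and the tokenization paragraph above describe one architectural pattern: the application handles only non-sensitive order data, the processor-hosted page is the only component that ever sees the card number, and what comes back to the application is a result plus a token. The Python below is an added illustration of that pattern written for this page; it is not Element's code and does not use Element's API. The `HostedPaymentPage` and `MerchantApp` classes, their method names and the `sess_`/`tok_` prefixes are hypothetical stand-ins, and the card number, order and log lines are constructed test data. The reusable part is the `find_pans` scope check, a Luhn-validated digit-run scanner run over everything the application persisted: the claim that an application is out of scope because it never stores, processes or transmits cardholder data holds only if its logs and records actually contain no PANs, and a debug line that echoes a card number puts it straight back in scope.

```python
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every major card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit sequence in text, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class HostedPaymentPage:
    """Hypothetical stand-in for the processor-hosted card-entry page.
    It is the only component that sees the PAN; the PAN stays in its own
    vault and the application receives a token plus a result."""

    def __init__(self):
        self.sessions = {}   # session id -> non-sensitive order data from the app
        self.vault = {}      # token -> (PAN, expiry); never leaves the processor side

    def open_session(self, order: dict) -> str:
        session = "sess_" + secrets.token_urlsafe(16)
        self.sessions[session] = order
        return session

    def submit_card(self, session: str, pan: str, expiry: str) -> dict:
        """Called by the customer's browser via the hosted URL, never by the app."""
        order = self.sessions.pop(session)
        if not luhn_valid(pan):
            return {"approved": False, "reason": "invalid card number"}
        token = "tok_" + secrets.token_urlsafe(16)   # random reference, not derived from the PAN
        self.vault[token] = (pan, expiry)
        return {"approved": True, "amount": order["amount"], "token": token, "last4": pan[-4:]}


class MerchantApp:
    """Hypothetical software application: collects only non-sensitive data and
    stores only what the hosted page returns."""

    def __init__(self, hosted: HostedPaymentPage):
        self.hosted = hosted
        self.log = []        # everything the app writes to its log
        self.records = []    # everything the app persists about a payment

    def start_checkout(self, order: dict) -> str:
        # Step 1: billing, shipping, total and tax only.
        self.log.append(f"checkout order={order['id']} total={order['amount']} "
                        f"tax={order['tax']} ship_to={order['ship_to']}")
        # Step 2: open a hosted session; the app would now redirect the browser
        # (or point an embedded browser control) at the hosted URL for it.
        return self.hosted.open_session(order)

    def complete_checkout(self, order_id: str, result: dict) -> None:
        # Step 4: the hosted page reports the result; token and last4 are stored, not the PAN.
        self.records.append({"order": order_id, **result})
        self.log.append(f"result order={order_id} approved={result['approved']}")

    def cardholder_data_found(self) -> list:
        """Scope check: scan everything this app persisted for Luhn-valid PANs."""
        blob = "\n".join(self.log + [repr(r) for r in self.records])
        return find_pans(blob)


def run_demo() -> dict:
    """One checkout through the hosted flow, followed by the scope check."""
    hosted = HostedPaymentPage()
    app = MerchantApp(hosted)
    order = {"id": "ORD-1001", "amount": "42.50", "tax": "3.40", "ship_to": "1 Example St"}
    session = app.start_checkout(order)
    # Constructed test card number; in the real flow the browser posts it to the hosted page.
    result = hosted.submit_card(session, "4111111111111111", "12/29")
    app.complete_checkout(order["id"], result)
    return {"approved": result["approved"],
            "leaks": app.cardholder_data_found(),
            "token_in_vault": result["token"] in hosted.vault}


if __name__ == "__main__":
    print(run_demo())
    # A log line that echoes the card number is exactly what the scope check catches:
    print(find_pans("DEBUG card=4111-1111-1111-1111 exp=12/29"))
```

`run_demo()` returns no leaks because the application's log and records hold only order ids, amounts, a token and the last four digits; running `find_pans` over the same application's logs and database exports in a real deployment is a cheap way to confirm that the out-of-scope claim still holds after every release.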

Merchant Benefits

The PCI DSS requires merchants to protect cardholder data. Merchants utilizing a Hosted Payments solution transfer the risk of handling cardholder data to Element. Key benefits for merchants include completely removing cardholder data from their POS system, which greatly reduces their business risk, liability and expense of card payment acceptance.

With Element’s fully integrated, out-of-scope, e-commerce solution, software providers and merchants retain access to and control all of the mission-critical data necessary for their software applications to process payments and manage their businesses.

With Element’s Hosted Payments, merchants reduce their compliance costs and remove risk from their business by no longer having to handle, process or transmit cardholder data through their software application. Software providers using Hosted Payments are able to offer their customers more secure, fully integrated PCI DSS compliant payment processing.


You’ve worked hard to earn customers; ease their PCI pain with the TransForm® Solution Suite.

Conclusion

Hosted Payments is one of the only QSA (Qualified Security Assessor)-validated solutions for the removal of software applications from the scope of PCI compliance. Achieving PCI compliance is time consuming and expensive. TransForm® Hosted Payments greatly reduces the burden of lost time and excessive expense, giving software providers and merchants peace of mind. The solution is:

• Flexible. Hosted Payments takes the software application out of PCI scope in both SaaS and distributed software application environments.

• Secure. All cardholder data is removed from software applications and merchant systems, drastically reducing business risk, liability, and expense.

• Business-Friendly. With Hosted Payments, PCI compliance scope is dramatically reduced through risk transference for merchants. When you release your payment security concerns to a PCI compliant third party, you’re free to do what you do best.

• Holistic. By employing TransForm® P2PE and Tokenization technology, Hosted Payments protects cardholder data both in-flight and at rest, allowing merchants to benefit from card-on-file billing & scheduled payments (when required).

Start your Hosted Payment Integration Today! www.elementps.com/partnerwithus/expressapi


A QSA Validated Solution

June 2011

Element Payment Services, Inc.
14415 S. 50th Street, Suite 200
Phoenix, AZ 85044

To Whom It May Concern:

Element Payment Services, Inc. (“Element”) engaged Trustwave Holdings, Inc. (“Trustwave”) to conduct a third party assessment of Hosted Payments 2.0 (“Hosted Payments”), an integration method to its Express Processing Platform (“Express”). ISVs using Hosted Payments leverage Element’s PCI DSS compliant processing platform to accomplish fully integrated payment processing. The primary objective of the assessment was to determine applicability of the Payment Card Industry Data Security Standard (“PCI DSS”) and the Payment Application Data Security Standard (“PA-DSS”) to software applications integrated to Express via Hosted Payments.

Based on Trustwave’s independent evaluation and application testing of Hosted Payments, and a review of implementation documentation provided by Element, Trustwave has determined that:

Element is listed as a Level 1 PCI DSS compliant service provider, most recently validated in November 2010, and offers a suite of processing technologies that includes Hosted Payments.

Hosted Payments eliminates the need for integrated software vendor’s (“ISV’s”) applications to store, process or transmit cardholder data as a part of authorization and settlement. PCI DSS only applies in environments where credit card numbers are stored, processed or transmitted. Those ISVs, assuming they (or their applications) do not otherwise store, process or transmit cardholder data, are eliminated from PCI scope and compliance costs.

Hosted Payments meets the definition of a hosted application as defined by the Payment Card Industry Security Standards Council (“PCI SSC”). As a hosted application, ISVs with integrated software applications that utilize Hosted Payments to process payments are not required to undergo a PCI PA-DSS audit when implemented according to Element’s specifications. Element’s processing platform and payment technologies (including Hosted Payments) are validated on an annual basis for PCI compliance.

Sincerely,

Keith Swiat
Director, Payment Application Practice, Trustwave

About Element


Headquartered in Chandler, Arizona, Element Payment Services, Inc., a Vantiv company (NYSE: VNTV), is an industry leading software business that develops PCI DSS compliant technology designed to secure the processing, transmitting, and storing of payment card related data. Element’s technology is deployed through partnerships with point of entry hardware vendors, systems dealers and independent software providers. Engineered using Service-Oriented Architecture, Element’s Express Processing Interface allows for easy integration and supports advanced technologies including tokenization and point-to-point encryption (P2PE).