Point to Point Encryption
On-Guard encryption is supported on Ingenico terminals only. Simplify using On-Guard can be operated as part of a PCI P2PE-validated solution (Safe-T Link with P2PE Protect).
Elavon’s Fusebox platform supports the Voltage SecureData Payments applications to enable our customers to implement a complete solution for P2PE using:
- Voltage SecureData Payments POS Software Development Kit (SDK)
- Voltage SecureData Payments Host Software Development Kit (SDK)
- Voltage Secure Data Management Console
- Voltage Key Management Server (operating as an HSM or Hardware Security Module)
- Voltage SecureData Simple API
The Voltage solution is available on Ingenico terminals only. The TEP2 is the only Voltage format supported at this time. TEP2 offers Format Preserving Encryption where the BIN and last 4 of the account number are preserved. Simplify is integrated with TEP2 encryption.
See the Simplify Developer Guide for more information.
Point to Point Encryption in the Elavon Gateway Message
Point-to-Point Encryption in the Elavon Gateway Message is supported with Ingenico On-Guard or Voltage, and Verifone VeriShield Total Protection.
Verifone VeriShield Total Protection
Elavon has purchased and implemented Verifone VeriShield Total Protection applications and infrastructure to build a complete solution for P2PE using the Verifone (formerly Semtek) HSM (Hardware Security Module) boarding and monitoring components of the Verifone product family.
The Verifone solution is available with specific Verifone terminals.
Verifone P2PE utilizes format preserving encryption and can be integrated into multiple industries, payment types, and merchant environments. The Verifone VeriShield Protect solution can be used with Simplify, or you can bring your own device and integrate directly with the Verifone hardware. Confirm that the hardware meets the minimum requirements for the VeriShield Crypto Library (VCL), Derived Key or Unique Key per Device, and cardless registration. For more information, refer to the Verifone VeriShield Total Protection Integration Guide and the Simplify Developer Guide.
The combination of Chain Code, Location, Terminal ID, device serial number and encryption provider in the incoming message, together with the Site ID boarded with criteria unique to the customer and integration, allows an encrypted card swipe (or encrypted manually entered card) to be decrypted in the Fusebox gateway by the VSP service.
Elavon Gateway Message API Fields Used in P2PE
The following Elavon Gateway Message API fields are utilized in P2PE:
Each field is listed with its description, its characteristics, and which component supplies it (Simplify, Voltage or POS).

Account Number
Description: The account number field is left blank when sending transactions to Simplify unless manual entry is desired on the encrypting device. To prompt for manual entry on Simplify, pass 3, K (with K for manually keyed).
For Bring Your Own Device, encrypted track data must be presented as delimited Base64 or plain ASCII. The combined length of the two ciphers plus sentinels must not exceed 255 bytes. The required format is:
0003,%[Track 1 cipher]?;[Track II cipher]?
The sentinels are required to maintain track identification. Regardless of format, extraneous sentinels or delimiters are discarded after decryption. Where the sentinels are already supplied (format preserving), the POS need not add them.
Simplify can be configured to support SAF (Store and Forward) processing for timed-out (offline) transactions, using one of the following methods:
For POS SAF, the response from Simplify provides the encrypted track or account number, which can be stored locally in the POS until the transaction is resubmitted to Fusebox. The customer is responsible for making this data unrecoverable after completion of the authorization process.
Refer to the Simplify Developer Guide for more information.
Characteristics: A/N 1-128 Characters
Supplied by: Simplify or POS

Expiration Date
Description: The expiration date field is left blank when sending transactions to Simplify.
The expiration date is returned in the response and must be stored in the POS for future transactions. A valid expiration date is required to submit a new transaction (with the exception of a return, which can be processed to an expired card).
Verifone VSP special processing: with Verifone, the expiration date is modified when the card data is encrypted. For Classic Key, 32 years are added to the expiration date. For Derived Key, 44 years are added to the expiration date.
For Bring Your Own Device with Verifone VSP, note that the expiration date from the device will not match the card expiration date.
Characteristics: N, Date, 4 MMYY
Supplied by: Simplify and POS

CVV2 or CVC2 or CID
Description: If a card is manually entered at the terminal, the CVV2, CVC2 or CID is encrypted before being passed to Fusebox. The encrypted value may be up to 10 characters long and alphanumeric.
For Bring Your Own Device integration with Voltage, the POS may need to pass this value from the device directly to Fusebox.
Characteristics: A/N 3-10 Characters
Supplied by: Simplify, Voltage or POS

Masked Account Number and Token Request field
Description: Although tokenization is not required for P2PE, it is required for two-part or complex lifecycle transactions (lodging and fine dining). One-part (sale) transactions are strongly recommended to use tokens. Without a token in the POS, there is no value to present to Fusebox on future transactions (void or return).

Device Serial Number
Description: In Bring Your Own Device integration with Voltage, the POS needs to send the serial number from the device.
Note: In Store and Forward processing, the serial number of the original device must be passed with the original Chain Code, Location, Terminal ID, and encrypted data from the original transaction.
Characteristics: A/N 1-20 Characters
Supplied by: Simplify, Voltage or POS

Encryption Provider ID (Verifone)
Description:
a) S1 = Verifone Classic Key (not available for new implementations)
b) V1 = Verifone Derived Key
Note: A site boarded for P2PE will error if the encryption provider ID is not supplied or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number.
Characteristics: A/N 1-20 Characters

Encryption Provider ID (Voltage and On-Guard)
Description:
G2 = Voltage type TEP2
G3 = Voltage type TEP3
A site boarded for P2PE will error if the encryption provider ID is not supplied or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number.
Only TEP2 and OG = On-Guard are supported.
If a terminal's tc_e2e_device_type (from the Terminal Control Record) is loaded with a value and the terminal request message did not contain a matching value in gwa_e2e_device_type (API Field 5004) or a card token (API Field 0003), the message is rejected with the following response code/text:
API_1003_TERM_RESP_CODE = 0286
API_1010_TERM_RESP_TEXT = CARD NOT ENCRYPT
API_1004_HOST_RESP_TEXT = CARD NOT ENCRYPT
Supplied by: Voltage or POS

Encryption Transaction Block
Description: This is a Voltage value supplied by the terminal as the ETB with all encrypted transactions and used to decrypt the account number supplied in API Field 3. The data is in Base64 format of up to 512 bytes.
In a Bring Your Own Device integration with Voltage, the POS needs to send the Encryption Transaction Block from the device.
Characteristics: A/N 1-512 Characters
Supplied by: Simplify, Voltage or POS
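Worked example, added here and not code from Elavon, Simplify, Voltage or Verifone, that applies the field rules above as pre-submission checks a POS integrator can run before a message leaves the store: the Bring Your Own Device track format and 255-byte limit, the Base64 ETB limit, the 0286 "CARD NOT ENCRYPT" rejection rule, and the Verifone expiration-date offset reversed to recover the printed card date. The function names, the request dict keyed by API field number, the has_card_token flag and all sample values are assumptions.

```python
import base64
import binascii
import re

# Constructed helpers (not Elavon's, Simplify's or Voltage's code). The request
# dict layout keyed by API field number and the function names are assumptions;
# the rules themselves (format, lengths, provider IDs, 0286) come from the page.
TRACK_RE = re.compile(r"^0003,%([^?;]+)\?;([^?;]+)\?$")  # both sentinel sets kept
PROVIDER_IDS = {"S1", "V1", "G2", "G3", "OG"}             # IDs listed on the page
VERIFONE_YEAR_OFFSET = {"S1": 32, "V1": 44}               # Classic Key / Derived Key
REJECT_NOT_ENCRYPTED = {"1003": "0286", "1010": "CARD NOT ENCRYPT",
                        "1004": "CARD NOT ENCRYPT"}

def check_byod_track(field: str) -> bool:
    """BYOD encrypted track data: ASCII, both sentinel sets present, <= 255 bytes."""
    try:
        raw = field.encode("ascii")
    except UnicodeEncodeError:
        return False
    return len(raw) <= 255 and TRACK_RE.match(field) is not None

def check_etb(etb: str) -> bool:
    """Voltage Encryption Transaction Block: valid Base64, 1-512 characters."""
    if not 1 <= len(etb) <= 512:
        return False
    try:
        base64.b64decode(etb, validate=True)
    except binascii.Error:
        return False
    return True

def gateway_e2e_check(tc_e2e_device_type: str, request: dict, has_card_token: bool):
    """Mirror the rejection rule: a terminal boarded with tc_e2e_device_type needs
    a matching API field 5004 or a card token in field 0003, otherwise 0286."""
    if not tc_e2e_device_type:
        return None                        # terminal not boarded for P2PE
    if request.get("5004") == tc_e2e_device_type or has_card_token:
        return None                        # accepted
    return dict(REJECT_NOT_ENCRYPTED)

def verifone_card_expiry(device_mmyy: str, provider_id: str) -> str:
    """Recover the printed MMYY from the offset value a Verifone VSP device returns
    (32 years for S1, 44 for V1). The offset value is what the POS keeps and sends."""
    if not re.fullmatch(r"(0[1-9]|1[0-2])\d\d", device_mmyy):
        raise ValueError("expiration must be MMYY")
    yy = (int(device_mmyy[2:]) - VERIFONE_YEAR_OFFSET[provider_id]) % 100
    return f"{device_mmyy[:2]}{yy:02d}"
```

The ETB check validates only that the block is well-formed Base64 within the stated size; decryption of the ETB and account number happens in Fusebox, not in the POS.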