Point to Point Encryption
On Guard
On-Guard encryption is supported on Ingenico terminals only. Simplify using On-Guard can be operated as part of a PCI P2PE-validated solution (Safe-T Link with P2PE Protect).
Voltage
Elavon’s Fusebox platform supports the Voltage SecureData Payments applications to enable our customers to implement a complete solution for P2PE using:
- Voltage SecureData Payments POS Software Development Kit (SDK)
- Voltage SecureData Payments Host Software Development Kit (SDK)
- Voltage Secure Data Management Console
- Voltage Key Management Server (operating as an HSM or Hardware Security Module)
- Voltage SecureData Simple API
The Voltage solution is available on Ingenico terminals only. The TEP2 is the only Voltage format supported at this time. TEP2 offers Format Preserving Encryption where the BIN and last 4 of the account number are preserved. Simplify is integrated with TEP2 encryption.
See the Simplify Developer Guide for more information.
Point to Point Encryption in the Elavon Gateway Message
Point-to-Point Encryption in the Elavon Gateway Message is supported with Ingenico On-Guard or Voltage, and Verifone VeriShield Total Protection.
Verifone VeriShield Total Protection
Elavon has purchased and implemented Verifone VeriShield Total Protection applications and infrastructure to build a complete solution for P2PE using the Verifone (formerly Semtek) HSM (Hardware Security Module) boarding and monitoring components of the Verifone product family.
The Verifone solution is available with specific Verifone terminals.
Verifone P2PE utilizes format preserving encryption and can be integrated into multiple industries, payment types, and merchant environments. The Verifone VeriShield Protect solution can be used with Simplify or you can bring your own device and integrate directly to the Verifone hardware. Confirm that hardware meets the minimum requirements for VeriShield Crypto Library (VCL), Derived Key or Unique Key per Device, and cardless registration. For more information, refer to the Simplify Developer Guide.
The combination of a Chain Code, Location, Terminal ID, device serial number and encryption provider in the incoming message and the Site ID boarded with criteria unique to a customer and integration will allow for an encrypted card swipe (or encrypted manually entered card) to be decrypted in the Fusebox gateway with the VSP service.
Elavon Gateway Message API Fields used in P2PE
The following Elavon Gateway Message API fields are utilized in P2PE:
0003 (Account Number)
- Description: The account number field will be left blank when sending transactions to Simplify unless a manual transaction entry is desired on the encrypting device.
- To prompt for manual entry on Simplify, pass 3, K (with K for manually keyed).
- For Bring Your Own Device, encrypted track data must be presented as delimited base64 or plain ASCII.
- The combined length of the two ciphers plus sentinels will not exceed 255 Bytes in length. The required format is: 0003,%[Track 1 cipher]?;[Track II cipher]?
- The sentinels are a requirement to maintain track identification. Regardless of format, extraneous sentinels or delimiters will be discarded post decryption. In cases where the sentinels are already supplied (format preserving), the POS need not add them.
- Simplify can be configured to support SAF (Store and Forward) processing for timed-out (offline) transactions, using one of the following methods:
- POS SAF – Simplify sends a response that allows the transaction to be locally approved or declined by the POS (Stand-in process). If approved, the POS resubmits the transaction (through Simplify or directly to Fusebox) for host approval.
- On-Device SAF (version 28 and above) – Simplify performs Stand-in and SAF processing.
- Size: 1 - 128
- Data Type: A/N
- Simplify, Voltage or POS: Simplify or POS
note
For POS SAF, the response from Simplify will provide encrypted track or account number, which can be stored locally in the POS until the transaction is resubmitted to Fusebox. The customer is responsible for making this data unrecoverable after completion of the authorization process.
0004 (Expiration Date)
- Description:
- Valid Values:
- The expiration date field will be left blank when sending transactions to Simplify.
- The expiration date is returned in the response and must be stored in the POS for future transactions.
- A valid expiration date is required to submit a new transaction (with the exception of a return, where the return can be processed to an expired card).
- Verifone VSP special processing.
- With Verifone the expiration date is modified when the card data is encrypted.
- For Classic Key, 32 years is added to the expiration date. For Derived Key, 44 years is added to the expiration date.
- For Bring Your Own Device with Verifone VSP, note that the expiration date from the device will not match the card expiration date.
- Size: Date, 4, MMYY
- Data Type: N
- Simplify, Voltage or POS: Simplify and POS
0050 (CVV2 or CVC2 or CID)
- Description:
- Valid Values:
- Voltage Only
- If a card is manually entered at the terminal, the CVV2 or CVC2 or CID will be encrypted before being passed to Fusebox. This encrypted value may be up to 10 characters long and alphanumeric.
- For Bring Your Own Device integration with Voltage
- The POS may need to pass this information from the device directly to Fusebox.
- Voltage Only
- Size: 3 - 10
- Data Type: A/N
- Simplify, Voltage or POS: Simplify, Voltage or POS
1008 (Masked Account Number Token Request field)
- Description:
- Although tokenization is not required for P2PE, it is required for two-part or complex lifecycle transactions (lodging and fine dining).
- One part (sale) transactions are strongly recommended to use tokens. Without a token in the POS, there is no value to present to Fusebox on future transactions (void or return).
- Size: 1 - 21
- Data Type: A/N
- Simplify, Voltage or POS: POS
5002 (Device Serial Number)
- Description:
- In Bring Your Own Device integration with Voltage, the POS will need to send the serial number from the device.
- In Store and Forward processing, the serial number of the original device must be passed with the original Chain Code, Location, Terminal ID, and encrypted data from the original transaction.
- Size: 1 - 20
- Data Type: A/N
- Simplify, Voltage or POS: Simplify, Voltage or POS
5004 (Encryption Provider ID)
- Description:
- a) S1 = Verifone Classic Key (not available for new implementations)
- b) V1 = Verifone Derived Key
- A site boarded for P2PE will error if the encryption provider ID is not supplied or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number.
- Size: 1 - 20
- Data Type: A/N
- Simplify, Voltage or POS: POS
- Encryption Provider ID
- G2 = Voltage type TEP2
- G3 = Voltage type TEP3
note
- A site boarded for P2PE will error if the encryption provider ID is not supplied or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number. Only TEP2 and OG = On-Guard are supported.
5004 (Error)
- Description:
- If a terminal's tc_e2e_device_type (from the terminal control record) is loaded with a value and the terminal request message did not contain a matching value in gwa_e2e_device_type (API field 5004) or a card token (API field 0003), we reject the message with:
- API_1003_TERM_RESP_CODE = 0286
- API_1010_TERM_RESP_TEXT = CARD NOT ENCRYPT
- API_1004_HOST_RESP_TEXT = CARD NOT ENCRYPT
- Size: 1 - 20
- Data Type: A/N
- Simplify, Voltage or POS: Voltage or POS
5005 (Encryption Transaction Block)
- Description:
- Valid Values:
- This is a Voltage value supplied by the terminal as the ETB with all encrypted transactions and used to decrypt the account number supplied in API Field 0003. The data will be in Base64 format of up to 512 bytes of data.
- In a Bring Your Own Device integration with Voltage, the POS will need to send the Encryption Transaction Block from the device.
- Size: 1 - 512
- Data Type: A/N
- Simplify, Voltage or POS: Simplify, Voltage or POS
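The field rules above (the 0003 track format and 255-byte limit, 5002, 5004 and 5005) combined into a POS-side pre-flight check for a Bring Your Own Device encrypted swipe. This is an added example, not Elavon's code; check_p2pe_fields, the dict layout and the sample values are assumptions made for illustration.

```python
import base64
import binascii
import re

# Provider IDs from the 5004 section. G3 (TEP3) is left out because the page
# states that only TEP2 and On-Guard are supported.
SUPPORTED_PROVIDERS = {"S1", "V1", "G2", "OG"}
TRACK_FORMAT = re.compile(r"%[^?]+\?;[^?]+\?")  # %[Track 1]?;[Track II]?

# Constructed sample; the ciphers, serial number and ETB are not real data.
SAMPLE_REQUEST = {"5004": "G2", "5002": "SN0001",
                  "0003": "%QUJD?;REVG?", "5005": "AAECAwQ="}


def check_p2pe_fields(fields):
    """Return the problems found in an encrypted-swipe request.
    `fields` is a hypothetical dict keyed by API field number; it is not the
    gateway wire format. Token and manual-entry requests are out of scope.
    """
    problems = []
    provider = fields.get("5004", "")
    if not provider:
        problems.append("5004 missing: P2PE terminal gets 0286 CARD NOT ENCRYPT")
    elif provider not in SUPPORTED_PROVIDERS:
        problems.append(f"5004 value {provider!r} is not supported")

    if not 1 <= len(fields.get("5002", "")) <= 20:
        problems.append("5002 device serial number must be 1-20 characters")

    track = fields.get("0003", "")
    if len(track.encode("utf-8")) > 255:
        problems.append("0003 exceeds 255 bytes (ciphers plus sentinels)")
    elif not TRACK_FORMAT.fullmatch(track):
        problems.append("0003 is not %[Track 1 cipher]?;[Track II cipher]?")

    if provider == "G2":  # Voltage TEP2 also needs the ETB in field 5005
        etb = fields.get("5005", "")
        try:
            base64.b64decode(etb, validate=True)
            etb_ok = 1 <= len(etb) <= 512
        except (binascii.Error, ValueError):
            etb_ok = False
        if not etb_ok:
            problems.append("5005 must be 1-512 characters of Base64")
    return problems


if __name__ == "__main__":
    print(check_p2pe_fields(SAMPLE_REQUEST) or "no problems found")
```

Running the check before submission catches a request that a P2PE-boarded terminal would have rejected, without the POS ever handling decrypted card data.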