Point-to-Point Encryption

Point-to-Point Encryption in the Elavon Gateway Message is supported with the Verifone VeriShield Total Protection solution:

Verifone VeriShield Total Protection

Elavon has purchased and implemented Verifone VeriShield Total Protection applications and infrastructure to build a complete solution for P2PE using the Verifone (formerly Semtek) HSM (Hardware Security Module) boarding and monitoring components of the Verifone product family.

The Verifone solution is available with specific Verifone terminals.

Verifone P2PE utilizes format preserving encryption and can be integrated into multiple industries, payment types, and merchant environments. The Verifone VeriShield Protect solution can be used with Simplify, or you can bring your own device and integrate directly with the Verifone hardware. Confirm that the hardware meets the minimum requirements for the VeriShield Crypto Library (VCL), Derived Key or Unique Key per Device, and cardless registration. For more information, refer to the Verifone VeriShield Total Protection Integration Guide.

The combination of Chain Code, Location, Terminal ID, device serial number and encryption provider in the incoming message, together with the Site ID boarded with criteria unique to the customer and integration, allows an encrypted card swipe (or encrypted manually entered card) to be decrypted in the Fusebox gateway by the VSP service.

Voltage

Elavon’s Fusebox platform supports the Voltage SecureData Payments applications to enable our customers to implement a complete solution for P2PE using:

  • Voltage SecureData Payments POS Software Development Kit (SDK)
  • Voltage SecureData Payments Host Software Development Kit (SDK)
  • Voltage Secure Data Management Console
  • Voltage Key Management Server (operating as an HSM or Hardware Security Module)
  • Voltage SecureData Simple API

The Voltage solution is available on Ingenico terminals only. TEP2 is the only Voltage format supported at this time. TEP2 offers Format Preserving Encryption in which the BIN and the last four digits of the account number are preserved. Simplify is integrated with TEP2 encryption.

On-Guard encryption is supported on Ingenico terminals only. Simplify using On-Guard can be operated as part of a PCI P2PE-validated solution. Validation is specifically performed through Safe-T Link with P2PE Protect.

See the Simplify Developer Guide for more information.

Elavon Gateway Message API Fields Used in P2PE

The following Elavon Gateway Message API fields are utilized in P2PE:

Each field entry below gives the API field number, its description, its characteristics (type and length), and whether the value is supplied by Simplify, Voltage or the POS.

API Field: 0003

Description: Account Number

The account number field is left blank when sending transactions to Simplify unless manual entry is desired on the encrypting device. To prompt for manual entry on Simplify, pass 3, K (K indicating manually keyed entry).

For Bring Your Own Device, encrypted track data must be presented as delimited base64 or plain ASCII. The combined length of the two ciphers plus sentinels must not exceed 255 bytes. The required format is:

0003,%[Track 1 cipher]?;[Track II cipher]?

The sentinels are required to maintain track identification. Regardless of format, extraneous sentinels or delimiters are discarded after decryption. Where the device already supplies the sentinels (format preserving encryption), the POS need not add them.

For Store and Forward transactions, the response from Simplify provides the encrypted track or account number, which can be stored locally in the POS until the transaction is resubmitted to Fusebox. Refer to the Simplify Developer Guide for more information.

Characteristics: A/N 1-128 Characters

Supplied by (Simplify, Voltage or POS): Simplify or POS
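As an added example (not code from Elavon, Simplify or Verifone), the Python below assembles and parses the Bring Your Own Device field 0003 value in the layout above, enforcing the sentinels and the 255-byte limit; the cipher strings are constructed placeholders, not real ciphertext.

```python
import base64
import re
from typing import Tuple

# Constructed placeholder values standing in for the two opaque ciphers an
# encrypting device would return; they are not real track ciphertext.
TRACK1_CIPHER = base64.b64encode(b"constructed-track1-cipher").decode("ascii")
TRACK2_CIPHER = base64.b64encode(b"constructed-track2-cipher").decode("ascii")

MAX_0003_BYTES = 255                  # ciphers plus sentinels, per the page
_SENTINELS = re.compile(r"[%?;]")     # track sentinels used by the layout
_LAYOUT = re.compile(r"0003,%([^%?;]*)\?;([^%?;]*)\?")


def build_field_0003(track1_cipher: str, track2_cipher: str) -> str:
    """Assemble the Bring Your Own Device value for API field 0003:
    0003,%[Track 1 cipher]?;[Track II cipher]?

    Sentinels already present in a format-preserving cipher are stripped
    first, so a device that supplies them and one that does not produce the
    same wire value and the track boundaries stay unambiguous.
    """
    t1 = _SENTINELS.sub("", track1_cipher)
    t2 = _SENTINELS.sub("", track2_cipher)
    for cipher in (t1, t2):
        if not (cipher.isascii() and cipher.isprintable()):
            raise ValueError("ciphers must be delimited base64 or plain ASCII")
    value = "%" + t1 + "?;" + t2 + "?"
    if len(value.encode("ascii")) > MAX_0003_BYTES:
        raise ValueError("field 0003 would exceed %d bytes" % MAX_0003_BYTES)
    return "0003," + value


def parse_field_0003(field: str) -> Tuple[str, str]:
    """Split a field 0003 value into (track1_cipher, track2_cipher).

    Either track may be empty, but both sentinel pairs must be present:
    the sentinels are what keeps track identification through decryption.
    """
    m = _LAYOUT.fullmatch(field)
    if m is None:
        raise ValueError("field 0003 does not follow the %...?;...? layout")
    return m.group(1), m.group(2)


if __name__ == "__main__":
    wire = build_field_0003(TRACK1_CIPHER, TRACK2_CIPHER)
    print(wire)
    print(parse_field_0003(wire))
```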

API Field: 0004

Description: Expiration Date

The expiration date field is left blank when sending transactions to Simplify.

The expiration date is returned in the response and must be stored in the POS for future transactions. A valid expiration date is required to submit a new transaction (with the exception of a return, which can be processed to an expired card).

Verifone VSP special processing: with Verifone, the expiration date is modified when the card data is encrypted. For Classic Key, 32 years are added to the expiration date; for Derived Key, 44 years are added.

For Bring Your Own Device with Verifone VSP, note that the expiration date from the device will not match the card expiration date.

Characteristics: N, Date, 4 (MMYY)

Supplied by (Simplify, Voltage or POS): Simplify and POS

API Field: 0050

Description: CVV2 or CVC2 or CID (Voltage only)

If a card is manually entered at the terminal, the CVV2, CVC2 or CID is encrypted before being passed to Fusebox. The encrypted value may be up to 10 alphanumeric characters long.

For Bring Your Own Device integration with Voltage, the POS may need to pass this information from the device directly to Fusebox.

Characteristics: A/N 3-10 Characters

Supplied by (Simplify, Voltage or POS): Simplify, Voltage or POS

API Field: 1008

Description: Masked Account Number and Token Request field

Although tokenization is not required for P2PE, it is required for two part or complex lifecycle transactions (lodging and fine dining). Using tokens for one part (sale) transactions is strongly recommended: without a token in the POS, there is no value to present to Fusebox on future transactions (void or return).

Characteristics: A/N 1-21

Supplied by (Simplify, Voltage or POS): POS

API Field: 5002

Description: Device Serial Number

In a Bring Your Own Device integration with Voltage, the POS needs to send the serial number from the device.

Note: In Store and Forward processing, the serial number of the original device must be passed with the original Chain Code, Location, Terminal ID, and encrypted data from the original transaction.

Characteristics: A/N 1-20 Characters

Supplied by (Simplify, Voltage or POS): Simplify, Voltage or POS

API Field: 5004

Description: Encryption Provider ID (Verifone values)

a) S1 = Verifone Classic Key (not available for new implementations)

b) V1 = Verifone Derived Key

Note: A site boarded for P2PE will return an error if the encryption provider ID is not supplied, or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number.

Characteristics: A/N 1-20 Characters

Supplied by (Simplify, Voltage or POS): POS

API Field: 5004

Description: Encryption Provider ID (Voltage values)

G2 = Voltage type TEP2

G3 = Voltage type TEP3

Notes:

A site boarded for P2PE will return an error if the encryption provider ID is not supplied, or if the data is not properly encrypted when processed to the Chain Code, Location, Terminal ID, and serial number.

Only TEP2 is supported at this time.

5004 Error

If a terminal's tc_e2e_device_type (from the Terminal Control Record) is loaded with a value, and the terminal request message did not contain either a matching value in gwa_e2e_device_type (API field 5004) or a card token (API field 0003), the message is rejected with the following response code and text:

API_1003_TERM_RESP_CODE = 0286
API_1010_TERM_RESP_TEXT = CARD NOT ENCRYPT
API_1004_HOST_RESP_TEXT = CARD NOT ENCRYPT

Characteristics: A/N 1-20 Characters

Supplied by (Simplify, Voltage or POS): Voltage or POS
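The 5004 rejection rule above, modelled as an added example (not Elavon's gateway code): the check takes the Terminal Control Record value, the request fields keyed by API field number, and a constructed token set standing in for the gateway's record of issued tokens, which is an assumption since the page does not say how a token in field 0003 is recognized.

```python
from typing import Dict, Optional, Set

# Encryption provider IDs listed on this page for API field 5004.
PROVIDER_IDS = {
    "S1": "Verifone Classic Key (not available for new implementations)",
    "V1": "Verifone Derived Key",
    "G2": "Voltage type TEP2",
    "G3": "Voltage type TEP3",
}
UNSUPPORTED_PROVIDER_IDS = {"G3"}     # only TEP2 is supported at this time

# Response fields returned when the rule below rejects a message.
RESP_CARD_NOT_ENCRYPT = {
    "1003": "0286",                   # API_1003_TERM_RESP_CODE
    "1010": "CARD NOT ENCRYPT",       # API_1010_TERM_RESP_TEXT
    "1004": "CARD NOT ENCRYPT",       # API_1004_HOST_RESP_TEXT
}


def validate_provider_id(provider_id: str) -> Optional[str]:
    """Return a reason string if field 5004 cannot be accepted, else None."""
    pid = provider_id.strip()
    if pid not in PROVIDER_IDS:
        return "unknown encryption provider ID: %r" % pid
    if pid in UNSUPPORTED_PROVIDER_IDS:
        return "%s (%s) is not supported" % (pid, PROVIDER_IDS[pid])
    return None


def check_e2e_device_type(terminal_record: Dict[str, str],
                          request: Dict[str, str],
                          token_vault: Set[str]) -> Optional[Dict[str, str]]:
    """Apply the 5004 rule: return the rejection fields, or None to accept.

    terminal_record holds tc_e2e_device_type from the Terminal Control Record;
    request maps API field numbers to values (5004 = gwa_e2e_device_type).
    token_vault is a constructed stand-in for the gateway's issued tokens:
    a 0003 value found in it is treated as a card token (assumption).
    """
    loaded = (terminal_record.get("tc_e2e_device_type") or "").strip()
    if not loaded:
        return None                   # not boarded for P2PE: rule does not apply
    if (request.get("5004") or "").strip() == loaded:
        return None                   # provider ID matches the boarded device type
    if (request.get("0003") or "") in token_vault:
        return None                   # a card token carries no card data to encrypt
    return dict(RESP_CARD_NOT_ENCRYPT)
```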

API Field: 5005

Description: Encryption Transaction Block

This is a Voltage value supplied by the terminal as the ETB with all encrypted transactions and used to decrypt the account number supplied in API field 0003. The data is Base64 of up to 512 bytes.

In a Bring Your Own Device integration with Voltage, the POS needs to send the Encryption Transaction Block from the device.

Characteristics: A/N 1-512 Characters

Supplied by (Simplify, Voltage or POS): Simplify, Voltage or POS