How to reduce the burden of PCI DSS compliance while relying on a secure omni-channel payment solution?
By removing sensitive cardholder data from the merchant's in-store environment our PCI certified Point-To-Point Encryption (P2PE) solution is designed to reduce the burden of PCI DSS compliance as well as operational and compliance costs. The solution has been developed in partnership with Mastercard Payment Gateway Service. Both companies have a long-standing partnership, providing secure payment solutions specifically designed for our train and transit operators in the UK and Ireland.
To move our technology to the next level, we teamed up with Mastercard Payment Gateway Services, a well-known and trusted payments provider, capable of enhancing consumer experience, ensuring the highest level of security and utilising the latest technology and payment innovations.
The requirements for a forward-looking solution were simple and clear:
- A highly secure and scalable payment processing platform for unattended ticket machines, including omni-channel tokenisation to support tickets purchased online and collected at self-service terminals at train stations.
- A fast, reliable and fully managed Point-To-Point Encryption (P2PE) solution to securely remove sensitive payment data from merchants' systems and reduce the cost associated with PCI compliance, whilst providing the best in class integration to existing ticket machines and offering flexibility to both operators and consumers.
- Integration of innovative solutions, like Apple Pay and contactless.
- Quick and efficient implementation across multiple UK locations.
By working collaboratively, Mastercard Payment Gateway Services was able to meet those requirements and offer a unique solution that not only addressed the customer's existing challenges but also helped to future proof their business.
The PCI certified Point-To-Point Encryption (P2PE) technology encrypts sensitive cardholder data at the point of in-store card acceptance, thus rendering the data useless, if it fell into the hands of a cyber-criminal. Once encrypted, cardholder data remains encrypted until it reaches Mastercard’s omni-channel payment gateway environment, where it is decrypted for onward bank processing.
The solution is designed to reduce the burden of PCI DSS compliance, remove sensitive cardholder data from the merchant's in-store environment and reduce operational and compliance costs.
The P2PE standard is comprised of six domains:
- Encryption Device Management
- Application Security
- Merchant Encryption Environment
- Segmentation between Encryption and Decryption Environments
- Decryption Environment
- P2PE Key Management Operations
Mastercard Payment Gateway Services has elected to validate against the requirements of the PCI-DSS P2PE hardware/hardware specification and utilise hardware based encryption and decryption. This means that secure cryptographic devices are employed for both encryption and decryption.
Additionally, their industry leading Tokenisation solution, which converts sensitive card data into secure omni-channel tokens, allows merchants to provide an enhanced consumer experience across different channels, by facilitating the increasingly popular click & collect model. That removes the need to store the card data within the merchant's environment and further reduces their PCI scope.
To make the payment journey even more convenient, consumers who make their purchases at physical locations/train stations, as opposed to online, can benefit from the speed and efficiency of the contactless technology, using either their card or a mobile phone/smart watch to complete the payment with a simple tap.
Each stage of the implementation was carefully planned and executed, ensuring that the following phase of the project was being prepared to go live at the same time. Mastercard Payment Gateway Services worked with us to agree specific criteria to not only outline what the pilot would include, where it would be completed and how long it would last, but also to clearly identify at the end of this timeframe whether the pilot had been successful.
The full P2PE encrypted traffic went live during the summer of 2017 and currently includes the following services:
- Processing authorisations, settlement and Point-To-Point Encryption.
- Deployment of Verifone's UX series unattended PIN pad devices into customer locations for readiness of P2PE rollout.
- Using Scheidt & Bachmann's in-house developed payment client application, operating on VeriFone's UX series devices and consuming our gateway on a "host to host" basis, ensuring consistency and the highest quality of service.
- Implementing contactless technology into most transit operations and seeing significant uplift in contactless transactions – approximately 20-25% of card payments currently being made via a contactless enabled device.
- Supporting Cardholder Present transactions to over 75% of all the UK & Ireland's major transit operation companies.
- Processing over 50 million transactions per annum, showing significant rise from 2016.
Throughout the partnership, Mastercard Payment Gateway Services has continuously expanded their services for additional client projects:
- Maintaining a highly flexible contract, with continuously evolving requirements to ensure all of the latest industry standards and consumer demands are met.
- Supporting Scheidt & Bachmann's customers through numerous mandate changes, including the mandate to support contactless payments in an unattended environment.
- With our specialist Acquirer Certification team, we worked proactively to ensure we remain ahead of these mandated requirements, and were one of the first payment system providers to gain contactless approval with the Acquiring banks.
Scheidt & Bachmann's unrivalled systems combined with Mastercard Payment Gateway Services' unique technology enabled merchants to benefit from a secure omni-channel payment solution, which proved to deliver exceptional results, whilst utilising the latest innovation and significantly reducing the PCI scope.