Posted February 20, 2017 by FreedomPay

Retailers Plan to Invest in Omnichannel Excellence

Customers may not understand the term omnichannel, but they know they like it. A buyer expects a seamless experience that bridges the gap across in-store, web and mobile.

Behind the scenes, the retailer may be left with a whirl of disparate systems to manage, such as point-of-sale, payment processors and incentive engines. But the customer doesn’t care about these struggles. The customer experience across all touch points should be safe, secure and uniform.

Connected consumers aren’t going away, and retailers are still struggling with that fact. Forrester estimates B2B e-commerce will top $1.1 trillion and account for 12.1% of all B2B sales in the U.S. by 2020. On the consumer side, Forrester has forecast B2C e-commerce will grow to $480 billion in online sales by 2019.

Presenting a single face to the customer requires a deep integration of payment systems with a high-performance, secure user experience. That’s where retailers plan to invest in 2017, according to the RSR Research benchmark report. The research shows improved payment security is among retailers’ top priorities for 2017. Additionally, budgets show one in four retailers will implement analytics to evaluate cross-channel data over the next year, in efforts to understand and optimize omnichannel sales.

FreedomPay recognizes the challenge facing retailers implementing omnichannel experiences, and offers a unique system of three secure payment solutions to reduce PCI compliance requirements and deliver data security to retailers for payments across their many channels.

  1. FreedomPay’s Hosted Payment Page for ecommerce transactions is a white-labeled responsive design solution for accepting user payment information, authorizing transactions, and returning a tokenized authorization.
  2. With FreedomPay’s Payment Information Proxy, transaction and cardholder data from third-party sites, like Online Travel Agencies, is captured and tokenized prior to entering a point-of-sale or property management system, enabling merchants to maintain PCI compliance.
  3. FreedomPay’s Virtual Terminal solution with PCI-validated P2PE secures card-not-present transactions for inbound phone and back-office transactions by removing sensitive cardholder data from network environments.

As the world of commerce changes, so do the payment systems that support it. By combining FreedomPay’s three-tiered approach to omnichannel payments with its card-present payment security, FreedomPay provides retailers a growth platform that requires minimal reinvestment or operational overhead. If you’re investing in omnichannel, safeguard your investment with an enterprise payments platform that supports you and your customers every step of the way.

Posted February 07, 2017 by FreedomPay

Listed versus Non-Listed P2PE Solutions: What You Need To Know

The PCI Security Standards Council (PCI-SSC) recently released an assessment methodology for merchants using Point-to-Point Encryption (P2PE) solutions that have not yet been listed on the council’s website. The addition of the Non-Listed Encryption Solution Assessment (NESA) and the accompanying audit process provides merchants an expanded pool of encryption solutions beyond the current list of validated providers, allowing for a wider range of security offerings. Before deciding between a listed or a non-listed solution, however, it is important to understand the assessment requirements of each as they relate to the solution provider as well as the merchant.

The process for becoming a listed solution with the PCI-SSC begins with an audit performed by an independent, third-party Qualified Security Assessor (QSA) who has been certified for P2PE assessments. During this assessment, the P2PE QSA will evaluate the solution against the relevant controls outlined in the following six P2PE Domains:

  • Domain 1: Encryption Device and Application Management
  • Domain 2: Application Security
  • Domain 3: P2PE Solution Management
  • Domain 4: Merchant Managed Solutions (not applicable to 3rd party solution providers)
  • Domain 5: Decryption Environment
  • Domain 6: P2PE Cryptographic Key Operations and Device Management

For each applicable control, the P2PE QSA will collect evidence from the solution environment and observe all required procedures to ensure compliance with the standard. The results of the assessment are then documented using the P2PE Report on Validation (P-ROV) template, which is submitted directly to the PCI-SSC for final review. Once a representative of the PCI-SSC has approved and signed the submitted P-ROV, the solution will receive an official listing on the PCI website.

Since the PCI P2PE standard is still relatively new, and the process of implementing and validating a new or existing solution can be quite lengthy, the NESA process gives solution providers the ability to offer a degree of security assurance to customers, along with limited scope reduction, while they work towards a validated listing. Much like the process for becoming a listed solution, non-listed solution providers need to engage a P2PE QSA to perform an assessment of their solution. The requirements for this type of assessment, however, have been relaxed: a non-listed solution assessment can be completed without meeting the requirements of P2PE Domains 1, 2, or 3, but must meet all applicable requirements of Domains 5 and 6. Though the QSA will still complete a P-ROV for informational purposes, the end result of this assessment will also include a set of documents (referred to as the NESA documentation) which will include:

  • A description of the solution
  • A summary of the solution’s full compliance, partial compliance, or non-compliance with Domains 1, 2, and 3
  • A statement of compliance confirming the applicable requirements of Domains 5 and 6 are met
  • The assessing P2PE QSA’s recommendation as to how the solution impacts the merchant’s PCI scope

This set of documents serves the same purpose as a listed solution’s P-ROV or Attestation of Validation (AOV), without being submitted to the PCI Council or the payment brands, and will be used by PCI QSAs when assessing the PCI compliance of a merchant utilizing the non-listed solution. As with standard PCI certification documentation, the NESA documentation should be distributed to clients on an annual basis, and whenever there are significant changes to the system.

At the merchant level, the difference between implementing a listed versus a non-listed solution becomes apparent during the annual PCI DSS re-certification. A merchant using a listed solution in accordance with the solution provider’s P2PE Instruction Manual (PIM) and the prerequisites of the SAQ P2PE automatically qualifies for a drastic reduction in PCI scope when assessing its environment, because the security and isolation of credit card data has been verified by a representative of the PCI-SSC. This same level of scope reduction is not guaranteed with a non-listed solution, and will depend on what is permitted by the merchant’s acquirer as well as the payment brands. In some cases, the acquirer or payment brands may require the aid of a PCI QSA to review the solution provider’s NESA documentation and the merchant’s implementation of the solution to determine which PCI DSS requirements are covered, and to what degree. The results of this secondary solution assessment will determine which areas of the merchant environment are in scope for PCI, but will not qualify the merchant to utilize the SAQ P2PE.

Now that the door has been opened for the use of non-listed solutions that can still provide a measure of client scope reduction, it’s up to merchants to determine what they are comfortable with in terms of the controls evaluated at the solution provider, and the effort required on their end to properly implement the solution and maintain compliance. Listed or non-listed, the choice is yours, but merchants using a non-listed solution need to know they may be subject to additional assessments, which could result in additional long-term costs.

FreedomPay’s PCI-validated P2PE solution is a listed solution, and delivers merchants all the PCI scope-reducing benefits listed above. To learn more about FreedomPay’s payment security solutions, visit here.