PCI P2PE - World's first PCI-P2PE certified mPOS app


Upload: handpoint-mobile-pos

Post on 30-May-2015


DESCRIPTION

“Mobile Point-Of-Sale is not just for micro merchants,” says David Gudjonsson, CEO and Co-founder of Handpoint. “There has been tremendous adoption of mPOS by micro-merchants, but security compliance and IT integration have created cost and complexity barriers for larger merchants. Our system has been designed from the ground up to overcome these challenges; the combination of our API and P2PE security significantly reduces the time and cost it takes for merchants to introduce Chip and PIN payments with mobile devices.”


Introduction

Handpoint mobile POS offers any merchant, from market traders to multinational retailers, a simple and secure way to accept Chip and PIN card payments with a mobile device. The company turned to information security experts Foregenix for the PCI P2PE accreditation process, and the results enabled Handpoint to become the first company in the world to become PCI P2PE certified for a Mobile POS application.

About Handpoint

Handpoint is an mPOS platform provider, enabling developers to add highly secure EMV payments to their applications. With 13 years’ experience in the payments market, the company and its senior executives pioneered major innovations in the mobile payments market, including developing Mobile Point-Of-Sale (MPOS) for the airline industry in 2003 and the world’s first Chip and PIN mPOS solution for a handheld device at Manchester United FC’s stadium in 2007.

Handpoint works closely with major payment players including Visa and MasterCard, and its new mPOS solution meets the most stringent mobile payment security standards in the world.

www.handpoint.com

The Challenge

In 2008 Handpoint recognised the potential for mobile technology as a flexible, cost effective way for merchants of all sizes to accept payments, so set about developing its mobile POS solution. However, Handpoint was always aware of the potential security risks surrounding mobile devices like smartphones and tablets and knew ensuring safe payments would be vital to succeed.

“Mobile Point-Of-Sale is not just for micro merchants,” says David Gudjonsson, CEO and Co-founder of Handpoint. “There has been tremendous adoption of mPOS by micro-merchants, but security compliance and IT integration have created cost and complexity barriers for larger merchants. Our system has been designed from the ground up to overcome these challenges; the combination of our API and P2PE security significantly reduces the time and cost it takes for merchants to introduce Chip and PIN payments with mobile devices.

“This means that all merchants, irrespective of size, can focus on how mPOS can transform the customer experience they provide. We identified point-to-point encryption (P2PE) as a solution to help us overcome the security, compliance and integration barriers that have prevented enterprise retailers from embracing mobile payments. But we didn’t want to stop there, it has always been our mission to offer the most secure mobile POS solution available on the market, so we wanted to be the first mobile POS company to offer a PCI P2PE certified payment application.”

P2PE means that no payment card data is stored in the retailers’ own systems, so security levels are maintained and the risk of fraud or data loss is minimised. The PCI-certified P2PE application sits on the EMV L1+L2 and PCI-PTS v3.x (SRED) accredited Handpoint card reader, not on the smartphone or tablet. The card reader encrypts card data immediately at the point of capture and transmits it to the bank via Handpoint’s PCI-DSS compliant Gateway; the mobile device only relays ciphertext it cannot decrypt. This architecture takes the smartphone or tablet payment application out of scope for further certifications.
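The reader-encrypts, app-relays, gateway-decrypts flow described above, as an added illustration in Go that is not Handpoint’s or Foregenix’s code: it assumes one constructed static AES-256-GCM key shared by reader and gateway, where a real P2PE solution would manage per-transaction keys inside the PTS device, and it checks that the relaying app never holds a plaintext PAN and that a blob altered in transit is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed demo key shared by the reader and the gateway decryption environment;
// a real P2PE solution derives per-transaction keys (e.g. DUKPT) inside the PTS device.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ReaderEncrypt runs inside the SRED card reader: the PAN is encrypted before it
// leaves the PTS device. Output is nonce || ciphertext || tag, with txnMeta as AAD.
func ReaderEncrypt(key, pan, txnMeta []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pan, txnMeta), nil
}

// AppCanSeePAN models the phone or tablet app, which only relays the opaque blob.
func AppCanSeePAN(blob, pan []byte) bool { return bytes.Contains(blob, pan) }

// GatewayDecrypt runs in the decryption environment; GCM auth rejects blobs altered in transit.
func GatewayDecrypt(key, blob, txnMeta []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], txnMeta)
}
```

Binding the transaction metadata as AAD means a blob captured for one amount cannot be replayed against a different one, which is why the gateway must be given the same metadata the reader used.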

The auditing process for official certification is intensive, with businesses having to verify that they operate in accordance with the full PCI DSS criteria for P2PE applications, including very specific technical requirements. This includes everything from product design and software code, business processes, manufacturing, documentation and more.

“The more we looked into the certification process the more we realised just how intensive it was going to be. We knew we would need the support of an expert if we were going to be the first on the market to gain the accreditation for an mPOS solution,” said Steinar Sigmarsson, CSA at Handpoint.

Case Study: Foregenix secures Handpoint as the world’s first PCI-accredited P2PE Mobile POS application


The Solution

Handpoint turned to Foregenix and its industry leading Qualified Security Assessors (QSAs) to support the development of its P2PE application and the accreditation process. The P2PE certification process was completed in three steps including pre-compliance/gap analysis, application testing and a final compliance audit.

“We chose Foregenix because of its experience in electronic payments security and good reputation,” explained Steinar. “It was easy to explain our solution to Foregenix, and their in-depth consultative approach meant we had a clear understanding of the P2PE accreditation requirements and options relevant to us from the beginning.”

As the first step in the process, Foregenix worked with Handpoint to build a structured framework that established a baseline level of compliance and addressed any areas of non-compliance. This included a review of the solution specifications and internal processes with regards to the secure handling of card readers and software.

Steinar continued, “Once this was complete we set about filling in the gaps, all under the guidance of Foregenix. This approach proved essential in ensuring we were making the right decisions and updates from day one, potentially saving us a huge amount of time and money in the long run.”

Once Handpoint had completed the necessary documentation and software updates, it was time to undergo the final assessment. Carried out by a Foregenix P2PE Qualified Security Consultant (P2PE-QSA), this included a review of the final solution documents, a code review on the payment software and interviews with Handpoint’s staff. The solution was also submitted for further examination by Foregenix’s test lab. Once Handpoint’s P2PE application had been validated by Foregenix, the solution documents were submitted to the Payment Card Industry Security Standards Council (PCI SSC) for the final stamp of approval.

The Results

Achieved the world’s first PCI P2PE certified mPOS application

Decreased PCI burden for Handpoint mPOS merchants by making it simpler to become compliant

Reduced the cost and time involved in the certification process

“Thanks to the support and expertise provided by Foregenix, we have utilised P2PE to overcome the barriers that have prevented enterprise retailers in Europe from embracing mobile payments. Our PCI-accredited mPOS application reduces the cost and time burden on enterprise retailers to gain individual PCI accreditation, and represents the most secure way to introduce Mobile Point-Of-Sale. The feedback we have received from merchants has been very positive,” said David Gudjonsson, Handpoint’s CEO.

About Foregenix

Foregenix is an independent, specialist data security business that is closely tied and responsive to the payments industry, with innovation and expertise at the heart of all its activity. Established in 2009, Foregenix offers simple, effective and strategic consultancy services and industry-leading data security products to its global client base.

UK Office: 8-9 High Street, Marlborough SN8 1AA, UK. Tel: +44 (0) 845 309 6232. Fax: +44 (0) 845 309 6231

South African Office: PO Box 171, River Club 2149, South Africa. Tel: +27 860 44 4461. www.foregenix.com