View Full Version : Virtual Terminal solution
gerald.fehringer
11-30-2009, 07:56 AM
Hi payment pros,
I'm just curious about the various existing virtual terminal solutions; many of them are PA-DSS certified and also offer some hardware add-on for card swiping, which I assume is PCI PTS aka PED certified.
So if I use such a solution, I could say I use end-to-end encryption and therefore PCI is out of scope, as all solutions are using some kind of SSLv3/TLS transport layer and no sensitive data needs to be saved for this online transaction process at any point, and the merchant only gets back the usual payment details & confirmation.
So if you are in Europe, many times you have to use an EMV Level 2 certified software kernel to access the low-level calls to the card reader.
Does anyone know if there is such kind of certified virtual terminal/payment processing solution available in Europe?
Also, are there auto-fill capabilities from the card reader into these virtual terminal solutions?
Thanks,
Gerald
lyalc
11-30-2009, 11:38 PM
Let's clarify a couple of confusing assumptions here.
1. PCI PED = assurance over PIN entry and PIN encryption key management, and is oriented as a hardware/firmware certification, not software.
PCI PTS is an additional overlay on PCI PED.
If the device is not used for PIN entry, it probably isn't PCI PED certified, nor secure.
2. PCI DSS still applies on the device doing the encryption, as the card data is also present in unencrypted form. It's only 'downstream' devices/infrastructure that may or may not be out of scope, if the card data cannot ever be decrypted in that downstream device/infrastructure.
3. Often (not always), the response message includes PAN and/or Track 2 as well as the authorisation response, depending on the payment gateway and the functionality it provides. This will put the originating device back into scope.
lyalc
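As an added illustration of point 3 above (this is not code from the thread, from lyalc, or from any payment gateway): a small scanner that inspects an authorisation response and reports whether it carries a full PAN or Track 2 data, which is what would pull the originating terminal back into PCI DSS scope. The key=value response format and the card numbers are constructed test values; real gateways use their own message formats, so the regular expressions are an assumption to adapt, not a description of any product. Candidate numbers are Luhn-checked so that reference numbers of similar length are not reported, and the scanner returns PANs masked (first six, last four) so that the check itself does not end up logging cardholder data.

```python
import re

# Track 2 as encoded on a magnetic stripe (ISO/IEC 7813):
#   ;<PAN>=<YYMM><service code><discretionary data>?
# Sentinels are optional here because some gateways strip them.
TRACK2_RE = re.compile(r';?(\d{13,19})=(\d{4})(\d{3})(\d*)\??')

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not adjacent to further digits or to '*' (which would indicate a masked PAN).
PAN_RE = re.compile(r'(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])')

# Constructed sample responses (hypothetical format, not any real gateway's).
# "masked": the gateway returns a truncated PAN only.
# "full_pan": the gateway echoes the full PAN; "ref" is a non-card number.
# "track2": the gateway echoes the swiped Track 2 data.
SAMPLE_RESPONSES = {
    "masked": "resp=00&auth=123456&pan=411111******1111&rrn=912345678901",
    "full_pan": "resp=00&auth=123456&pan=4111111111111111&ref=1234567890123456",
    "track2": "resp=00&auth=654321&track2=;5500000000000004=1212101123456789?",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) to filter out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits, which is what PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(message: str) -> list:
    """Return [(kind, masked_pan), ...] for every full PAN or Track 2 found in the message."""
    findings = []
    seen = set()
    # Track 2 first: its PAN would otherwise also be reported a second time as a bare PAN.
    for m in TRACK2_RE.finditer(message):
        pan = m.group(1)
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            findings.append(("track2", mask(pan)))
    for m in PAN_RE.finditer(message):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            findings.append(("pan", mask(pan)))
    return findings


def response_puts_device_in_scope(message: str) -> bool:
    """True when the response returns cardholder data in the clear to the originating device."""
    return bool(find_cardholder_data(message))


if __name__ == "__main__":
    for name, msg in SAMPLE_RESPONSES.items():
        print(name, response_puts_device_in_scope(msg), find_cardholder_data(msg))
```

Run the block as-is and only the "full_pan" and "track2" samples are reported; the masked response and the sixteen-digit reference number (which fails the Luhn check) are not. Running this against captured gateway responses in a test environment is a quicker way to settle the scope question than reading the gateway's integration guide, and it works on any text-based response format once the patterns are adjusted.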
gerald.fehringer
12-01-2009, 12:27 AM
Hi lyalc,
first of all, many thanks for your quick reply!
I thought PED falls into the (new) PCI SSC PTS compliance category, through the fact that the SSC realized PIN Transaction Security is a broader topic than just focusing on the PIN pad itself - anyway.
How can PCI DSS apply if you use a virtual terminal solution where you connect through a traditional HTTPS/TLS communication layer and use their PCI PA-DSS approved frontend (applets, whatever)? So even when typing in the customer details, this is all done server-side only?
Thanks for the clarification, and excuse my lame background,
Gerald
jbhall56
12-01-2009, 04:35 AM
The PCI DSS applies from the standpoint that ultimately a merchant will implement this solution and it must also comply with the PCI DSS in that environment.
It's great that the PA-DSS is followed and everything is secure from that standpoint. However, in most cases, once it's out in the field, the person implementing it there can implement it in an insecure fashion, and some or all of your PA-DSS controls can possibly be circumvented because of the poor final implementation.
The merchant can choose weak encryption keys. They can put the solution on a non-switched network. They could use shared accounts and passwords. The list goes on and on. As a result, there are numerous things outside of your control that could happen, all of which have a potential impact on the security of the solution even though it is PA-DSS certified.