PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements.

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know

  8. Identify and authenticate access to system components

  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

In short, PCI DSS requirements apply to any organization, and any system component, where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted.

Cardholder data and sensitive authentication data are defined as follows:

Account Data

  Cardholder Data includes:

    • Primary Account Number (PAN)

    • Cardholder Name

    • Expiration Date

    • Service Code

  Sensitive Authentication Data includes:

    • Full track data (magnetic-stripe data or equivalent on a chip)

    • CAV2/CVC2/CVV2/CID

    • PINs/PIN blocks

The practical difference between the two is that cardholder data may be stored if it is protected as Requirement 3 specifies, whereas sensitive authentication data must never be stored after authorization, even in encrypted form.

Overview of Vantiv iFrame Mechanism

  1. When a customer is ready to enter their cardholder data into EngageIP, the EngageIP (EIP) server delivers a form to the customer's web browser; the form loads the iFrame URL hosted by the Vantiv eProtect server.

  2. The customer enters their Primary Account Number (PAN), security code (card verification value) and expiration date into the iFrame fields and clicks the submit button on the merchant's page, which calls the eProtect server. Within the hosted iFrame, JavaScript encrypts the cardholder data with a public/private key pair known only to Vantiv and rotated every 24 hours (RSA, 2048-bit, ECB mode with PKCS#1 padding) and sends the encrypted message to the eProtect server over HTTPS/TLS 1.2 (certificate issued by GeoTrust Global CA, signed with SHA-1/RSA, 2048-bit key) through a third-party CDN, as an HTTPS GET request. eProtect returns a non-sensitive, low-value token called a Registration ID in place of the PAN. Because the cardholder data is typed into the Vantiv-hosted iFrame, the EngageIP page and server never see the PAN or the security code. (Browsers no longer trust SHA-1 certificate signatures, so verify the certificate chain eProtect actually presents today rather than relying on the details quoted here.)

  3. The EngageIP web page submits the Registration ID and the non-cardholder data elements to the EngageIP server, which processes the order and generates an authorization request to Vantiv carrying the Registration ID.

  4. When the authorization request arrives at Vantiv's payment processing platform, the Registration ID is sent to Vantiv's data security platform, where it is detokenized and converted to a high-value token, Vantiv's OmniToken. The OmniToken is returned to EngageIP in a LitleXML response, and EngageIP stores it as it would a credit card.
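The check an integrator wants on the server side of step 3, as an added example that is not EngageIP or Vantiv code: the handler that receives the browser's post should see only the Registration ID and non-cardholder fields, so it refuses any submission that smuggles a PAN or sensitive authentication data (which would otherwise pull the EngageIP server into PCI scope). The posted field names, including registrationId, and the sample form data are constructed for this example; the Registration ID value itself is exempt from the PAN test because its format is defined by Vantiv.

```python
import re

# Name of the posted field carrying the eProtect Registration ID (assumed for this
# example; use whatever name your form gives it). Its value skips the PAN check.
REGISTRATION_FIELD = "registrationId"
# Field names that would mean sensitive authentication data left the iFrame.
# Matched against the whole name so that e.g. "shipping" does not trip on "pin".
SAD_FIELD = re.compile(r"cvv2?|cvc2?|cav2|cid|pin(_?block)?|track[12]?", re.IGNORECASE)
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if any digit run in value has card-number length and passes Luhn."""
    for match in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def accept_submission(fields: dict) -> dict:
    """Gate for the form post from step 3: require the Registration ID and refuse
    anything that looks like a PAN or sensitive authentication data."""
    if not fields.get(REGISTRATION_FIELD):
        raise ValueError("missing Registration ID; card data must go through the iFrame")
    for name, value in fields.items():
        if name == REGISTRATION_FIELD:
            continue
        if SAD_FIELD.fullmatch(name):
            raise ValueError(f"field {name!r} must never reach this server")
        if looks_like_pan(str(value)):
            raise ValueError(f"field {name!r} carries what looks like a PAN")
    return fields


if __name__ == "__main__":
    # Constructed sample post: what a well-behaved page sends after the iFrame step.
    post = {"registrationId": "abc123", "cardholderName": "Jane Doe",
            "amount": "42.00", "orderNumber": "ORD-2016-0912"}
    print(accept_submission(post))
    try:
        accept_submission({"registrationId": "abc123", "note": "card 4111-1111-1111-1111"})
    except ValueError as err:
        print("rejected:", err)
```

Run this before anything is logged or persisted; a rejection here is a sign that the page was modified or that a field was wired to the wrong form, and the offending request body must not be written to logs.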

Hosted Payment Frame API

The Hosted Payment Frame consists of both a web service and an embeddable web page.

In order to access the web page, a call must first be made to the web service.

If the Hosted Payment Frame is installed at https://example.com/HostedPaymentPage/ then the web service is available at https://example.com/HostedPaymentPage/Services.svc

A SOAP call is made to https://example.com/HostedPaymentPage/Services.svc with the parameters for the operation. The web service returns a URL with an access token embedded in its query string.

This returned URL may then be used as the source of an iframe embedded in a page; that iframe displays the page for the requested operation. Because the SOAP call carries an EngageIP username and password (a WS-Security UsernameToken with a plain-text password), it must be made from your server over HTTPS, never from the browser. The returned URL is itself a bearer credential scoped to the CustomerId, so hand it only to the page that will embed the iframe and keep it out of logs.

Web Service

The web service available at https://example.com/HostedPaymentPage/Services.svc has one operation: GetUrl().

GetUrl() must be called with a single Parameters object detailing the operation to be performed.

Parameters contains the following fields:

CustomerId (integer)

  A valid account id in EngageIP. This is the account that all operations are performed on (payment methods are added to this account, payments are made from this account, and so on).

SessionEndDate (DateTime; any future date)

  The returned URL expires at SessionEndDate. After this time the URL is no longer valid and accessing it returns an error; a form that was loaded before this time can also no longer be submitted after it.

Locale (string; a Microsoft locale string such as en-US)

  The locale used to display the requested page. It determines the number format, date/time format, currency symbols, and the language (if a translation to the requested language exists) on the requested page.

Operation (enum; one of the following)

    ONE_TIME_CREDIT_CARD_PAYMENT
    ONE_TIME_CREDIT_CARD_TOKEN_PAYMENT
    ADD_CREDIT_CARD_PAYMENT_METHOD
    ADD_CREDIT_CARD_TOKEN_PAYMENT_METHOD
    MAKE_PAYMENT

  The operation to be performed.

PaymentTypeID (integer; a Payment Type ID from the list of Payment Types in the Setup area)

  For the ONE_TIME_CREDIT_CARD_PAYMENT and ADD_CREDIT_CARD_PAYMENT_METHOD operations, the Payment Type must be a Credit Card payment type. For ONE_TIME_CREDIT_CARD_TOKEN_PAYMENT and ADD_CREDIT_CARD_TOKEN_PAYMENT_METHOD, it must be a Credit Card Token payment type.

Sample Request XML

<x:Envelope xmlns:x="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/" xmlns:hos="http://schemas.datacontract.org/2004/07/HostedPaymentPage">
  <x:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">SomePassword&amp;</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </x:Header>
  <x:Body>
    <tem:GetUrl>
      <tem:parameters>
        <hos:CustomerId>153</hos:CustomerId>
        <hos:Locale>en-US</hos:Locale>
        <hos:Operation>ONE_TIME_CREDIT_CARD_PAYMENT</hos:Operation>
        <hos:PaymentTypeID>1</hos:PaymentTypeID>
        <hos:SessionEndDate>2016-09-09T00:00:00</hos:SessionEndDate>
      </tem:parameters>
    </tem:GetUrl>
  </x:Body>
</x:Envelope>

The password is element text, so XML special characters in it must be escaped: a password containing & is sent as &amp; (a raw & leaves the envelope malformed and the call is rejected). Keep the fields inside parameters in the order shown.

Sample Response XML

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2016-09-09T13:22:30.064Z</u:Created>
        <u:Expires>2016-09-09T13:27:30.064Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <GetUrlResponse xmlns="http://tempuri.org/">
      <GetUrlResult xmlns:a="http://schemas.datacontract.org/2004/07/HostedPaymentPage" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <a:WebPageUrl>https://qa-vm-85264/HostedPaymentPage/Payment/CreditCard/OneTime?Token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjdWx0dXJlIjoiZW4tVVMiLCJjaWQiOiIxNTMiLCJwbXQiOiIxIiwib3AiOiIwIiwiaXNzIjoic2VsZiIsImF1ZCI6Imh0dHA6Ly9xYS12bS04NTI2NC9Ib3N0ZWRQYXltZW50UGFnZS8iLCJleHAiOjE0NzM0ODAwMDAsIm5iZiI6MTQ3MzQyNzMzOH0.K15DrbQ4J9CURC1tpfPskJ8cRBZ9VyxycTerSZUOMYQ</a:WebPageUrl>
      </GetUrlResult>
    </GetUrlResponse>
  </s:Body>
</s:Envelope>
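The GetUrl round trip, as an added example that is not LogiSense or EngageIP code: it builds the request envelope from the sample's field values with an XML serializer (so the & in SomePassword& is escaped correctly), then, instead of a live call, parses the sample response above, extracts WebPageUrl, and decodes the token in its query string to show what the URL is bound to (cid, pmt, op, aud, nbf, exp). The SAMPLE_NOW clock and the function names are this example's own assumptions; the token's HS256 signature cannot be checked here because the key stays on the Hosted Payment Frame server, so peek_token is inspection only.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Tuple
from urllib.parse import parse_qs, urlparse

# Namespaces exactly as they appear in the page's sample request and response.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
TEM = "http://tempuri.org/"
HOS = "http://schemas.datacontract.org/2004/07/HostedPaymentPage"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
OPERATIONS = {"ONE_TIME_CREDIT_CARD_PAYMENT", "ONE_TIME_CREDIT_CARD_TOKEN_PAYMENT",
              "ADD_CREDIT_CARD_PAYMENT_METHOD", "ADD_CREDIT_CARD_TOKEN_PAYMENT_METHOD",
              "MAKE_PAYMENT"}
NS = {"s": SOAP, "t": TEM, "a": HOS}

# Constructed clock values for the offline run (the page's sample was issued on 2016-09-09).
SAMPLE_NOW = datetime(2016, 9, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSION_END = datetime(2016, 9, 9, tzinfo=timezone.utc)

# The page's sample GetUrl response, used as canned input in place of a live call.
SAMPLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
    '<s:Header><o:Security s:mustUnderstand="1" '
    'xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    '<u:Timestamp u:Id="_0"><u:Created>2016-09-09T13:22:30.064Z</u:Created>'
    '<u:Expires>2016-09-09T13:27:30.064Z</u:Expires></u:Timestamp></o:Security></s:Header>'
    '<s:Body><GetUrlResponse xmlns="http://tempuri.org/">'
    '<GetUrlResult xmlns:a="http://schemas.datacontract.org/2004/07/HostedPaymentPage" '
    'xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:WebPageUrl>'
    'https://qa-vm-85264/HostedPaymentPage/Payment/CreditCard/OneTime?Token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjdWx0dXJlIjoiZW4tVVMiLCJjaWQiOiIxNTMiLCJwbXQiOiIxIiwib3AiOiIwIiwiaXNzIjoic2VsZiIsImF1ZCI6Imh0dHA6Ly9xYS12bS04NTI2NC9Ib3N0ZWRQYXltZW50UGFnZS8iLCJleHAiOjE0NzM0ODAwMDAsIm5iZiI6MTQ3MzQyNzMzOH0.K15DrbQ4J9CURC1tpfPskJ8cRBZ9VyxycTerSZUOMYQ'
    '</a:WebPageUrl></GetUrlResult></GetUrlResponse></s:Body></s:Envelope>'
)


def build_get_url_request(username, password, customer_id, locale, operation,
                          payment_type_id, session_end, now=None) -> bytes:
    """Serialize the GetUrl envelope with ElementTree so that '&', '<' and quotes in
    the password are escaped, and enforce the Parameters rules from the table."""
    now = now or datetime.now(timezone.utc)
    if operation not in OPERATIONS:
        raise ValueError(f"unknown Operation {operation!r}")
    if session_end <= now:
        raise ValueError("SessionEndDate must be a future date")
    for prefix, uri in (("x", SOAP), ("tem", TEM), ("hos", HOS), ("wsse", WSSE)):
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT).text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    params = ET.SubElement(ET.SubElement(body, f"{{{TEM}}}GetUrl"), f"{{{TEM}}}parameters")
    # Same field order as the page's sample request.
    fields = (("CustomerId", customer_id), ("Locale", locale), ("Operation", operation),
              ("PaymentTypeID", payment_type_id),
              ("SessionEndDate", session_end.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")))
    for name, value in fields:
        ET.SubElement(params, f"{{{HOS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8")


def sample_request() -> bytes:
    """The page's sample request rebuilt from its values (admin / SomePassword&)."""
    return build_get_url_request("admin", "SomePassword&", 153, "en-US",
                                 "ONE_TIME_CREDIT_CARD_PAYMENT", 1,
                                 SAMPLE_SESSION_END, now=SAMPLE_NOW)


def web_page_url(soap_response: str) -> str:
    """Extract WebPageUrl from a GetUrl response."""
    node = ET.fromstring(soap_response).find(
        "s:Body/t:GetUrlResponse/t:GetUrlResult/a:WebPageUrl", NS)
    if node is None or not node.text:
        raise ValueError("GetUrl response carries no WebPageUrl")
    return node.text.strip()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def peek_token(url: str) -> Tuple[dict, dict]:
    """Decode the JWT in the Token query parameter WITHOUT verifying it: the HS256
    key lives on the Hosted Payment Frame server, so the caller can only inspect."""
    token = parse_qs(urlparse(url).query)["Token"][0]
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def seconds_until_expiry(url: str, now: datetime) -> int:
    """Seconds the URL can still be embedded; negative once exp has passed."""
    _, claims = peek_token(url)
    return claims["exp"] - int(now.timestamp())


if __name__ == "__main__":
    print(sample_request().decode())
    url = web_page_url(SAMPLE_RESPONSE)
    header, claims = peek_token(url)
    print(header["alg"], claims["cid"], claims["op"], seconds_until_expiry(url, SAMPLE_NOW))
```

The decoded claims show why the URL must be treated as a credential: it names the account (cid 153), the payment type (pmt 1) and the operation (op 0), and it carries nbf/exp, so anyone holding the URL before exp can open the payment page for that account. Because only the server holds the HS256 key, a tampered cid or op in the query string fails verification on the server; the merchant side cannot and should not try to validate the signature itself.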
