Many campuses say that the ability to accept standard payment types such as credit and debit cards with OneCard is a function that they cannot live without. This includes payments at our terminals and online deposits. With the acceptance of these standard payment types come additional liability and system security concerns. I recently interviewed Joe Rogers, Heartland OneCard Director of Product Management, about some of these issues.
Fred Emery: As the Director of Product Management for OneCard, you work with systems as they relate to Payment Application-Data Security Standards (PA-DSS). Can you tell me a little more about what Heartland does to comply with PA-DSS for OneCard and what training you have gone through?
Joe Rogers: The OneCard system goes through a PA-DSS certification every year. This certification is not required but it helps our clients support their Payment Card Industry (PCI) compliance. Every three years, or when credit card processing changes are made to an application, it must be audited by a Qualified Security Assessor for re-certification. I oversee all audits that the OneCard software has undergone and have had training and received certification for Internal Security Assessor from the PCI Security Council. Due to our rigorous adherence to the standards, we are able to provide OneCard as a Validated Payment Application.
Fred Emery: It seems like many campuses are concerned about security as it relates to processing credit cards. What has Heartland done to enhance security with OneCard for acceptance of credit cards?
Joe Rogers: The OneCard software contains elements to allow adherence to PCI standards such as login timeouts and required password changes. OneCard also takes advantage of Secure Submit processing through Heartland. Secure Submit takes the OneWeb solution out-of-scope for using tokenization and provides a more secure environment for processing transactions.
Fred Emery: So what’s all the talk about EMV? Many campuses are asking about preparing for EMV.
Joe Rogers: EMV stands for Europay, Mastercard, and Visa. EMV is a global standard for chip cards used for credit or debit payments. You are starting to see these cards issued in the US; however, they have been issued in other countries for quite some time. In the past, the card issuer was liable for all fraudulent credit card transactions. In October 2015, the liability for fraud will shift to the merchant when a counterfeit chip card is used at a mag stripe terminal that is not capable of accepting the EMV chip. This is not related to a breach. It is referring to individual credit card transactions. This is not a mandate by the Payment Card Industry or the government but will change where the liability will lie. EMV provides a more secure environment than magnetic stripe cards.
Fred Emery: For OneCard, what is available to help campuses with EMV acceptance?
Joe Rogers: Heartland will have a solution that will leverage the PAX and Ingenico EMV PIN pad terminals for our OneCard POS terminals. This integration is a semi-integrated PIN (SIP) pad solution. This solution will provide EMV and will also include Heartland Secure. Heartland Secure is comprised of single-use tokenization, end-to-end encryption (E3), and EMV. With this solution, card data is never passed through the POS system. It is encrypted at the terminal and communicated directly to Heartland where it is decrypted for processing. A token is returned instead of card data.
Fred Emery: Will the change allow campuses to be out-of-scope for acceptance at their Heartland POS terminals?
Joe Rogers: Using a separate semi-integrated terminal does take the OneCard POS out-of-scope since the data does not flow through the POS but rather communicates directly to Heartland.
Fred Emery: Will this include all of the elements of Heartland Secure?
Joe Rogers: Yes. We also back our technology with the industry’s only credit/debit card information breach warranty.
Fred Emery: Is this technology available today?
Joe Rogers: Yes. Heartland Secure has been in use for quite some time and the use of these additional security methods will be available with OneCard in the third quarter of 2015.