
P2PE Instruction Manual for PCI P2PE v2.0 September 2019 © 2019 PIM Page 1

P2PE Instruction Manual

1. P2PE Solution Information and Solution Provider Contact Details

1.1 P2PE Solution Information

Solution name: Payment Fusion

Solution reference number per PCI SSC website: 2017-01112.001

1.2 Solution Provider Contact Information

Company name: Axia Technologies, Inc dba AxiaMed

Company address: 4183 State Street Santa Barbara, CA 93110

Company URL: www.axiamed.com

Contact name: AxiaMed Technical Support

Contact phone number: 855-376-2942

Contact e-mail address: [email protected]

P2PE and PCI DSS

Merchants using this P2PE Solution may be required to validate PCI DSS compliance and should be aware of their applicable PCI DSS requirements. Merchants should contact their acquirer or payment brands to determine their PCI DSS validation requirements.

2. Approved POI Devices, Applications/Software, and the Merchant Inventory

2.1 POI Device Details

The following information lists the details of the PCI-approved POI devices approved for use in this P2PE solution. Note that all POI device information can be verified by visiting: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

Terminal Model Number | Terminal Name | Hardware Version Number | Firmware Version Number | PCI PTS Approval Number
iPP320 | Ingenico iPP Series | iPP3xx-21Txxxxx | 820305 V11.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-31Txxxxx | 820305 V11.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-41Txxxxx | 820305 V11.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-51Txxxxx | 820305 V11.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-21Txxxxx | 820180 V01.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-31Txxxxx | 820180 V01.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-41Txxxxx | 820180 V01.xx | 4-30176
iPP320 | Ingenico iPP Series | iPP3xx-51Txxxxx | 820180 V01.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-21Txxxxx | 820305 V11.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-31Txxxxx | 820305 V11.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-41Txxxxx | 820305 V11.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-51Txxxxx | 820305 V11.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-21Txxxxx | 820180 V01.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-31Txxxxx | 820180 V01.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-41Txxxxx | 820180 V01.xx | 4-30176
iPP350 | Ingenico iPP Series | iPP3xx-51Txxxxx | 820180 V01.xx | 4-30176
iCT220 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820305 V02.xx | 4-20196
iCT220 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820375 V01.xx | 4-20196
iCT220 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820365 V02.xx | 4-20196
iCT220 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820528 V02.x | 4-20196
iCT250 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820305 V02.xx | 4-20196
iCT250 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820375 V01.xx | 4-20196
iCT250 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820365 V02.xx | 4-20196
iCT250 | Ingenico iCT Series | iCT2xx-11Txxxxx | 820528 V02.x | 4-20196
iSC250 | Ingenico iSC Touch Series | iSC2xx-21Txxxxx | 820518 V12.xx | 4-30132
iSC250 | Ingenico iSC Touch Series | iSC2xx-21Txxxxx | 820528 V02.xx | 4-30132
iSC250 | Ingenico iSC Touch Series | iSC2xx-31Txxxxx | 820518 V12.xx | 4-30132
iSC250 | Ingenico iSC Touch Series | iSC2xx-31Txxxxx | 820528 V02.xx | 4-30132
iSC480 | Ingenico iSC Series | ISC4xx-01Txxxxx | 820518 V11.xx | 4-30125
iSC480 | Ingenico iSC Series | ISC4xx-01Txxxxx | 820518 V12.xx | 4-30125
iSC480 | Ingenico iSC Series | ISC4xx-01Txxxxx | 820528 V02.xx | 4-30125
iSC480 | Ingenico iSC Series | ISC4xx-11Txxxxx | 820518 V11.xx | 4-30125
iSC480 | Ingenico iSC Series | ISC4xx-11Txxxxx | 820518 V12.xx | 4-30125
iSC480 | Ingenico iSC Series | ISC4xx-11Txxxxx | 820528 V02.xx | 4-30125
iWL250 | Ingenico iWL Series | IWL2xx-01Txxxxx | 820365 V02.xx | 4-20181
iWL250 | Ingenico iWL Series | IWL2xx-01Txxxxx | 820305 V01.xx | 4-20181
iWL250 | Ingenico iWL Series | IWL2xx-01Txxxxx | 820375 V01.xx | 4-20181
iWL250 | Ingenico iWL Series | IWL2xx-01Txxxxx | 820528 V02.xx | 4-20181
iSMP | Ingenico iSMP Series | IMP6xx-01Txxxxx | 820305v11.xx | 4-30220
iSMP | Ingenico iSMP Series | IMP6xx-11Txxxxx | 820305v11.xx | 4-30220
iSMP | Ingenico iSMP Series | IMP6xx-02Txxxxx | 820305v11.xx | 4-30220
iSMP | Ingenico iSMP Series | IMP6xx-12Txxxxx | 820305v11.xx | 4-30220
A60 | PAX | A60-xxx-Rx5-0xxx (CTLS) | 25.00.xxx | 4-30320
A60 | PAX | A60-xxx-0x5-0xxx (No CTLS) | 25.00.xxx | 4-30320
A920 | PAX | A920-xxx-Rx5-0xxx (CTLS) | 25.00.xxx | 4-40215
A920 | PAX | A920-xxx-Rx5-1xxx (CTLS) | 25.00.xxx | 4-40215
A920 | PAX | A920-xxx-0x5-0xxx (Non CTLS) | 25.00.xxx | 4-40215
A920 | PAX | A920-xxx-0x5-1xxx (Non CTLS) | 25.00.xxx | 4-40215
A80 | PAX | A60-xxx-Rx5-0xxx (CTLS) | 25.00.xxx | 4-30301
A80 | PAX | A80-xxx-0x5-0xxx (Non CTLS) | 25.00.xxx | 4-30301
PAX Encryption Management Services | PAX | N/A | N/A | 2019-00841.002


2.2 POI Software/Application Details

The following information lists the details of all software/applications (both P2PE applications and P2PE non-payment software) on POI devices used in this P2PE solution.

Note that all applications with access to clear-text account data must be reviewed according to Domain 2 and are included in the P2PE solution listing. These applications may also be optionally included in the PCI P2PE list of Validated P2PE Applications at vendor or solution provider discretion.

Application vendor, name and version # | POI device vendor | POI device model name(s) and number | POI Device Hardware & Firmware Version # | Is application PCI listed? (Y/N) | Does application have access to clear-text account data (Y/N)
Payment Fusion | Ingenico and PAX | All Devices | All Devices | No | Yes

Please note: The application BroadPOS P2PE V1.00.xx reference # 2018-00841.001 is provided by PAX Technology Details Inc. as part of the encryption services component provider agreement.

2.3 POI Inventory & Monitoring

§ All POI devices must be documented via inventory control and monitoring procedures, including device status (deployed, awaiting deployment, undergoing repair or otherwise not in use, or in transit).
§ This inventory must be performed annually, at a minimum.
§ Any variances in inventory, including missing or substituted POI devices, must be reported to Axia via the contact information in Section 1.2 above.
§ Sample inventory table below is for illustrative purposes only. The actual inventory should be captured and maintained by the merchant in an external document.

The Sample Inventory Table below includes the minimum required information that must be maintained for all POI devices that are within your purview. Additional details may be added as necessary. Details for where to locate the required specifics are described below:

• “Device vendor”: Ingenico or PAX
• “Device model name(s) and number”: This information is printed on the sticker on the bottom of each POI device (i.e. iPP320 or A80 for PAX)
• “Device Location”: Physical address of the location of the terminal
• “Device Status”: This lists the shipping/delivery status of each device (i.e. Shipped to Location, Arrived at Location, etc.). This includes the tracking information from the shipping vendor as well.
• “Serial Number or other Unique Identifier”: The serial number can be found on the sticker on the bottom of the device, next to the Model name and number.
• The merchant is responsible for adhering to their PCI DSS obligations of maintaining an accurate list of POI devices in their environment and updating the list as and when required.

Sample Inventory Table

Device vendor | Device model name(s) and number | Device Location | Device Status | Serial Number or other Unique Identifier


Any terminal that will be decommissioned and no longer used or planned on being used by the merchant needs to be disabled. The merchant needs to contact the appropriate support representative in order to disable the terminal(s).

3. POI Device Installation Instructions

Do not connect non-approved cardholder data capture devices.

The P2PE solution is approved to include specific PCI-approved POI devices. Only the devices listed in the table in Section 2.1 above are allowed for cardholder data capture.

If a merchant’s PCI-approved POI device is connected to a data capture mechanism that is not PCI approved, (for example, if a PCI-approved SCR was connected to a keypad that was not PCI-approved):

§ The use of such mechanisms to collect PCI payment-card data could mean that more PCI DSS requirements are now applicable for the merchant.

§ Only P2PE approved capture mechanisms as designated on PCI’s list of Validated P2PE Solutions and in the PIM can be used.

Do not change or attempt to change device configurations or settings.

Changing or attempting to change device configurations or settings will invalidate the PCI-approved P2PE solution in its entirety. Examples include, but are not limited to:

§ Attempting to enable any device interfaces or data-capture mechanisms that were disabled on the P2PE solution POI device
§ Attempting to alter security configurations or authentication controls
§ Physically opening the device
§ Attempting to install applications onto the device

3.1 Installation and connection instructions

Terminal Instructions

Upon receiving a terminal, the following tasks are to be completed by the merchant:

• Inspect the device package before opening it and verify that it has not been tampered with. If it has been tampered with, do not use the device and return it.
• Ensure that the serial number of the device matches the serial number on the box.
• Follow the instructions included with the terminal to connect it to power and your network.
• If using wireless connectivity, connect the terminal to the desired wireless network using the wireless settings menu on the terminal.
• Verify that the name on the terminal screen is the correct name before running the first transaction.

USB Ethernet Adaptor Instructions

Note: The USB Ethernet Adaptor facilitates communications between the PC and credit card terminal. It does not provide any access to unencrypted PAN or SAD, which is encrypted within the terminal.

Upon receiving a USB Ethernet Adaptor, the following tasks are to be completed by the merchant:

• Inspect the device package before opening it and verify that it has not been tampered with. If it has been tampered with, do not use the device and return it.
• Ensure that the serial number of the device matches the serial number on the package.
• Plug USB Ethernet Adaptor into workstation.
• Go to Control Panel > Network and Sharing Center > Change Adapter Settings
• Highlight both connections (Local Area Connection and Local Area Connection 2) > Right Click > Bridge Connections
• Wait until the Bridge is established.
• Right click Local Area Connection 2 > Disable
• Right click Local Area Connection > Disable
• Reboot workstation
• Log back into workstation
• Right click Local Area Connection > Enable
• Right click Local Area Connection 2 > Enable
• Reconnect the Ethernet cable to the USB adapter
• Reboot credit card terminal

Note: Only PCI-approved POI devices listed in the PIM are allowed for use in the P2PE solution for account data capture.

Physically secure POI devices in your possession, including devices:

§ Awaiting deployment
§ Undergoing repair or otherwise not in use
§ Waiting transport between sites/locations.

3.2 Guidance for selecting appropriate locations for deployed devices

Devices should be kept in a secure area that is not accessible to unauthorized personnel. Access to these devices should be limited to the minimum necessary access in order for the individual to complete the task assigned to them involving the device(s). Devices must be installed in a location that can be easily observed and monitored by an authorized individual, as well as in a location that will reduce the possibility of it being compromised. For example, the area should be well lit and easily accessible in order to prevent unauthorized removal or substitution of the device. If security cameras are installed at the location, devices should be located and/or stored in a location that is clearly visible by the cameras. It is recommended that authorized personnel confirm all devices are located in their designated areas as part of their daily checklists.

3.3 Guidance for physically securing deployed devices to prevent unauthorized removal or substitution

In order to reduce the possibility of unauthorized removal or substitution of devices, it is recommended that non-mobile devices be physically secured to the countertop or location that the device will be used and maintained so it cannot be easily removed from its location. Devices should only be moved in the event of necessary repairs or replacements. If a mobile/wireless device is being used, it is recommended that the device be stored in a physically secure and locked room when not in use. Access to this locked room should only be given to authorized individuals. Responsibility for protecting the device should be assigned to the individual that is using it. It is recommended to maintain a log of any wireless devices that are being checked in and checked out of a secure storage room.


4. POI Device Transit

4.1 Instructions for securing POI devices intended for, and during, transit

Any time a merchant places a POI device in transit (i.e. shipping to another location or returning it to the vendor), the device must be shipped using a trackable method such as a private courier service or a public shipping company that provides shipping statuses. The merchant must have access to this tracking information and should receive confirmation once the device has arrived at its destination. The information below provides recommendations for shipping methods.

Recommended shipping couriers: FedEx, UPS

Company address: 4183 State Street Santa Barbara, CA 93110

Company URL: www.axiamed.com

Contact name: AxiaMed Deployment

Contact phone number: 855-376-2942 x2

Contact e-mail address: [email protected]

Notification details: When shipping devices back to AxiaMed, please contact AxiaMed Technical Support in order to initiate the return process.

4.2 Instructions for ensuring POI devices originate from, and are only shipped to, trusted sites/locations

Merchant must only send or receive devices to/from trusted sites/locations. Authorized sites and contact information are provided below.

Authorized sites to send devices: AxiaMed Corporate Office

Company address: 4183 State Street Santa Barbara, CA 93110

Company URL: www.axiamed.com

Contact name: AxiaMed Technical Support

Contact phone number: 855-376-2942 x2

Contact e-mail address: [email protected]

Procedures to confirm the device is authorized:

If the “from” address is not recognized by merchant as a trusted source, or is not from one of the authorized sites listed above, merchant should not use device until source is confirmed as a trusted location. Merchant should contact source to determine if they are a trusted location.

Procedures if device is received from untrusted or unknown source location:

If device is received from an untrusted source, or the identity of the source cannot be confirmed, merchant must return device to the sender. Merchant should NOT use device or ship to anyone other than the sender.


5. POI Device Tamper Monitoring and Skimming Prevention

5.1 Instructions for physically inspecting POI devices and preventing skimming, including instructions and contact details for reporting any suspicious activity

Additional guidance for skimming prevention on POI terminals can be found in the document entitled Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org.

How to inspect a device: Physical inspections can be performed by visually reviewing the device and looking for the addition of any labels or materials that could be used to hide any evidence of tampering on the device.

What to look for while inspecting a PAX A60 device:

Each terminal should be inspected to ensure that there are no missing or altered seals, manufacturer barcode labels, or screws; no extraneous wiring; no suspicious objects in or around the IC card slot; no incorrect or redundant keyboard overlays; and no holes in the device.

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal]

What to look for while inspecting a PAX A920 device:

Each terminal should be inspected to ensure that there are no missing or altered seals, manufacturer barcode labels, or screws; no extraneous wiring; no suspicious objects in or around the IC card slot; no incorrect or redundant keyboard overlays; and no holes in the device.

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal]

What to look for while inspecting a PAX A80 device:

Each terminal should be inspected to ensure that there are no missing or altered seals, manufacturer barcode labels, or screws; no extraneous wiring; no suspicious objects in or around the IC card slot; no incorrect or redundant keyboard overlays; and no holes in the device.

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal]

What to look for while inspecting an iPP3xx & iWL2xx device:

Each terminal should be inspected to ensure that there are no missing or altered seals or screws, extraneous wiring, or holes in the device. An additional method of inspection can include weighing devices upon receipt to confirm items have not been added to the device itself that would increase its weight. It is also recommended to confirm that the SIM card and/or contactless cards are located in the back panel of each device. Devices should look like the photos below:

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal, Back of Terminal (without cover)]

*All devices have contactless SIM cards

What to look for while inspecting an iSCxxx:

Each terminal should be inspected to ensure that there are no missing or altered seals or screws, extraneous wiring, or holes in the device. An additional method of inspection can include weighing devices upon receipt to confirm items have not been added to the device itself that would increase its weight. It is also recommended to confirm that the SIM card and/or contactless cards are located in the back panel of each device. Devices should look like the photos below:

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal, Back of Terminal (without cover)]

*All devices have contactless SIM cards

What to look for while inspecting an iCT2xx:

Each terminal should be inspected to ensure that there are no missing or altered seals or screws, extraneous wiring, or holes in the device. An additional method of inspection can include weighing devices upon receipt to confirm items have not been added to the device itself that would increase its weight. It is also recommended to confirm that the SIM card and/or contactless cards are located in the back panel of each device. Devices should look like the photos below:

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal, Back of Terminal (without cover)]

*All devices have contactless SIM cards

What to look for while inspecting an iSMP:

Each terminal should be inspected to ensure that there are no missing or altered seals or screws, extraneous wiring, or holes in the device. An additional method of inspection can include weighing devices upon receipt to confirm items have not been added to the device itself that would increase its weight. It is also recommended to confirm that the SIM card and/or contactless cards are located in the back panel of each device. Devices should look like the photos below:

[Photos: Front of Terminal, Left side of Terminal, Right side of Terminal, Back of Terminal (two photos)]

How to monitor devices located in a remote or unattended location:

If a device is located in a remote or unattended location, video surveillance is recommended and tapes should be reviewed frequently to confirm unauthorized personnel have not entered the location or tampered with the devices. Routine check-ups should also be performed by authorized personnel to confirm devices have not been removed or tampered with. Additionally, Payment Fusion Terminal Management Console can be used to remotely monitor devices.

How to troubleshoot devices:

In order to troubleshoot a device that is not functioning properly, there are a couple of steps that can be taken. The main reason a device is not functioning is that it cannot communicate with the Payment Fusion cloud platform. The following instructions pertain to all models of supported terminals.

Step 1. Verify Network Configurations

1. Press “Yellow 47” on terminal to view terminal network settings. Confirm whether using static IP or DHCP. (Figure 1)

2. Press “Test” (F3) and verify that the terminal is able to communicate with the various Payment Fusion services. Press “Run test (F1)” and confirm that all boxes are successfully checked. (Figure 2)

[Figure 1]

[Figure 2]

What to look for while inspecting a USB Ethernet Adaptor:

Each adaptor should be inspected to ensure that there are no missing or altered seals, extraneous wiring, or holes in the device. An additional method of inspection can include weighing devices upon receipt to confirm items have not been added to the device itself that would increase its weight. Devices should look like the photo below:

[Photo: USB Ethernet Adaptor]

5.2 Instructions for responding to evidence of POI device tampering

What to do if suspicious activity is detected or devices are missing or tampered with:

If you suspect that a device has been tampered with, please contact AxiaMed Support immediately to request that we deactivate the terminal. Do not install or use the device until AxiaMed has confirmed the device has not been compromised. If device is determined as being compromised, AxiaMed will process a return/exchange for the compromised device.

Company address for returning device or reporting suspicious activity:

4183 State Street Santa Barbara, CA 93110

Company URL: www.axiamed.com

Contact name: AxiaMed Technical Support

Contact phone number: 855-376-2942 x2

Contact e-mail address: [email protected]

5.3 Instructions for confirming device and packaging were not tampered with, and for establishing secure, confirmed communications with the solution provider

All devices that are shipped to you are shipped using tamper evident tape on the exterior of the package. If it appears that this tape has been removed, cut open, or tampered with in any way, please use the above methods listed in Section 5.2 to alert AxiaMed Technical Support.

5.4 Instructions for confirming the business need for, and identities of, any third-party personnel claiming to be support or repair personnel, prior to granting those personnel access to POI devices.

AxiaMed will always contact the merchant before sending any AxiaMed employee or designated agent of the company to a merchant’s location to inspect, support / troubleshoot or remove devices. If a merchant receives a communication from someone claiming to be an AxiaMed employee or designated agent of the company and the merchant has doubts as to the validity of that representative, the merchant should contact AxiaMed Technical Support via the contact information in Section 1.2 above. The AxiaMed Technical Support team member will be able to confirm the validity of the representative who requested access to the merchant and their POI devices. If the representative cannot be confirmed, then access to the merchant’s facility and POI devices should be denied by the merchant.

6. Device Encryption Issues

6.1 Instructions for responding to POI device encryption failures

The Payment Fusion Terminal Application uses the Ingenico OnGuard BPS encryption in order to encrypt all credit card transactions that are processed through the Ingenico terminal. For PAX devices, the Payment Fusion Terminal Application uses symmetric and asymmetric keys for encryption. Symmetric keys are used for online PIN encryption. Asymmetric keys are used for offline PIN encryption, firmware authentication and application authentication.

The Payment Fusion Management Console will generate an alert if there is a device encryption failure. This alert will then be sent to an AxiaMed technician, the device will be disabled and an RMA will be issued. In the event that a merchant has not been contacted and the terminal has been disabled due to device encryption failures, the merchant should contact AxiaMed Technical Support; see section 7.1.

6.2 Instructions for formally requesting of the P2PE solution provider that P2PE encryption of account data be stopped

AxiaMed does not offer an option to stop the encryption of account data. If you have any concerns, please contact AxiaMed Technical Support.


7. POI Device Troubleshooting

7.1 Instructions for troubleshooting a POI device

For assistance with troubleshooting, please contact us via email or phone:

Contact name: AxiaMed Technical Support

Contact phone number: 855-376-2942 x2

Contact e-mail address: [email protected]

Guidance for troubleshooting a POI device: https://www.axiamed.com/terminalconfiguration

8. Additional Solution Provider Information

All pertinent information for the management of POI devices has been previously stated in this document.