VeriTrans Collaborates on a PCI P2PE Solution that lets Phone and Mail-order Businesses Retain no Credit Card Information

VeriTrans Inc. (HQ: Tokyo; Representative Director and President: Hiroshi Shino; VeriTrans), a subsidiary of Digital Garage, Inc. (TSE first section: 4819; HQ: Tokyo; Representative Director, President Executive Officer and Group CEO: Kaoru Hayashi; DG) in the payment business, is collaborating with REMISE Corporation (HQ: Nagano; President: Kazuyuki Toda; REMISE), a company in the payment business. This collaboration starts in September 2018, with a new function added to VeriTrans’ credit card payment security solutions.

The new function will enable E-Commerce and mail-order business operators to enter consumers’ credit card information in their own networks from orders received via telephone, fax, postcards, and other methods. It employs an encryption security standard called “PCI P2PE”_*1.

■ Background and methods for safe payments
The amended Installment Sales Act, which was enacted in June 2018, asks all credit card merchants to properly manage credit card information and take measures to prevent their wrongful usage. The Implementation Plan for Enhancing Security Measures in Credit Card Transactions_*2 (Implementation Plan), the guiding principle to this end, asks business operators engaged in non-face-to-face sales (such as E-Commerce and mail-order sales) to conform with the non-retention of credit card information (credit card information is not passed through, processed, or stored on the business operator’s environment, such as networks or equipment), or to introduce PCI DSS_*3, an international security standard.

Looking at merchants that receive orders via telephone, fax, or postcards in the E-Commerce, TV/catalog sales, travel application, and other fields, operators often receive consumer credit card information via the telephone or a written document and enter it in work computers for payment processing. The Implementation Plan calls for the same countermeasures in this case, and defines three types of specific security measures:

1. External methods using dedicated payment terminals of a security level equivalent to CCT_*4 or higher
2. External methods using tablet devices
・Payment processing using card payment functions in a management display provided by a payment agency
・Payment processing via a merchant E-commerce website that retains no credit card information
3. Internal methods employing PCI P2PE-certified solutions

■ Outline of this solution
VeriTrans is providing its Internal PCI P2PE Solution, which conforms to item number three listed above, in collaboration with REMISE, a certification company. In this solution, information is encrypted and transmitted between the SREDKey_*5 (REMISE’s numeric keypad for entering credit card information) and REMISE’s and VeriTrans’ payment centers, and the payment is processed.

The business operator employee enters the credit card information in the numeric keypad, where it is encrypted and sent to REMISE’s payment server. The encrypted data is decrypted on the server, and then tokenized on VeriTrans’ payment server before being sent to the business operator’s server. In this way, an environment is created for payment processing using tokens between the business operator and VeriTrans, and absolutely no credit card information is handled on the business operator’s network.

【Data collaboration process】

The transmission processing is fully encrypted. Credit card information is not stored on, processed on, or passed through the business operator’s system or network, even if the card payment processing is conducted via the business operator’s order management system or work computers. Secure payments can be completed without making major changes to existing business operation processes.

This solution can be introduced with no need for system improvements at merchants that have already implemented VeriTrans4G Token Payment, VeriTrans’ payment solution. The dedicated numeric keypad has a low usage fee to keep down installation and operation costs.

■ VeriTrans’ solution for merchants’ non-retention of credit card information from phone, fax, or postcard orders
VeriTrans launched IVR Payment Solution, which retains no credit card information and can be used for credit card payments via automated voice responses rather than operators, to merchants accepting phone orders in 2012. It also offers two types of external-method solutions and an externally installed tablet device service in collaboration with PayTG, utilizing CCT-level devices provided by LINK, INC., to mail- and phone-order merchants.

This service expansion creates a group of solutions meeting all countermeasures required by the government of business operators that take mail and phone orders. Merchants that have concluded contracts with VeriTrans can choose among the four types of services according to their business structures, processes, etc.

VeriTrans will continue striving to actualize a cashless society, and support the safe transactions and security measures promoted by the government, as a company offering online payment systems that have become social infrastructure.

_{*1: PCI P2PE: A security standard for point-to-point encryption (P2PE) in which card information read by the merchant’s POI device (device for reading card data) is promptly encrypted, and the card information is protected until it arrives at the safe decryption environment.
*2: Implementation Plan for Enhancing Security Measures in Credit Card Transactions -2018-
　　https://www.j-credit.or.jp/download/news20180301l2.pdf
*3: PCI DSS: Stands for “Payment Card Industry Data Security Standard.” A global security standard for card information protection jointly formulated by international credit card brands such as Visa and JCB.
*4: CCT: Stands for “credit card terminal.” A terminal that makes credit inquiries to confirm card validity.
*5: SREDKey: A device using the PCI PTS security standard asked of payment terminals for PIN entering, meeting the SRED security requirement for immediately encrypting credit card information inside the terminal used to read it.}

【About VeriTrans 4G】 https://www.veritrans.co.jp/payment/
A next-generation, comprehensive payment solution that supports basic payments (credit cards, convenience store, and bank payments) in addition to the industry’s largest number of other methods such as electronic money, points, telecommunications carrier payments, ID payments, Union Pay, Alipay, and PayPal. In addition to this wide range of payment options, it also offers token and link-type payments (which have advanced to have better security and user friendliness), as well as highly accurate fraud detection solutions that are standard in payment systems. In this and other ways, these solutions are fully complaint with the non-retention of credit card information, and measures to prevent fraud in E-Commerce, which are asked of E-Commerce business operators in the Implementation Plan.

【About VeriTrans】 https://www.veritrans.co.jp/
A payment provider that carries out online payment initiatives for the Digital Garage Group. Recently VeriTrans has also provided face-to-face payment services, including barcode payments and POS payment solutions. The DG Group is one of Japan’s largest online payment providers. As a leader in basic social infrastructure, VeriTrans will work with DG Group member econtext to offer advice to government institutions and the credit card industry, along with speedy service that meets the needs generated by trends in business and policy. Such efforts will support the expansion of convenient solutions, along with a safe and secure environment, as required by businesses and consumers, and also contribute to creating a cashless society.

【About REMISE】 http://www.remise.jp/
REMISE launched its E-Commerce payment agency services in 2001. Recently, it proposes and offers comprehensive payment solutions for varied needs and demographics, including face-to-face payment services, marketing, and security consulting.