My interview in “The Paypers” brought up several questions on the technical background of our mPOS solution. Many people in the community want to know the technical and procedural details that generally define every mPOS setup.
So here we go: We start with a brief introduction to our set-up:
As you may know, our PCI-DSS level 1 certified products, i.e. our multi-channel platform-as-a-service, as well as our payment network include the guarantee of pure processing – no politics. You, as a payment provider, freely decide where you want to process transactions to, and maybe also, which ones you want to receive. And even better – you also decide how! Ecommerce, mCommerce, MOTO, mPOS etc. – all in the same cloud, all in the same platform!
Our active-active datacenters in London (both are actively processing transactions and are synchronized in real time) are completely virtualized – e.g. modules, services, transactions, analysis or the complete product offering. Everything is highly available, scalable and completely flexible.
mPOS is one of these flexible modules attached to the platform, opening new channels for our clients to send and/or receive transactions. mPOS is embedded easily into the providers’ existing setup. Further, clients are not bound to any acquirer, bank or hardware manufacturer on a technical level. It remains your decision.
You might ask: Why is that special?
Pose this question to your technical department or the provider you chose to run your mPOS setup with. I am curious to learn their answer.
mPOS – as compared to eCommerce – is complex. For instance, the PCI Council, Visa and Mastercard have already published certifications and guidelines on how they want mobile transactions to be processed. Keywords are: Chip&PIN, Point-to-Point Encryption (P2PE), ADVT and M-TIP.
To adhere to these requirements and certifications, one has to integrate certified PEDs (PIN entry devices) and HSMs (hardware security modules) into the setup. The certifications demand:
a) the secure point-to-point encrypted transmission of cardholder data in the payment process…and…
b) the implementation of multiple processes that ensure P2PE compliance of hardware handling and key management – which also affects the device delivery process on the manufacturer side and the device management processes and technology on the payment provider side.
Now, back to “what do we offer”:
Our HSM setup, based on Futurex HSMs and load balancers, is completely integrated into our cloud payment platform to be used as a module. It is fully redundant, distributed over 3 different locations and – nothing new at PAY.ON – centrally monitored and managed. HSM handling, mPOS processing, and manufacturer processes are already P2PE compliant, and our PCI P2PE certification process is ongoing.
The terminal (PED – PIN entry device) management is standardized to guarantee free choice of the mPOS device you prefer. No lock-in to manufacturer delivery times and rates. Also included is automated key management. We take care of the key handling, beginning with manufacturer assembly tasks, where a unique certificate is irrevocably integrated in the terminals, fixing the relationship of the terminal to the payment provider. After the first boot of the terminals, the keys and terminal management are automatically injected to allow immediate usage of the PEDs. The terminal management application allows payment providers to set floor limits, action codes or black- and whitelists online.
Last but not least:
Our worldwide network to banks and acquirers: We take care of the technical integration, allowing you to send mPOS transactions to the bank or acquirer you prefer and not to the one your “whitelabel” provider suggests. Integration, ADVT and M-TIP certification and other technical parts are handled by us – you can focus on your business.
So, this is how we do it. Please continue to contact us with any further questions. We will be happy to answer them. Follow our blog: more on mPOS as well as other interesting topics will be published soon.