CardSecure® is the CardPointe platform's P2PE-validated encryption and tokenization solution, and is at the center of all integrated payment solutions. Whether you use a CardPointe Integrated Payments solution to securely accept card-present transactions with your integrated point-of-sale, or the Hosted iFrame Tokenizer or CardSecure API to extend secure eCommerce payments to online customers, CardSecure allows you to accept sensitive payment data securely, with reduced PCI scope.
CardSecure's patented P2PE-validated tokenization solution offers numerous secure and convenient methods for tokenizing sensitive data. A token is a hashed alphanumeric representation of sensitive data such as a credit card account number. These tokens can only be used with the CardPointe Gateway API for transaction processing.
When you submit a tokenization request, CardSecure encrypts and stores the sensitive data in a secure vault, and generates a unique token that corresponds to and represents the stored data. For example, if you capture and tokenize payment card data, the payment card number and associated track and EMV data (for card-present transactions) is stored in the database. You then use the token to represent this payment card in a transaction.
CardSecure stores and purges sensitive data in accordance with Payment Card Industry (PCI) compliance standards. However, even after a token's sensitive data has been purged, CardSecure retains a hash of the clear card number, allowing the same token to be generated any time a given card is tokenized.
Consider the following information when handling tokens:
The CardPointe Mobile SDKs seamlessly connect your iOS and Android applications to CardSecure for tokenization of customer card data. Tokens and other associated payment details are then retrieved by your server and securely transmitted to the CardPointe Gateway for authorization, using a server-side REST client.
Integrating the CardPointe mobile SDKs can help reduce your PCI scope. The SDKs provide direct tokenization methods that pass your customers' sensitive card data to CardSecure without ever sending the clear or unencrypted card data to your server.
The token returned from this process is not considered card data; therefore, as the token moves between your client application and your application server, the token does not bring any of those systems or data paths into scope for PCI security controls.
See the following guides for more information and integration details:
CardSecure allows merchants the flexibility to accept their own proprietary, closed loop gift cards for customer purchases. If you want to include closed loop gift cards in your accepted payment methods, review the following information to get started.
Before you begin, check with your gift card printer to verify that your gift cards meet the following requirements:
The following example illustrates track data that meets these requirements:
6765109987992410=991270225?
If you currently use gift cards that do not meet all of these requirements, or if they are in a different BIN range, you will not be able to accept those gift cards.
Before you can begin to accept gift card payments, you must provide the BIN range used to identify your gift cards. We use this information to whitelist the specific BIN range, allowing CardSecure to return unencrypted clear text data to your point-of-sale software.
Contact Support to get started.
The BIN range that you provide must be unique, and must not overlap any other BIN range or conflict with any card brand BINs.
When a customer purchases a gift card, the merchant initiates an authorization request using the customer's payment card. The authorization response data can then be used to update the merchant's ledger to include the transaction amount, the total amount added to the gift card, the quantity of gift cards, issued gift card numbers, and any additional identifying information for the transaction.
When a customer presents a gift card for payment, the payment request process is similar to accepting a credit or debit card payment.
Depending on your business needs, you can use a CardPointe Integrated Terminal to accept card-present gift card payments in person, or you can integrate CardSecure to allow customers to use gift cards to make payments on your website or mobile application.
If you are using a CardPointe Integrated Terminal to process payments, you can use a readCard or readManual request to initiate a gift card transaction. When the gift card is swiped or manually entered at a terminal, the terminal matches the BIN with the range of BINs for your gift cards and returns an unencrypted clear text card number, which your point-of-sale software uses to complete the transaction.
If your software directly integrates CardSecure, using the CardSecure API, Hosted iFrame Tokenizer, or CardPointe Mobile SDKs, your software passes the gift card number to CardSecure, which matches the BIN with the whitelisted BIN range and returns the unencrypted card number, which your software uses to complete the transaction.
Notes:
Because these gift card transactions take place within a closed loop, no settlement or funding data is passed to an issuing bank. Instead, it is the merchant or partner's responsibility to manage gift card transaction and funding data. By integrating the CardPointe Gateway API and CardPointe Integrated Terminal API, your software can retrieve the data necessary for you to manage your general ledger, and to ensure that funds are transferred from the gift card to the merchant.
This guide provides information for tokenizing data gathered using an interactive voice response (IVR) telephone system.
Interactive voice response (IVR) systems are used to capture payment and personal information from customers using a telephone keypad or voice recognition. If your business uses an IVR system to capture sensitive data, you can integrate the CardSecure API with your solution to securely encrypt and tokenize the data and the CardPointe Gateway API to use the token to process a payment.
To tokenize data captured from an IVR system, your integration must meet the following requirements:
"ecomind" : "T" to specify that the payment source is "telephone."The following workflow describes a typical process for capturing cardholder data with an IVR system, tokenizing the data, and processing a payment: