A conversation with Heartland OneCard's director of product management
EMV and the impending liability shift remain a topic of discussion in higher ed. To help shed some light on the subject, Heartland’s Fred Emery recently sat down with Joe Rogers, Heartland OneCard director of product management, to talk EMV and the considerations that go along with the technology’s impending arrival on campus.
As Emery explains in his column, for a number of Heartland OneCard campuses, accepting standard payment types, like credit and debit cards, via the OneCard is a vital, core function. These transactions can include everything from payments at a POS terminal to online deposits. With the acceptance of these standard payment types come additional liability and system security concerns, so Emery posed the following questions:
As the Director of Product Management for OneCard, you work with systems as they relate to Payment Application-Data Security Standards (PA-DSS). Can you tell me a little more about what Heartland does to comply with PA-DSS for OneCard and what training you have gone through?
Rogers: The OneCard system goes through a PA-DSS certification every year. This certification is not required but it helps our clients support their Payment Card Industry (PCI) compliance. Every three years, or when credit card processing changes are made to an application, it must be audited by a Qualified Security Assessor for re-certification. I oversee all audits that the OneCard software has undergone and have had training and received certification for Internal Security Assessor from the PCI Security Council. Due to our rigorous adherence to the standards, we are able to provide OneCard as a Validated Payment Application.
It seems like many campuses are concerned about security as it relates to processing credit cards. What has Heartland done to enhance security with OneCard for acceptance of credit cards?
Rogers: The OneCard software contains elements to allow adherence to PCI standards such as login time outs and required password changes. OneCard also takes advantage of Secure Submit processing through Heartland. Secure Submit takes the OneWeb solution out-of-scope for using tokenization and provides a more secure environment for processing transactions.
So what’s all the talk about EMV? Many campuses are asking about preparing for EMV.
Rogers: EMV stands for Europay, Mastercard, and Visa. EMV is a global standard for chip cards used for credit or debit payments. You are starting to see these cards issued in the US; however, they have been issued in other countries for quite some time. In the past, the card issuer was liable for all fraudulent credit card transactions. In October 2015, the liability for fraud will shift to the merchant when a counterfeit chip card is used at a mag stripe terminal that is not capable of accepting the EMV chip. This is not related to a breach. It is referring to individual credit card transactions. This is not a mandate by the Payment Card Industry or the government but will change where the liability will lie. EMV provides a more secure environment than magnetic stripe cards.
For OneCard, what is available to help campuses with EMV acceptance?
Rogers: Heartland will have a solution that will leverage the PAX and Ingenico EMV PIN pad terminals for our OneCard POS terminals. This integration is a semi-integrated PIN (SIP) pad solution. This solution will provide EMV and will also include Heartland Secure. Heartland Secure is comprised of single-use tokenization, end-to-end encryption (E3), and EMV. With this solution, card data is never passed through the POS system. It is encrypted at the terminal and communicated directly to Heartland where it is decrypted for processing. A token is returned instead of card data.
Will the change allow campuses to be out-of-scope for acceptance at their Heartland POS terminals?
Rogers: Using a separate semi-integrated terminal does take the OneCard POS out-of-scope since the data does not flow through the POS but rather communicates directly to Heartland.
Will this include all of the elements of Heartland Secure?
Rogers: Yes. We also back our technology with the industry’s only credit/debit card information breach warranty.
Is this technology available today?
Rogers: Yes. Heartland Secure has been in use for quite some time and the use of these additional security methods will be available with OneCard in the third quarter of 2015.