
BBS Payment Solutions

PA-DSS Implementation Guide Information for Integrators

BBS Denmark A/S

Author: Torben Ellgaard
Revision: A
Date: 2010-04-16

Product Scope

This document covers solutions and products where the Payment Application is equivalent to applications delivered by Sagem Denmark A/S in the past. These applications are named:

• Sagem PS (PSAM solution)
• Sagem GPA (other solutions).

About this Document

1.1 Scope and Validity

This document provides information for integrators of the BBS Denmark Payment Application. The guidelines given in this document must be observed in order not to hinder PCI DSS compliance of the completed implementation.

Document release date: 2010-04-16

Covering the following versions of PCI requirements:

• PCI DSS version 1.2, launched October 1, 2008
• PA-DSS version 1.2, launched October 1, 2008

The newest release of PCI requirements can be found at: https://www.pcisecuritystandards.org

This document is applicable to the following Payment Application versions listed as PA-DSS compliant on the BBS Denmark website: http://www.bbs.dk/pa-dss

This document will be reviewed at least once a year or when new versions of the requirements or the application are released. Please contact BBS Denmark if this document appears to be out of date or doesn’t cover the version you are using.

1.2 Abbreviations

API: Application Programming Interface
Flexi: Indoor attended payment terminal offered by Sagem Denmark
GPA: Generic Payment Application – framework used by Sagem Denmark to create Payment Applications for various acquirers (except for PBS)
PA-QSA: Payment Application QSA – authorised by PCI to perform PA-DSS evaluations of Payment Applications
PAN: Primary Account Number – the cardholder's account number with the card issuer
PCI: Payment Card Industry – Organisation founded by Visa, MasterCard, JCB, Discover Card and American Express
PBS
PCI DSS: Data Security Standard, PCI requirements for protecting cardholder data
PCI PA-DSS: Payment Application Data Security Standard, PCI requirements for the Payment Application related to PCI DSS
PCI SSC: Security Standards Council – committee in PCI managing the requirements
PED: PIN Entry Device – the secure device used for PIN entry and encryption
PIN: Personal Identification Number
PS: Payment Solution – the Payment Application used with the PBS PSAM concept (PBS)
PSAM: Payment Security Application Module – a small SIM-like chipcard used by the Danish acquirer PBS
PTS: PIN Terminal Security – new PCI term for PED
QSA: Qualified Security Assessor – authorised by PCI to perform PCI DSS evaluations
SSH: Secure Shell – protocol for authenticated and encrypted login
UCM: Universal Controller Module – a HW platform for the Payment Application in unattended solutions

1.3 References

[1] Payment Card Industry (PCI), Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, October 2008
[2] Payment Card Industry (PCI), Payment Application Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, October 2008
[3] Installation “readme” for Danish Payment Application (PS). File: Install_eng.txt
[4] Installation of GPA based Payment Application. File: GPA-Demo Installation and Usage verB.pdf
[5] Programmers Guide for Integrators on how to use the Java Payment API. File: Programmers guide for integrators.pdf
[6] JavaDoc with specification of methods in the Payment API (html-document). File: interfaces.zip
[7] COM Bridge for integration in Windows environment. File: Sagem ComBridge Specification SP-414-0179 Rev A 090810.pdf
[8] Serial Interface Layer – Protocol description. File: Serial interface34_External_.pdf

1.4 Revision Log

Date | Changed by | Description of change | Revision
2010-04-16 | TE | Release of document after PA-DSS approval of the applications | A
2009-11-06 | TE | Document name changed to PA-DSS Implementation Guide. Appendix on wipe tool added. Related correction of paragraph 4.3.1. Added Chapter 7 on Key Management and key replacement. | GG
2009-10-29 | TE | Submitted to QSA | GF
2009-10-15 | TE | Internal review | GE
2009-10-08 | TE | Internal review | GD
2009-07-14 | TE | Internal review | GC
2009-07-10 | TE | Second review | GB
2009-05-20 | TE | Draft release for review | GA

Disclaimer

The information contained in this document is correct to the best of our knowledge.

Information given in this document has been evaluated by a PA-QSA as part of the PA-DSS process. Statements on processes outside the payment application are given as guidelines; it is recommended that they are verified by a QSA when implementing solutions to achieve PCI DSS compliance.