Resource

Encrypted Keypad for Virtual Terminal

SREDKey (secure reading and exchange of data) is an encrypted keypad with an LCD screen and an encrypted MagStripe reader that offers merchants a complete and reliable security solution that meets PCI-PTS certification requirements. The SREDKey ensures all data transactions are protected through secure point-to-point encryption (P2PE), reducing fraud and data compromise risk. These keypads are intended to improve workflow, making it easier for merchants to process card transactions via Cybersource virtual terminals, while also simplifying and improving payment security.

Solutions

  • ID Tech SREDKey: A keypad that enables merchants to enter customer card data securely and plugs into a Stanford-issued work computer via a standard USB port
  • Bluefin P2PE Manager: A web-based portal for managing SREDKey users, tracking device status / inventory, and viewing transaction history
  • Shared device: SREDKeys will be configured for Stanford’s environment as a whole, so they can be shared within units

Benefits

  • Improve device security: Automatically detects tampering due to malicious activity and will prevent a breach at point of entry
  • Enhance payment security: Protect the merchant environment with a validated P2PE solution which removes any risk of unencrypted (clear-text) cardholder data passing through work computers and helps reduce risk posed by malware
  • Reduce PCI DSS scope: By using an encrypted keypad, the unit is eligible for the less complicated Self-Assessment Questionnaire (SAQ) P2PE instead of the SAQ C-VT which requires annual penetration testing
  • Increase work efficiency: Due to the simplified setup, merchants may greatly reduce time spent jogging between different workstations, and/or logging into PCI servers

Process Flow

Costs 

One-time fees paid by department

  • SREDKey hardware: $236 per device + sales tax (one time)
  • Key injection: $35 per device (one time)
  • Shipping: $15 (one time)

Ongoing fees paid by Office of the Treasurer

  • P2PE device key management: $15 per device per month
  • Bluefin data decryption fee: $0.05 per transaction

How to Order

To place an order, please submit a support request to Merchant Services (MS). Deployment will take up to two to three weeks. MS will arrange the pickup time / location and provide on-site training to the users. Please provide the following information:

  • Merchant account number (12 digits)
  • Cybersource account name (wfgxxxx)
  • User names and email addresses
  • Number of devices needed and their respective locations

Security Practices 

Stanford employees must use Stanford-issued computers to process card payment transactions for business purposes. If they accidentally use a non-Stanford-issued computer, it would create a PCI compliance violation that will be escalated to the University Information Security Office (ISO) for further investigation.

To access the Cybersource virtual terminal, users are only required to log into the Stanford VPN regardless of their work locations. Users no longer need to log into extra layers of PCI VPN/Virtual Desktop or use separate PCI workstations when using the encrypted keypad.

The same encrypted keypad can be used across different Cybersource MIDs only if each merchant account is configured to use the device by the Merchant Services Admin. Plugging the device into a computer to access another web browser/program portal will not work.

The encrypted keypad can be connected to a Mac computer with an adapter. A USB-A to USB-C adapter should be a simple device that does not store or process card information. Using such an adapter to connect the USB-A output cable from an encrypted keypad to the USB-C port on a Stanford-issued MacBook should not have any implications for PCI compliance. However, users should obtain the USB adapter from a reputable source and evaluate it regularly for signs of tampering.

Merchants should treat the encrypted keypad the same way as other credit card Point-of-Sale terminals. The encrypted keypad should not be left on when connected to the SU computer and should be checked for tampering regularly.

Inspection

Users should properly document the inventory (via the Bluefin P2PE Manager online portal), perform periodic inspections, securely store the devices when not in use, and report any tampered devices to Merchant Services immediately.

SREDKey devices should be inspected at least quarterly. Merchants should keep an inspection log that details the date and the person in charge. Please refer to the Bluefin P2PE Manager User Guide for detailed instructions on device inspection and tampering detection.

Refunds

The device is not necessary when refunding transactions for up to 180 days. The SREDKey is used when manually keying in cardholder information to process a transaction or a refund over 180 days. The regular refund process is generally the same except that you no longer need to log into a PCI VPN/Virtual Desktop. To issue a refund within 180 days:

  • Log into Cybersource Enterprise Business Center
  • Locate the transaction under Transaction Search
  • Click Credit in the upper right corner to issue a full/partial refund

For more information on refunds, see Issuing Refunds to Credit and Debit Cards.

Resources

 

 

Last Updated: May 11, 2022