Portico Developer Guide
Encryption

Portico supports two methods of encryption for securing PAN and track information: Heartland E3 and AES using DUKPT.

Heartland E3 is an implementation of the Voltage Identity-Based Encryption methodology offered by Heartland to allow card data to be encrypted from the moment it is obtained at the POS and throughout Heartland processing. Since software is vulnerable to intrusions, this technology is hardware based. Using E3 hardware, the merchant's POS software never sees card data. It also allows the card data to remain encrypted throughout all of Heartland's systems. This not only removes intrusion threats, it also greatly reduces the scope of PCI audits on the associated merchant POS software.

AES using DUKPT key management is provided for Heartland mobile by the IdTECH card reader. This technology offers near end-to-end encryption.

TDES using DUKPT key management offers end-to-end encryption using ANSI X9.24 part 1 standard.

For transactions using any of the encryption types, the EncryptionData element must be provided. It carries the encryption version in use together with any additional data items that version requires.

Using encryption with EMV transaction requests may affect the formatting of the Track 2 equivalent data. The certification team can provide guidance.

Please note that Version 01, 02, and 04 are not supported for merchants processing on GNAP-UK.

The supported encryption versions and required data items are defined as follows:

Version 01 - E3 (Voltage)

  When Encrypting PAN: Not Supported

  When Encrypting Track Data:
    The EncryptionData element must be provided with the Version set to "01". No additional elements need to be provided inside the EncryptionData element.
    The TrackData provided must include the full E3/Voltage device output stream.
    Encryption Version 01 is supported only for the Heartland E3-M1 magnetic stripe reader wedge device, functioning in keyboard emulation mode.

Version 02 - E3 (Voltage)

  When Encrypting PAN: Supported
    The EncryptionData element must be provided with the Version set to "02". In addition, the POS must parse the E3 MSR output and provide the Key Transmission Block in the KTB element.
    The CardNbr provided must only include the encrypted PAN parsed by the POS from the E3/Voltage device output stream.

  When Encrypting Track Data:
    The EncryptionData element must be provided with the Version set to "02".
    In addition, the EncryptedTrackNumber element must be set to "1" for Track 1 data or "2" for Track 2 data, and the POS must parse the E3/Voltage device output and provide the KTB in the KTB element.
    The TrackData provided must only include the encrypted Track 1 or Track 2 data parsed by the POS from the E3/Voltage device output stream.

Version 03 - AES

  When Encrypting PAN: Not Supported

  When Encrypting Track Data:
    The EncryptionData element must be provided with the Version set to "03".
    In addition, the EncryptedTrackNumber element must be set to "1" for Track 1 data or "2" for Track 2 data, and the POS must parse the card reader output stream and provide the KSN in the KSN element.
    Both the KSN and the track data content must be Base-64 encoded strings.

Version 04 - E3 (Voltage)

  When Encrypting PAN: Supported
    The EncryptionData element must be provided with the Version set to "04". In addition, the POS must parse the E3 MSR output and provide the Key Transmission Block in the KTB element.
    In addition to the CardNbr, version "04" expects the CVV2 to be encrypted.
    The CardNbr and CVV2 provided must only include the encrypted PAN and encrypted CVV2 parsed by the POS from the E3/Voltage device output stream.

  When Encrypting Track Data:
    The EncryptionData element must be provided with the Version set to "04".
    In addition, the EncryptedTrackNumber element must be set to "1" for Track 1 data or "2" for Track 2 data, and the POS must parse the E3/Voltage device output and provide the KTB in the KTB element.
    The TrackData provided must only include the encrypted Track 1 or Track 2 data parsed by the POS from the E3/Voltage device output stream.

Version 05 - TDES DUKPT

  When Encrypting PAN: Supported
    The EncryptionData element must be provided with the Version set to "05".
    The CardNbr must only include the encrypted PAN. If a CVV2 is provided, it should not be encrypted.

  When Encrypting Track Data:
    The EncryptionData element must be provided with the Version set to "05".
    In addition, the EncryptedTrackNumber element must be set to "1" for Track 1 data or "2" for Track 2 data, and the POS must parse the card reader output stream and provide the KSN in the KSN element.
    Both the KSN and the track data content must be Base-64 encoded strings.
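The rules above differ per version and per mode (PAN versus track data), which is where POS integrations most often go wrong: a KTB sent where a KSN is expected, a missing EncryptedTrackNumber, a KSN that is not Base-64, or a CVV2 encrypted under Version 05. The following Python is an added example, not code from the Portico guide or from Heartland: it transcribes the table into a rule set, reports every violation for a requested Version and mode, and only then assembles the EncryptionData element. The element names (EncryptionData, Version, EncryptedTrackNumber, KTB, KSN) come from this page; the child element order and the placeholder KTB/KSN/track values are assumptions. It also adds one check the page does not state, a Luhn test that flags a CardNbr which still looks like a plaintext PAN, because a POS that claims encryption but sends cleartext is the failure mode a reviewer most wants caught before the request leaves the terminal.

```python
"""Validate and build the Portico EncryptionData element per encryption version.

Added example (not Portico's own code). Element names are from the guide;
child order and the surrounding request structure are assumptions.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Requirements per Version and mode, transcribed from the table on this page.
# key: "KTB" for E3/Voltage versions, "KSN" for DUKPT versions.
# b64: KSN and track content must be Base-64 encoded strings.
# cvv2_encrypted: True = must be encrypted (04), False = must not be (05).
# A mode of None means the guide lists that cell as "Not Supported".
RULES = {
    "01": {"type": "E3 (Voltage)", "pan": None,
           "track": {"key": None, "track_number": False, "b64": False}},
    "02": {"type": "E3 (Voltage)",
           "pan": {"key": "KTB", "track_number": False, "b64": False},
           "track": {"key": "KTB", "track_number": True, "b64": False}},
    "03": {"type": "AES", "pan": None,
           "track": {"key": "KSN", "track_number": True, "b64": True}},
    "04": {"type": "E3 (Voltage)",
           "pan": {"key": "KTB", "track_number": False, "b64": False, "cvv2_encrypted": True},
           "track": {"key": "KTB", "track_number": True, "b64": False}},
    # The guide lists only Version for the 05 PAN cell, so no key element is required here.
    "05": {"type": "TDES DUKPT",
           "pan": {"key": None, "track_number": False, "b64": False, "cvv2_encrypted": False},
           "track": {"key": "KSN", "track_number": True, "b64": True}},
}


def is_base64(value):
    """True when value is a non-empty, strictly valid Base-64 string."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def luhn_ok(digits):
    """Standard Luhn check digit test over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_plaintext_pan(value):
    """Added sanity check (not from the guide): a 13-19 digit Luhn-valid string is
    almost certainly a cleartext PAN, which must never be sent under an encryption flag."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)


def encryption_data_problems(version, mode, *, ktb=None, ksn=None,
                             track_number=None, payload=None, cvv2_encrypted=None):
    """Return a list of rule violations for the given Version and mode ("pan" or "track").
    payload is the encrypted CardNbr or TrackData content that will accompany the element."""
    rule = RULES.get(version)
    if rule is None:
        return [f"unknown encryption Version {version!r}"]
    req = rule[mode]
    if req is None:
        return [f"Version {version} ({rule['type']}) does not support encrypting {mode}"]
    problems = []
    if req["track_number"] and track_number not in ("1", "2"):
        problems.append("EncryptedTrackNumber must be '1' (Track 1) or '2' (Track 2)")
    if req["key"] == "KTB" and not ktb:
        problems.append("KTB (Key Transmission Block) parsed from the E3 output is required")
    if req["key"] == "KSN":
        if not ksn:
            problems.append("KSN parsed from the card reader output is required")
        elif req["b64"] and not is_base64(ksn):
            problems.append("KSN must be a Base-64 encoded string")
    if req["b64"] and payload is not None and not is_base64(payload):
        problems.append("TrackData content must be a Base-64 encoded string")
    expected_cvv2 = req.get("cvv2_encrypted")
    if expected_cvv2 is not None and cvv2_encrypted is not None and cvv2_encrypted != expected_cvv2:
        state = "must" if expected_cvv2 else "must not"
        problems.append(f"Version {version}: CVV2 {state} be encrypted")
    if mode == "pan" and payload is not None and looks_like_plaintext_pan(payload):
        problems.append("CardNbr looks like a plaintext PAN; only the encrypted PAN may be sent")
    return problems


def build_encryption_data(version, mode, **fields):
    """Return the EncryptionData element as an XML string, or raise ValueError listing
    every violated rule. Child order (Version, EncryptedTrackNumber, KTB, KSN) is assumed."""
    problems = encryption_data_problems(version, mode, **fields)
    if problems:
        raise ValueError("; ".join(problems))
    req = RULES[version][mode]
    enc = ET.Element("EncryptionData")
    ET.SubElement(enc, "Version").text = version
    if req["track_number"]:
        ET.SubElement(enc, "EncryptedTrackNumber").text = fields["track_number"]
    if req["key"] == "KTB":
        ET.SubElement(enc, "KTB").text = fields["ktb"]
    elif req["key"] == "KSN":
        ET.SubElement(enc, "KSN").text = fields["ksn"]
    return ET.tostring(enc, encoding="unicode")


if __name__ == "__main__":
    # Constructed placeholder values; real KTB/KSN come from the device output stream.
    print(build_encryption_data("02", "pan", ktb="KTB-PLACEHOLDER"))
    print(build_encryption_data("05", "track", ksn="AAAAAAAAAAAAAAAA",
                                track_number="2", payload="QUJDREVG"))
    print(encryption_data_problems("04", "pan", ktb="KTB-PLACEHOLDER", cvv2_encrypted=False))
```

Running the module prints a Version 02 PAN element, a Version 05 track element, and the single violation for a Version 04 request whose CVV2 was left unencrypted. The KSN and payload in the demo are constructed Base-64 strings, not real key serial numbers or cipher output; the point of keeping the checks separate from the builder is that a POS can log every violation at once during certification rather than failing on the first one.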