Suite Solution Overview
The Suite Solution focuses on providing functional components for your payment acceptance solution.
The core components are:
Component | As | Description |
---|---|---|
White-label App SDK | Android SDK | Customizable SDK for integrating payment functionalities into existing applications |
White-label App | Android Application | Ready-to-deploy android app with basic pre-built app features |
POS API | Interface for POS Integration | APIs and integration modes for POS systems to integrate with the White-label App |
Service API | Interface for MMS and TMS | APIs and integration modes for the CUSTOMER's own MMS and TMS |
Gateway Service | Backend Service | Backend service for processing the payment data with different designated payment hosts |
Merchant Management Service (MMS) | Backend Service & Web Portal | Tools and services to manage and provision merchants, plus transaction history and reports for your operations team |
Cryptographic Management Service (CMS) | Backend Service | Service to manage cryptographic keys |
Attestation and Monitoring Service (AMS) | Backend Service | Service to provide comprehensive monitoring and attestation functions for the SoftPOS solution. |
White-label App SDK
- Abstracts away the underlying integration with the CPoC/MPoC SDK.
- Provides a simplified interface for your app to initiate a payment request.
- Offers composable and customizable UI components to match your brand's look and feel.
- Ensures compliance with major payment and security standards.
White-label App
- A fully functional Android application ready for deployment.
- Pre-integrated with major payment gateways and processors.
- Includes user-friendly interfaces for a smooth merchant experience.
- Supports real-time transaction history.
- Can be customized and branded to your requirements.
- Supports multiple payment methods, including credit and debit cards, mobile wallets, and QR code payments.
POS API
- Exposes an interface for POS system integration.
- Launch modes: Android app-to-app call (Intent), or a RESTful API on the local network.
- Works out of the box with the MineSec White-label SoftPOS App.
Service API
MineSec provides Service API for CUSTOMERs to perform:
- Merchant onboarding
- Transaction query
- Acquirer profile setup
- Terminal and EMV configuration
- Terminal management
- Settlement
- Synchronise transaction data to CUSTOMER’s Merchant Management Service (MMS) and Terminal Management Service (TMS)
Gateway Service
The Gateway Service is a lightweight backend module that builds and exchanges payment messages with acquiring hosts or designated payment gateways. It keeps its APIs and attack surface minimal so that gateway integration stays efficient and robust.
Key features of the Gateway Service include:
Modern Asynchronous Server Framework: The Gateway API is built on a modern asynchronous server framework, giving a reliable and efficient integration experience.
Message Processing: This module constructs and processes messages with the designated Acquirer Host(s) for all payment transactions. It supports several message formats, including ISO 8583, JSON, and XML. Other acquirer host message formats can be supported at additional charge.
Flexibility: The Gateway Service is designed to process transactions with multiple hosts. For example, it can be configured to process Visa and Mastercard transactions via one payment gateway, such as the Mastercard Payment Gateway, while processing Amex transactions with the AMEX GCAG interface. Additionally, the Gateway module supports QR code payments in both synchronous and asynchronous modes.
Unified Interface: Even with multiple acquiring hosts integrated, the Gateway Service maintains a unified interface and data model. This means regardless of the acquiring host or payment type (e.g., card-based or QR code), the interface and data model remain consistent, simplifying the integration process and reducing complexity for developers.
Merchant Management Service (MMS)
The Merchant Management Service (MMS) is a comprehensive backend module that handles merchant and credential management, device provisioning, and day-to-day operational tasks such as transaction reporting. Key features of the MMS include:
Credential Management: The MMS manages credentials for the White-label Application (WL APP) and user login via the web portal, ensuring secure access and authentication.
Merchant Management: Provides tools for managing merchant accounts, including registration and payment configuration.
Device Provisioning: Handles the provisioning of devices, including MID (Merchant ID) and TID (Terminal ID) assignments, ensuring each device is correctly configured for operation.
Transaction History and Reporting: Maintains a comprehensive transaction history and provides detailed reporting capabilities, allowing your operation team to review and analyze transaction data.
Web UI Portal: An optional web UI portal is available for operators to manage merchant and device provisioning through an intuitive interface. This portal simplifies the management process by providing a user-friendly way to configure and control various aspects of merchant operations.
RESTful API: For those who prefer to integrate or develop their own solutions, the MMS offers a RESTful API. This API provides full access to the functionality of the MMS, enabling seamless integration with other systems and custom applications.
Attestation and Monitoring Service (AMS)
MineSec's Attestation & Monitoring Service (AMS) provides comprehensive monitoring and attestation functions for the SoftPOS solution. This module ensures that the SoftPOS complies with the PCI MPoC security standards and offers robust lifecycle management for the MineSec CPoC/ MPoC SDK.
Key features of the AMS include:
Compliance Assurance: The AMS ensures that SoftPOS applications comply with PCI MPoC security standards, which is crucial for secure and compliant payment processing. It monitors and verifies that applications adhere to these standards throughout their lifecycle.
Lifecycle Management: Provides robust lifecycle management for the CPoC/MPoC SDK, including compliance checks that ensure continuous adherence to PCI security standards.
Certified PCI MPoC Service: The AMS is a PCI MPoC-certified Attestation and Monitoring Service, guaranteeing that it meets the stringent requirements set by PCI for monitoring and attesting the security and compliance of payment applications. This certification reassures CUSTOMERs of the highest level of security and compliance.
Real-Time Monitoring and Alerts: The AMS continuously monitors the SoftPOS instance in real-time, providing alerts and mitigation for any security issues. This proactive approach helps in quickly addressing and resolving potential threats.
Tamper Detection and Response: Incorporates advanced tamper detection mechanisms to identify any unauthorized modifications or breaches.
Detailed Reporting: Offers detailed reporting capabilities, providing insights into the security and compliance status of the SoftPOS applications. These reports can be used for audits and to ensure ongoing adherence to PCI security standards.
Cryptographic Management Service (CMS)
The Cryptographic Management Service (CMS) is a crucial component of the MineSec Suite Solution, designed to handle complex cryptographic operations necessary for secure payment processing. Here are the key aspects of the CMS:
PCI MPoC Solution and PIN Compliance
PCI PIN compliance is required for a PCI MPoC solution deployed in countries where PIN entry is required during transactions. In that case a PCI PIN Attestation of Compliance (AoC) is required during the MPoC solution certification evaluation, and its scope must cover PIN processing and Remote Key Distribution (RKD) using asymmetric keys.
Achieving PCI PIN certification is challenging and is often a significant roadblock for CUSTOMERs who have never undertaken the process. It involves extensive security evaluations, setting up compliant infrastructure, and investing in payment-grade Hardware Security Modules (HSMs), together with operational and process compliance.
To expedite time-to-market and ease this burden, MineSec offers the CMS in a SoftPOS-as-a-Service (SaaS) deployment. This service is PCI PIN compliant and provides PIN translation and RKD. The CMS integrates with the MineSec MPoC SDK and supports key export and import operations.
The CMS can also be deployed on-premises. In that case CUSTOMERs must provide the HSMs and the PCI PIN AoC required for the PCI MPoC Solution deployment.
Key Functions and Capabilities
- PIN Translation: During transaction processing, PIN translation can be performed by the CMS. It supports translation between ISO 9564 format 4 (AES) and format 0 (TDES) Encrypted PIN Blocks (EPB) in both directions.
- RKD Integration: The MineSec MPoC SDK is integrated using the CMS Remote Key Distribution component, ensuring secure key distribution to applications.
- Key Export and Import: The CMS supports the export and import of cryptographic keys, providing flexibility and compatibility with various systems and requirements.
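The format 4 to format 0 translation above, as an added example that is not MineSec's CMS code: it implements the clear-text layer of ISO 9564-1 PIN blocks (PIN field and PAN field construction for both formats, validation on the way back, and the two-pass format 4 encipherment structure). The AES and TDES block operations under the acquirer keys must run inside the PCI PIN HSM, so they are passed in as callables; `demo_block_op`, the PAN and the PIN are constructed stand-ins for the offline run, not real values or a real cipher.

```python
"""ISO 9564-1 PIN block formats 0 and 4: clear-text layer of a
format 4 -> format 0 translation. Added example, not MineSec code."""
import os
import re


def _check_pan(pan):
    if not re.fullmatch(r"\d{12,19}", pan):
        raise ValueError("PAN must be 12-19 digits")
    return pan


def _check_pin(pin):
    if not re.fullmatch(r"\d{4,12}", pin):
        raise ValueError("PIN must be 4-12 digits")
    return pin


def _xor(a, b):
    if len(a) != len(b):
        raise ValueError("block length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def _parse_pin_field(hexfield, control, fill):
    # Shared validation of the first 16 nibbles of either format.
    if hexfield[0] != control:
        raise ValueError(f"expected control nibble {control}")
    n = int(hexfield[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("PIN length out of range")
    pin, pad = hexfield[2:2 + n], hexfield[2 + n:16]
    if not pin.isdigit() or pad != fill * len(pad):
        raise ValueError("bad PIN digits or fill")
    return pin


# ---------- Format 0 (TDES, 8-byte block) ----------
def format0_pan_field(pan):
    # 0000 + rightmost 12 PAN digits excluding the check digit (zero-padded).
    digits = _check_pan(pan)[:-1][-12:].rjust(12, "0")
    return bytes.fromhex("0000" + digits)


def format0_encode(pin, pan):
    # Control nibble 0, PIN length, PIN digits, fill F; XOR with PAN field.
    pin = _check_pin(pin)
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, format0_pan_field(pan))


def format0_decode(block, pan):
    field = _xor(block, format0_pan_field(pan)).hex().upper()
    return _parse_pin_field(field, control="0", fill="F")


# ---------- Format 4 (AES, 16-byte block) ----------
def format4_pan_field(pan):
    # Length indicator nibble (PAN length - 12), full PAN, zero fill to 32 nibbles.
    pan = _check_pan(pan)
    return bytes.fromhex(f"{len(pan) - 12:X}{pan}".ljust(32, "0"))


def format4_pin_field(pin, rnd=None):
    # Control nibble 4, PIN length, PIN, fill A to 16 nibbles, then 8 random
    # bytes so that equal PINs do not produce equal blocks.
    pin = _check_pin(pin)
    rnd = os.urandom(8) if rnd is None else rnd
    if len(rnd) != 8:
        raise ValueError("random filler must be 8 bytes")
    return bytes.fromhex(f"4{len(pin):X}{pin}".ljust(16, "A")) + rnd


def format4_parse_pin_field(field):
    if len(field) != 16:
        raise ValueError("format 4 PIN field must be 16 bytes")
    return _parse_pin_field(field[:8].hex().upper(), control="4", fill="A")


def format4_wrap(pin_field, pan_field, aes_encrypt_block):
    # Format 4 encipherment: EPB = E(E(PIN field) XOR PAN field).
    return aes_encrypt_block(_xor(aes_encrypt_block(pin_field), pan_field))


def format4_unwrap(epb, pan_field, aes_decrypt_block):
    return aes_decrypt_block(_xor(aes_decrypt_block(epb), pan_field))


def translate_format4_to_format0(epb, pan, aes_decrypt_block):
    # Recover the PIN under the incoming AES key and re-encode it as the clear
    # format 0 block; the caller TDES-encrypts that block under the outgoing
    # acquirer PIN key. In production every step of this runs inside the HSM.
    pin_field = format4_unwrap(epb, format4_pan_field(pan), aes_decrypt_block)
    return format0_encode(format4_parse_pin_field(pin_field), pan)


def demo_block_op(block):
    # Stand-in for the HSM's AES block call so the file runs offline. It is a
    # self-inverse byte XOR, NOT a cipher; never use it with real keys.
    return bytes(b ^ 0x5A for b in block)


if __name__ == "__main__":
    pan, pin = "4000001234567899", "1234"  # constructed test values
    epb = format4_wrap(format4_pin_field(pin), format4_pan_field(pan), demo_block_op)
    print(translate_format4_to_format0(epb, pan, demo_block_op).hex().upper())
```

Note the two PAN fields differ: format 0 drops the check digit and keeps only 12 digits, while format 4 carries the full PAN behind a length indicator. A translation that reuses one PAN field for both formats produces blocks the acquirer host will reject.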
Key Groups in CMS
The CMS manages two primary groups of keys:
- SoftPOS Application Keys: The CMS automatically distributes payment keys to the MPoC Application following application registration and activation.
- Acquirer Encryption Keys: Once imported into the CMS, these keys are used to translate PIN blocks within the PCI PIN infrastructure before the block is sent to the acquiring host.
Key Management
If PIN support is required, CUSTOMERs are expected to share the Acquirer/Bank PIN key with MineSec for key injection and translation. For Tap to Phone and Tap on Phone pilot programs, please refer to the following diagram for key injection and translation.
Supported key management schemes
Key Management | Description |
---|---|
DUKPT (TDES or AES): CARD BDK (optional), PIN BDK | The BDK is generated on the acquirer side; the 3 key components of each key are shipped to MineSec's three key custodians via courier or email. |
Fixed Key (TDES or AES): CARD key (optional), PIN key | The fixed key is generated on the acquirer side; the 3 key components of each key are shipped to MineSec's three key custodians via courier or email. |
Master/Session Key (TDES or AES; ZMK, TMK, TPK per X9.17): CARD (optional), PIN | The ZMK is generated on the acquirer side; the 3 key components of each key are shipped to MineSec's three key custodians via courier or email. |
Each component must travel by a separate channel to a different custodian so that no single person ever holds more than one component (split knowledge and dual control).
Note: Card data protection is not mandatory as long as the communication channel is a secure channel (e.g. TLS/HTTPS, VPN).
Hardware Security Module (HSM)
The MineSec Suite Solution offers a PCI PIN compliant infrastructure, which is critical for secure transaction processing. The HSM requirements depend on the deployment model:
SaaS Deployment Model
When the MineSec Suite Solution is consumed via a SoftPOS-as-a-Service (SaaS) deployment model, MineSec provides the PCI PIN compliance infrastructure. As a result, CUSTOMERs are not required to supply any HSMs.
On-Premise Deployment Model
For on-premise deployments of the MPoC, Tap to Phone, and Tap on Phone solutions, CUSTOMERs are expected to provide two sets of hardware HSMs. The following details outline the necessary requirements and configurations:
- HSM Model: Thales payShield 10K
- Minimum Firmware Version: 1.6a and above
- Required Licenses:
- HSM9-LIC007: AES Algorithm
- HSM9-LIC002: RSA Algorithm
- Key Management Component: Classic Key Management Component (PS10-CLA-xx)
- Important Settings:
- LMK (Local Master Key) should be generated as Key Block LMK
MineSec may support other HSM models at an additional development charge. Please contact your MineSec Sales representative for more details. For on-premise deployment, CUSTOMERs are also required to provide the PCI PIN Attestation of Compliance (AoC), which is necessary for the MPoC Solution Provider evaluation. By adhering to these requirements and configurations, CUSTOMERs can ensure a secure and compliant deployment of the MineSec Suite Solution, whether in a SaaS or on-premise model.
Merchant Onboarding
CUSTOMERs are expected to provide merchant information e.g. MID/TID, merchant logo to MineSec Merchant Management Service (MMS) before the merchant can proceed with any SoftPOS transaction. Merchant information can be manually input in MMS or via the Service API.
Certification and Compliance
The MineSec White-label Suite Solution is PCI CPoC and PCI MPoC (Isolated SDK and Attestation & Monitoring Service Provider, with PIN support) certified. The Solution is also certified under Mastercard's Tap on Phone (TOP) and Visa's Tap to Phone (TTP) pilot programs.
L2 Kernels
MineSec Suite Solution supports the following L2 Kernels:
- Visa
- Mastercard
- UnionPay
- AMEX
- Diners
- Discover
- JCB
- PURE
- RuPay
- MyDebit
- CPACE
Visa and Mastercard L2 Kernels are provided out of the box in the MineSec Suite Solution. Additional cost is required for enabling additional L2 Kernels. Please contact your MineSec Sales representative for more details.
Deployment
SoftPOS-as-a-Service (SaaS)
MineSec provides a SaaS model in which all backend modules are hosted in AWS Cloud with multi-region support. If a CUSTOMER deploys MPoC, CPoC, Tap to Phone or Tap on Phone with the SaaS model, using the WL APP or WL APP SDK, NO ADDITIONAL certification is required.
On-premise
MineSec backend software can be installed in the CUSTOMER's data center or the CUSTOMER's AWS Cloud environment. All modules are delivered as Docker images. Two hosts per module are required for a High Availability setup. CUSTOMERs must provide MineSec with remote access for the installation; on-site installation incurs an additional charge.
For on-premise deployment, the CUSTOMER's data center or AWS environment MUST BE PCI DSS compliant.