All P2PE Data is Available from the API
For our partnered PCI Validated Solution Providers, POS Portal provides comprehensive P2PE deployment data that can seamlessly integrate into any solution. The available data completes the full circle POS Chain of Custody required by the PCI Security Council.
Currently, all data about each order and payment device shipped from POS Portal is available through our web API. This includes devices ordered and shipped under a PCI validated P2PE solution. Orders placed for PCI Validated P2PE secure payment devices, as affirmed and designated by POS Portal’s Product Administration team, are considered P2PE orders, and as such, will have additional data available for our partners to access via the web API.
The Deployed Equipment Resource
The POS Portal web API includes a “Deployed Equipment” resource (/deployedEquipment). This resource allows customers to get data for all devices shipped by POS Portal, whether or not the device was shipped under a P2PE solution. Using the Deployed Equipment resource, customers can retrieve lists of devices using any combination of the following query parameters:
This parameter will return all devices shipped within a specific POS Portal Order.
This parameter will return all devices shipped to a specific merchant.
This parameter will return all devices shipped within a specified date range.
This parameter will return a device which matches the specified serial number.
This parameter (Boolean) will return all devices shipped under a PCI Validated P2PE solution.
This parameter will return all devices which are currently in the field and have not been returned to POS Portal.
These query parameters may be used in any combination. For example, if you want to get a list of all P2PE devices shipped in the last week, you would submit a GET request to the Deployed Equipment resource as follows:
Such calls to the Deployed Equipment “collection” resource will return a set of Deployed Equipment records which will be filtered according to the query parameters provided. These sets will be “paginated”, meaning that for performance reasons, a maximum of 500 records can be returned in any single response. If a query to the collection resource has a count of more than 500 available records, the response will include 500 records, along with links to query subsequent sets of up to 500 records. The consuming system can use these links to iterate through these paginated requests and responses to get the entire set of data desired.
Each Deployed Equipment record, whether or not it was shipped under a PCI Validated P2PE solution, will include the following fields:
List of Fields
Deployed Equipment ID
This is simply an integer which uniquely identifies the particular Deployed Equipment record.
The date and time the Deployed Equipment record was created. This is usually the date that the original deployment order was submitted.
The date and time that the device was shipped from POS Portal.
The ID of the order on which the device was shipped. Order IDs can be obtained from the Orders resource using a variety of query parameters.
The ID of the merchant to whom the device was shipped. Merchant IDs can be obtained from the Merchants resource using a variety of query parameters.
The ID of the product which represents the device. Product IDs can be obtained from the Products resource using a variety of query parameters.
The name of the product which represents the device.
The serial number on the device.
This is a Boolean which indicates whether the device is still in the field (true) or has been returned to POS Portal (false).
This is a Boolean which indicated whether the device was deployed under a P2PE solution.
If a Deployed Equipment record was deployed under a P2PE solution, the record will also contain the following information:
Additional Fields for P2PE Records
List of Events
If a device was deployed under a PCI Validated P2PE solution, the Deployed Equipment record will include a list of “Equipment Events”. These events include a chronology of chain-of-custody and configuration details which describes “who touched the device and what they did to it” while it was in POS Portal’s control. Each event record includes the following fields:
- Date and Time of the Event
- Type of Event
- Description of the Event
- ID of the User who performed the Event
- ID of the Entity on whose behalf the Event was performed
If a device was deployed under a PCI Validated P2PE solution, the Deployed Equipment record will include a list “Tamper-Evident Bags”. These records include detailed information about the tamper-evident bag into which the payment device was placed prior to shipment. Each tamper-evident bag record includes the following fields:
- Date and Time the device was placed into the tamper-evident bag
- Serial Number on the tamper-evident bag
- Product ID of the tamper-evident bag (POS Portal may use different styles of bags for different classes of payment devices)
- Name of the tamper-evident bag product (this describes the type of bag that was used)
- ID of the user who placed the device into the tamper-evident bag
- Boolean (true or false) which indicates whether this bag is the current (or most recent) tamper-evident bag used for the device
This information exposes the detail about all tamper-evident bags used for the device when shipped under a PCI Validated P2PE solution.
This information exposes the complete chain-of-custody and configuration history of the device while it was in POS Portal’s control.
In summary, POS Portal’s web API provides all of the necessary data about deployed payment devices for our partners to meet the Domain 6 needs of their PCI Validated P2PE solutions. Complete documentation for the API can be found on the developer website.