VP2PE and Payment Card Industry Acronyms Revealed

What does it mean to be HIPAA, PCI Level 1, VP2PE, and QIR compliant in the world of credit card processing? Learn the lingo and know what certifications to verify when choosing a payment gateway or any solution that touches payments.


If you accept credit cards, you must comply with Payment Card Industry Data Security Standards. There’s no exception. Anyone who advises that a solution means you don’t have any responsibility is dead wrong. The mission of the PCI Security Standards Council (PCI SSC) is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council sets the standards; the card brands levy penalties and fines for non-compliance.

PCI Level 1 Service Provider

If a third-party entity provides services for, or on behalf of, a Merchant, and those services control or could impact the security of cardholder data or of transactions that are processed, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance. For example, if you accept payments online, the payment gateway is a PCI Service Provider. Or if you use a lockbox company, they must be certified. PCI Level 1 is the most common PCI Compliance certification for a service provider. You can verify whether a service provider is compliant with Visa here: https://www.visa.com/splisting/searchGrsp.do. If the company you’re doing business with is not on the list, ask questions.


If a software application controls or could impact the security of cardholder data or of transactions that are processed, then for PCI compliance merchants must only use applications certified to the Payment Application Data Security Standard (PA DSS). Examples include a lockbox company that processes transactions or a retail point of sale system. If payments are segregated from the application, then PA DSS does not apply. In my experience, this is a weak area for merchants because not all application providers understand their requirements; some will do the standard PCI scan and say they’re PCI Compliant, but in reality, they’re using a homegrown application to process transactions which they have not certified.


There is no Health Insurance Portability and Accountability Act (HIPAA) certification for service providers, and HIPAA does not fall under the purview of the PCI Council. However, a PCI Service Provider may choose to engage a third-party auditor to attest compliance in order to better serve merchants in industries that require HIPAA compliance.


Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program. Level 4 merchants were a big portion of data breaches, so as of January 2017 they’re mandated to only use QIR certified individuals for their implementations and maintenance. Level 4 merchants are those with fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. QIR applies to individuals; a company may have multiple people certified.


Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.


VP2PE is not an official acronym of the PCI Council for Validated P2PE, but it is descriptive. The P2PE Standard defines the requirements that a “solution” must meet in order to be accepted as a PCI validated P2PE solution. A “solution” is a complete set of hardware, software, gateway, decryption, device handling, etc. Validated solutions are listed on the PCI Council web site. They reduce PCI compliance scope and burden for merchants. For example, about 35 questions vs 359, and 4 sections instead of 12.

Today there are only 42 companies with 49 validated solutions in the entire world. Some of the solutions are only valid with a particular acquirer. For merchants seeking an agnostic VP2PE solution, the list gets very small.


CenPOS, a payment technology provider, has a Health Insurance Portability and Accountability Act (HIPAA) attestation from a third-party external auditor across a broad range of payment solutions offered by the company. CenPOS is listed as a registered Level 1 Service Provider on the Visa web site, and is listed in the VP2PE solutions and QIR sections of the PCI Council web site. The CenPOS Validated P2PE solution is compatible with many acquirers. You can also find me, Christine Speedy, under QIR certifications when searching by name. (CenPOS is not a software application so is not listed as PA DSS.)

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

What payment gateways support level 3 processing?

2014 level 3 payment gateway comparison chart.

This 2014 comparison chart reviews payment gateways that support level III data and whether or not each gateway is independent of the merchant account. Reviewed are authorize.net, CenPOS, Paymentech Orbital, First Data e4 Global Gateway, PayTrace, Payflow Pro, 3Delta Systems (3DSI), and Heartland Payment Systems.

Where a check is indicated, the merchant can send level III data without any special programming or integration (except API). However, a merchant might achieve level 3 processing in another category by using an API.

The payment channels reviewed include retail, moto, ecommerce shopping cart, electronic bill presentment & payment (EBPP), online payments (hosted web pay page), token billing (recurring), API (ERP and other software). Also indicated is whether a new merchant account is required or which merchant processors the gateway is compatible with.

Certification to merchant processors, including level 3 processing:

  • CenPOS: First Data (FDC Nashville), Chase Paymentech, Vantiv, TSYS*
  • authorize.net: Chase Paymentech, FDC Compass, FDC Nashville Global, GPN, Litle, RBS WorldPay Atlanta, TSYS
  • Payflow Pro: Cielo, First Data (FDMS), Heartland, Litle, Paymentech Salem, Paymentech Tampa, Securenet, TSYS
  • PayTrace: TSYS, Paymentech Tampa, Global East, Heartland, and Trident

* Think of TSYS as a hub that provides access for transactions (traffic via payment gateway) to many highways (processors). By going through the hub, a payment gateway can securely connect to many processors (Global, Heartland, First Data, etc.) with one certification. Some merchants may incur a per-transaction fee for using a payment gateway that connects via TSYS; this may or may not be additional to fees already being paid.


** January 2014 Authorize.net update http://apps.cybersource.com/library/documentation/dev_guides/Level_2_3_SO_API/Level_II_III_SO_API.pdf (pg 10)

*** 2/28/2014 Payflow Pro https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/payflowgateway_guide.pdf

DISCLAIMER: If the information was unclear or not available, the field was left blank to err on the side of caution. Contact processors or payment gateway providers for specific details about availability and functionality. 3D Merchant Services is an authorized reseller for CenPOS, and most payment gateways, in addition to other services.


MOTO: mail order, telephone order. This is a transaction indicator code for card not present transactions.

EBPP: electronic bill presentment & payment. A merchant delivers an electronic invoice to their customers. The customer then pays the invoice electronically.

LEVEL III data or level 3 data: refers to the additional field data sent for processing Visa and MasterCard business, corporate and purchasing cards.

LEVEL III processing or level 3 processing: refers to a merchant account that supports the acceptance of level 3 data and passes the data on to the issuers.

What’s the difference between level 3 and level III? Nothing. In 2014 and in recent documents, interchange rates are more frequently referred to as level 3. However, older documentation and marketing materials referred to the requirements and other items as level III.

It’s critical to note that the CAPABILITY of sending level 3 data via a payment gateway does NOT guarantee that the transaction will qualify for level 3 interchange rates. There are many rules, and how the gateway helps a merchant meet those rules varies widely. For a free consultation on key operational differences between level III gateways, contact us.


Partial Approvals, Partial Authorizations and Authorization Reversals

Now, in 2013, some merchants are experiencing issues related to the revised MasterCard and Discover 2010 Prepaid and Debit Card Requirements, particularly partial auth reversals. One reason is that some transactions received a partial approval. A partial approval occurs when a gift card (a Visa/MC/AMEX prepaid card) is used that has a lower balance than the requested authorization amount; the processor approves the transaction for the amount that is left on the card. The merchant must then collect the balance with an alternative payment source such as cash or another card.

The 3 critical points of the rules change (from MasterCard):

  • Partial Approvals—Merchants can systemically conduct split-tender purchases by allowing debit card issuers (including prepaid) to systemically approve a portion of the original transaction amount in the authorization request when the transaction amount exceeds the funds available on the card. The merchant can then systemically initiate split-tender processing and obtain the remainder of the purchase amount in another form of payment.
  • Balance Response—Prepaid issuers can transmit account balance information in an authorization response; cardholders will attempt fewer purchases that exceed their available balances, leading to fewer declines at the POS.
  • Authorization Reversal—Authorization reversals will free up debit cardholders’ open to buy amounts by reducing issuer holds on available balances when transactions were not completed, therefore reducing the declines at the POS and the amount of cardholder complaints that are unpleasant for all parties involved.

At the time the rules were created, technology within various points of the payment processing ecosystem could not support the new requirement. Payment gateway and processor issues have largely been resolved at this point, but partial authorizations may still be troublesome in certain environments. For example, an ecommerce site or POS software solution may not have the logic to accept an alternate payment source. If you have an issue, the simplest immediate solution is to contact your credit card processor and ask them to turn off partial authorizations on your merchant account. That’s the quick fix; however, if the rules apply to your business, you may need to update your payment technology to comply. Refer to page 299 in the MasterCard Rules, updated December 2012, for more information on Full and Partial Approvals and Account Balance Responses.
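The split-tender logic that an ecommerce site or POS needs in order to handle a partial approval, including the authorization reversal when the sale cannot be completed, sketched as an added example (not code from this post or from any gateway). `FakeIssuer`, `AuthResponse` and `checkout` are hypothetical names, and the issuer is a constructed in-memory stand-in that approves up to the card's available balance.

```python
from dataclasses import dataclass
from decimal import Decimal
from itertools import count

@dataclass
class AuthResponse:
    auth_id: str
    approved: Decimal   # amount the issuer actually approved (may be < requested)
    balance: Decimal    # balance response: funds left on the card after the hold

class FakeIssuer:
    """Constructed stand-in for a processor/issuer; not a real gateway API."""
    def __init__(self, balances):
        self.balances, self.holds, self._ids = dict(balances), {}, count(1)

    def authorize(self, card, amount):
        approved = min(amount, self.balances[card])   # partial approval
        auth_id = f"AUTH{next(self._ids)}"
        if approved > 0:                              # a hold reduces open-to-buy
            self.balances[card] -= approved
            self.holds[auth_id] = (card, approved)
        return AuthResponse(auth_id, approved, self.balances[card])

    def reverse(self, auth_id):
        card, amount = self.holds.pop(auth_id)        # release the issuer hold
        self.balances[card] += amount

def checkout(issuer, total, tenders):
    """Try each tender for the remaining amount; reverse every hold if short."""
    remaining, auths = total, []
    for card in tenders:
        if remaining == 0:
            break
        resp = issuer.authorize(card, remaining)
        if resp.approved > 0:
            auths.append(resp)
            remaining -= resp.approved
    if remaining > 0:
        # Sale not completed: without reversals the cardholder's funds stay held.
        for a in auths:
            issuer.reverse(a.auth_id)
        return {"status": "abandoned", "shortfall": remaining, "approved": []}
    return {"status": "complete", "shortfall": Decimal("0"),
            "approved": [a.approved for a in auths]}
```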

About Christine Speedy, blog author. Christine is an authorized reseller for CenPOS, a cloud payment processing suite of solutions that creates numerous efficiencies for merchants. The CenPOS point of sale, mobile app, and other solutions support partial authorizations and authorization reversals.  Global Sales: Christine Speedy (954) 942-0483.