The fundamental difference between integrated payment architecture and semi-integrated architecture is that in semi-integrated solutions, the payment terminal communicates sensitive transaction information directly to the payment gateway or payment processor, keeping that data separate from the merchant's and ISV's systems. This is critical for developers because it shifts most of the burden of PCI compliance away from the business's application and onto the payment gateway or payment processor. The payment service provider's EMV-certified and PCI-compliant software runs on the physical payment terminal, but only transmits non-sensitive data to the business's application. The sensitive transaction data is sent directly from the payment provider's terminal application to the payment gateway or processor, and the only data that's returned to the POS application is a PCI-compliant response with non-sensitive data.

In a semi-integrated solution, the POS application initiates the transaction and prompts the cardholder to insert, tap, or swipe their card or mobile wallet. The credit card information is then encrypted and sent directly from the payment terminal to the gateway or processor, and on to the acquiring bank for authorization. The authorization approval or denial is then sent directly back through the processor to the terminal, and the terminal forwards a PCI-compliant, non-sensitive response to the POS, masking sensitive card data and any personally identifiable information (PII). This response includes data such as the approval code, the truncated card number, and depending on the configuration, the transaction token.

Understanding this transaction flow is important for developers because it keeps their applications — which become part of the POS software — out of the flow of PII and PCI-protected data. This further benefits developers and merchants because deploying this architectural pattern means they do not have to complete a full EMV certification, which requires a high level of specialized development work and can take months to complete. Instead, EMV pre-certified products can be leveraged to significantly reduce the integration time and effort.

Developers looking for code samples and integration guides for pre-certified devices can review documentation for the Ingenico and PAX Semi-Integrated Solutions. A key benefit of the Ingenico Semi-Integrated Solution is that it allows developers to code once and then work with the entire line of Ingenico Tetra devices, including the Desk 3500 and the Lane 5000, without having to make code changes for each device. The PAX Semi-Integrated Solution provides partners with the latest smart terminals from the PAX A-Series and E-Series. View details for the entire collection of compatible hardware and place an order for a test terminal on the Hardware page.

An integrated payments system has the same components as a semi-integrated solution, but — as the name implies — the components are integrated together. Specifically, the application that manages the transaction and interacts with the sensitive payment data is integrated into the POS system. This fully integrated payments software processes the payment and is often combined with other business functions including accounting, inventory, and CRM systems. In this architectural model, raw card data must travel securely through the POS, to the payment processor, and on to the bank for payment authorization. Because of this key difference, the Point of Sale application is responsible for complying with Payment Card Industry Data Security Standards (PCI-DSS). Learn more about what PCI means and review PCI-DSS requirements at pcisecuritystandards.org.

From a developer's perspective, integrated solutions can pose significant security risks. The POS software that development teams create is vulnerable to malware that hackers leverage to attempt to steal credit card information. Additionally, the entire system that developers work on must be built to comply with PCI requirements and earn approval by the PCI Security Standards Council. This means the application also needs to go through EMV certification, which requires more specialized developer effort, more time, and regulatory reviews in order to be fully PCI compliant. Finally, any subsequent changes to the POS application after initial approval require re-certification, which introduces additional compliance and regulatory factors. Semi-integrated solutions remove that burden.

Developers are increasingly becoming technology decision-makers on behalf of ISVs and merchants. For developers, leveraging semi-integrated solutions requires less programming, reduces PCI burden, and offers increased security compared to fully integrated solutions. All while providing fast and frictionless acceptance for any payment environment.