In an effort to help merchants both achieve and maintain PCI (Payment Card Industry) compliance, technologies for cardholder data security have become more prevalent. Merchants should view PCI compliance as an ongoing business requirement with continuously evolving needs and mandated changes, not just a one-time, stand-alone IT issue. There is no quick-fix approach to both achieving and maintaining compliance and it is an ongoing process that begins at the strategic level. As such, it is important that merchants address both the business side (e.g., process and payment flow) and the appropriate technological counterpart. Compliance-enabling technologies are a good place to start when it comes to the latter.
A compliance-enabling technology is any product or service that assists in reducing the scope of PCI requirements. While it is not a PCI requirement and it does not replace the standards mandated by the PCI Security Standards Council (SSC), it is a long-term solution that if implemented correctly, could make it both cheaper and easier to maintain compliance. Examples include:
Masking — The use of replacement data to obscure or replace the Primary Account Number (PAN). The PCI Data Security Standard (DSS) allows you to display the first six and the last four characters of the credit card number. With the masking functionality, the middle six numbers are substituted with a string of replacement characters that can be either random or fixed. Primarily a display technology, the underlying data is still stored but is unable to be seen. This reduces the scope of PCI exposure by eliminating the display of the full PAN. The unmasked data may still be displayed to other users with a business need to know and the stored data is still subject to the PCI DSS requirements.
Virtual Terminal — With this technology, cardholder data is captured and stored at a third-party location via an authenticated web page with an SSL-encrypted communication link. A good fit for card-not-present and e-commerce environments, the Virtual Terminal solution is ideal for call centers, customer self-service and also has the built-in functionality to integrate successfully with point-of-sale terminals and/or magnetic stripe readers to support card-present payment options.
Ultimately, there is only one solution when it comes to completely eliminating the scope of PCI compliance and that is to stop accepting credit cards all together. This is not a realistic approach for merchants in today’s fast-paced payment environment who must balance customer convenience against the need for compliance within their organization. How you integrate and accommodate these technologies will depend on your business, your culture and your revenue models. Compliance-enabling technologies serve as a viable long-term solution to reduce the scope of PCI requirements and impact to your business.
Tokenization is the process of replacing the Primary Account Number (PAN) with alternative identifiers (or tokens). The card number is first passed through the interchange process via the issuing banks and payment brands as it is today. A token that replaces the card number is then returned to the merchant for use in a more secure manner — and with a reduced scope of PCI exposure. This functionality primarily addresses cardholder data storage as the cardholder number is now replaced with a character string that can be used for processing and data transmission. Thus if a breach did occur, cardholder information would not be vulnerable to exposure.
From an operational aspect, it is important that merchants understand the risk that comes with adopting tokens that closely mirror the actual card number (tokens generated using format-preserving encryption). With this, there is a potential for collision — generating a token that matches an already existing and valid card number. Consequently, tokenization service providers, including Chase Paymentech, often use a 40-character string for their tokens. The PCI SSC has just released their tokenization guidelines, which can assist you when determining the right tokenization provider.
For those merchants interested in tokenization, it is important to understand that tokenization generally occurs after authorization and therefore does not address the initial acceptance process. As a result, online merchants are still in scope for PCI during this part of the transaction process. An effective solution to minimize this exposure is to outsource it to a third-party provider via a Hosted Pay Page. Alternatively, card-present merchants can significantly reduce PCI scope by investing in a Point-to-point Encryption solution.
Hosted Pay Page (HPP) can take the form of either a separate web page or individual order fields that redirects the customer to a secure site to enter their confidential payment data securely. The page or pages have the same look and feel of the merchants' own website, but are hosted by a trusted third-party provider. In this scenario, the merchant never stores, processes or transmits cardholder data. HPP coupled with tokenization can successfully reduce PCI scope at both the acceptance and storage level. It is important that merchants realize they are still technically at risk for PCI exposure should a breach occur, even if they do not ever see a credit card number. As long as credit cards are accepted for the purchase of goods or services, the authorization and settlement process still enables the potential of a data compromise. It is therefore recommended that merchants using this combination refer to the PCI Self-Assessment Questionnaire A in order to verify their compliance status.
Point-to-point Encryption (P2PE) is a card-present compliance-enabling technology whereby the cardholder data is encrypted from the point at which the transaction is captured to the point that it reaches the acquirer for processing. However, an encrypted PAN is still considered cardholder data under PCI as long as the merchant has access to the decryption keys. P2PE reduces the scope of PCI in the merchant's environment by meeting all of the following criteria:
The cardholder data is encrypted at swipe
Decryption occurs outside the merchant environment
No decryption functionality exists within the merchant environment
Assuming all these criteria are met and no other cardholder data is stored, processed or transmitted anywhere in the merchant environment, the merchant has then successfully reduced the PCI scope.
While no process or technology can ultimately guarantee compliance, compliance-enabling technologies are excellent tools for reducing a merchant’s PCI DSS compliance scope. In addition to simplifying the difficult task of maintaining compliance over the long term, they also have the potential to reduce the cost and time required to achieve it. No process or technology can guarantee PCI DSS compliance, or remove a merchant’s responsibility for PCI DSS compliance. Merchants should always first evaluate their business processes in light of the PCI DSS requirements and eliminate cardholder data where possible. Once this has been accomplished, these technologies can be implemented as a means of significantly reducing PCI scope and adding another layer of protection to sensitive cardholder data.
David Wallace is Group Manager for Chase Paymentech’s Merchant Compliance team, managing data security compliance for Chase Paymentech’s merchant portfolio and advising merchants about the PCI standards. Wallace has served in information security management roles with NationsBank, Sabre Holdings/Travelocity, Pilgrim’s Pride and Perot Systems, and holds multiple industry certifications, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor. He is a frequent speaker at retail industry and information security conferences. Wallace studied business administration and management information systems Louisiana State University, and holds a master’s degree in business administration from Southern Methodist University.