Insight for Retailers: Compliance-enabling Payment Technologies

In an effort to help merchants both achieve and maintain Payment Card Industry (PCI) compliance, technologies for cardholder data security have become more prevalent. Merchants should view PCI compliance as an ongoing business requirement with continuously evolving needs and mandated changes, not just a one-time, standalone IT issue. There is no quick-fix approach to both achieving and maintaining compliance and it is an ongoing process that begins at the strategic level. As such, it is important that merchants address both the business side (e.g. process and payment flow) and the appropriate technological counterpart. Compliance-enabling technologies are a good place to start when it comes to the latter.

A compliance-enabling technology is any product or service that assists in reducing the scope of PCI requirements. While it is not a PCI requirement and it does not replace the standards mandated by the PCI Security Standards Council (SSC), it is a long-term solution that if implemented correctly, could make it both cheaper and easier to maintain compliance.

Examples include:

Masking

The use of replacement data to obscure or replace the primary account number (PAN). The PCI Data Security Standard (DSS) allows you to display the first six and the last four characters of the credit card number. With the masking functionality, the middle six numbers are substituted with a string of replacement characters that can be either random or fixed. Primarily a display technology, the underlying data is still stored but is unable to be seen. This reduces the scope of PCI exposure by eliminating the display of the full PAN. The unmasked data may still be displayed to other users with a business need to know and the stored data is still subject to the PCI DSS requirements.

Virtual Terminal

With this technology, cardholder data is captured and stored at a third-party location via an authenticated web page with an SSL-encrypted communication link. A good fit for card-not-present (CNP) and e-commerce environments, the virtual terminal solution is ideal for call centres, customer self-service and also has the built-in functionality to integrate successfully with point-of-sale (POS) terminals and/or magnetic stripe readers to support card-present payment options.

Ultimately, there is only one solution when it comes to completely eliminating the scope of PCI compliance and that is to stop accepting credit cards all together. This is not a realistic approach for merchants in today’s fast-paced payment environment who must balance customer convenience against the need for compliance within their organisation. How you integrate and accommodate these technologies will depend on your business, your culture and your revenue models. Compliance-enabling technologies serve as a viable long-term solution to reduce the scope of PCI requirements and impact to your business.

Tokenisation is the process of replacing the PAN with alternative identifiers (or tokens). The card number is first passed through the interchange process via the issuing banks and payment brands as it is today. A token that replaces the card number is then returned to the merchant for use in a more secure manner – and with a reduced scope of PCI exposure. This functionality primarily addresses cardholder data storage as the cardholder number is now replaced with a character string that can be used for processing and data transmission. Thus if a breach did occur, cardholder information would not be vulnerable to exposure.

From an operational aspect, it is important that merchants understand the risk that comes with adopting tokens that closely mirror the actual card number (tokens generated using format-preserving encryption). With this, there is a potential for collision – generating a token that matches an already existing and valid card number. Consequently, tokenisation service providers often use a 40-character string for their tokens. The PCI SSC has just releasd its tokenisation guidelines, which can assist you when determining the right tokenisation provider.

For those merchants interested in tokenisation, it is important to understand that tokenisation generally occurs after authorisation and therefore does not address the initial acceptance process. As a result, online merchants are still in scope for PCI during this part of the transaction process. An effective solution to minimise this exposure is to outsource it to a third-party provider via a hosted pay page (HPP). Alternatively, card-present merchants can significantly reduce PCI scope by investing in a point-to-point encryption (P2PE) solution.

HPP can take the form of either a separate webpage or individual order fields that redirects the customer to a secure site to enter their confidential payment data securely. The page or pages have the same look and feel of the merchants’ own website, but are hosted by a trusted third-party provider. In this scenario, the merchant never stores, processes or transmits cardholder data. HPP coupled with tokenisation can successfully reduce PCI scope at both the acceptance and storage level. It is important that merchants realise they are still technically at risk for PCI exposure should a breach occur, even if they do not ever see a credit card number. As long as credit cards are accepted for the purchase of goods or services, the authorisation and settlement process still enables the potential of a data compromise. It is therefore recommended that merchants using this combination refer to the PCI self-assessment questionnaire A in order to verify their compliance status.

P2PE is a card-present compliance-enabling technology whereby the cardholder data is encrypted from the point at which the transaction is captured to the point that it reaches the acquirer for processing. However, an encrypted PAN is still considered cardholder data under PCI as long as the merchant has access to the decryption keys. P2PE reduces the scope of PCI in the merchant’s environment by meeting all of the following criteria:

  • The cardholder data is encrypted at swipe.
  • Decryption occurs outside the merchant environment.
  • No decryption functionality exists within the merchant environment.

Assuming all these criteria are met and no other cardholder data is stored, processed or transmitted anywhere in the merchant environment, the merchant has then successfully reduced the PCI scope.

Conclusion

While no process or technology can ultimately guarantee compliance, compliance-enabling technologies are excellent tools for reducing a merchant’s PCI DSS compliance scope. In addition to simplifying the difficult task of maintaining compliance over the long term, they also have the potential to reduce the cost and time required to achieve it. No process or technology can guarantee PCI DSS compliance, or remove a merchant’s responsibility for PCI DSS compliance. Merchants should always first evaluate their business processes in light of the PCI DSS requirements and eliminate cardholder data where possible. Once this has been accomplished, these technologies can be implemented as a means of significantly reducing PCI scope and adding another layer of protection to sensitive cardholder data.

12 views

Related reading