In an effort to help merchants both achieve and maintain payment card industry (PCI) compliance, technologies for cardholder data security have become more prevalent. Merchants should view PCI compliance as an ongoing business requirement with continuously evolving needs and mandated changes, not just a one-time, stand-alone IT issue.
There's no quick-fix approach to both achieving and maintaining compliance. It's an ongoing process that begins at the strategic level. Retailers must address both the business side (i.e., process and payment flow) and the appropriate technological counterpart. Compliance-enabling technologies are a good place to start when it comes to the latter.
A compliance-enabling technology is any product or service that assists in reducing the scope of PCI requirements. It is not itself a PCI requirement and it doesn't replace the standards mandated by the PCI Security Standards Council (PCI SSC), but it is a long-term solution that, if implemented correctly, could make compliance both cheaper and easier to maintain. Consider the following examples:
Masking
This refers to the use of replacement data to obscure or replace the primary account number (PAN). The PCI data security standard (DSS) allows retailers to display the first six and the last four digits of a credit card number. With masking, the middle six digits are substituted with a string of replacement characters that can be either random or fixed. Masking is primarily a display technology: the underlying data is still stored, but it cannot be seen. This reduces the scope of PCI exposure by eliminating the display of the full PAN. The unmasked data may still be displayed to other users with a business need to know, and the stored data remains subject to the PCI DSS requirements.
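The following is an added example, not code from the article or from Chase Paymentech, showing the first-six/last-four masking rule in working form. It goes slightly beyond the text: it handles any PAN length from 13 to 19 digits (the article's "middle six" is the 16-digit case), supports both fixed and random replacement characters, includes a check that a display string reveals nothing beyond the permitted digits, and applies the same masking to PAN-shaped digit runs in free text (a log line, for instance). The sample PANs are standard test numbers, not live cards; the helper names are this example's own.

```python
import re
import secrets
from typing import Optional

# Constructed sample PANs (standard test numbers, not live cards): 16, 13 and 19 digits.
SAMPLE_PANS = ["4111111111111111", "4222222222222", "6011111111111111117"]

# A PAN is 13 to 19 digits; in free text the digits may be separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_pan(pan: str, fill: Optional[str] = "X") -> str:
    """Return the display form of a PAN: at most the first six and last four digits are
    revealed and every digit in between is replaced. `fill` is a fixed replacement
    character; pass None to substitute random digits instead (the article allows either)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    hidden = len(digits) - 10  # everything between the first six and the last four
    if fill is None:
        middle = "".join(str(secrets.randbelow(10)) for _ in range(hidden))
    else:
        middle = fill * hidden
    return digits[:6] + middle + digits[-4:]


def is_masked_form(display: str, pan: str) -> bool:
    """True if `display` has the PAN's length, keeps its first six and last four digits,
    and does not reproduce the real middle digits as a whole."""
    digits = re.sub(r"\D", "", pan)
    if len(display) != len(digits):
        return False
    if display[:6] != digits[:6] or display[-4:] != digits[-4:]:
        return False
    # With random-digit fill, single middle positions may coincide by chance;
    # what must never happen is the whole hidden span matching the real PAN.
    return display[6:-4] != digits[6:-4]


def redact_pans(text: str) -> str:
    """Mask every PAN-shaped digit run in free text, e.g. before a line is written to a log.
    Caveat: any 13 to 19 digit number (an order id, say) is treated as a PAN; erring on the
    side of masking is the safe failure for a display or logging path."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    for sample in SAMPLE_PANS:
        print(sample, "->", mask_pan(sample), "/", mask_pan(sample, fill=None))
    print(redact_pans("auth ok for 4111-1111-1111-1111 amount 12.50"))
```

Note that masking is applied at the point of display or output only; the stored PAN is untouched, which is exactly why the article says the stored data stays in scope.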
Virtual Terminal
With this technology, cardholder data is captured and stored at a third-party location via an authenticated website over an SSL-encrypted communication link. Ideal for card-not-present and e-commerce environments, virtual terminal solutions are used for call centers and customer self-service. They can also integrate with point-of-sale terminals and magnetic stripe readers to support card-present payment options.
Ultimately, there's only one solution when it comes to completely eliminating the scope of PCI compliance — stop accepting credit cards altogether. This isn't a realistic approach for retailers in today's payment environment who must balance customer convenience against the need for compliance within their organization. How you integrate and accommodate these technologies will depend on your business, your culture and your revenue models. Compliance-enabling technologies serve as a viable long-term solution to reduce the scope of PCI requirements and impact to your business.
Tokenization
This is the process of replacing a PAN with an alternative identifier (i.e., a token). The card number is first passed through the interchange process via the issuing bank and payment brand, as it is today. A token that replaces the card number is then returned to the merchant for use in a more secure manner with a reduced scope of PCI exposure. This functionality primarily addresses cardholder data storage, as the card number is replaced with a character string that can be used for processing and data transmission. Thus, if the merchant's stored data were breached, the cardholder information would not be exposed.
From an operational aspect, it's important that merchants understand the risks that come with adopting tokens that closely mirror an actual card number (tokens generated using format-preserving encryption). With this, there's a potential for collision — generating a token that matches an already existing and valid card number. Consequently, tokenization service providers, including Chase Paymentech, often use a 40-character string for their tokens. The PCI SSC has just released its tokenization guidelines, which can assist you when determining the right tokenization provider.
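The following is an added example, not code from the article or from any tokenization provider, illustrating the two points above: tokens are issued after the PAN has gone through the provider, and a token that does not look like a card number cannot collide with one. The `TokenVault` class is a hypothetical in-memory stand-in for the provider's vault (in practice the vault lives outside the merchant environment); it issues 40-character mixed-alphabet tokens of the kind the article mentions, returns the same token for a repeat PAN so recurring billing works from the token alone, and restricts detokenization to the settlement path. `is_pan_shaped` is the check a merchant's data-discovery scan could apply: a format-preserving, all-digit token fails to be distinguishable from a live PAN, which is the collision concern the article raises. The sample PAN is a standard test number.

```python
import re
import secrets
import string

TOKEN_LENGTH = 40  # the article notes providers such as Chase Paymentech issue 40-character tokens
TOKEN_ALPHABET = string.ascii_letters + string.digits
PAN_SHAPE = re.compile(r"^\d{13,19}$")


def is_pan_shaped(value: str) -> bool:
    """A value of 13 to 19 bare digits has the shape of a card number. A token that passes
    this check (a format-preserving one) can be mistaken for, or collide with, a live PAN."""
    return bool(PAN_SHAPE.match(value))


class TokenVault:
    """Hypothetical in-memory vault standing in for a tokenization service provider.
    Only the vault holds PANs; the merchant's own systems keep the returned tokens."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token after the authorization has gone through the provider.
        The same PAN always maps to the same token so the merchant can bill from the token."""
        digits = re.sub(r"\D", "", pan)
        if not is_pan_shaped(digits):
            raise ValueError("not a PAN")
        existing = self._token_by_pan.get(digits)
        if existing is not None:
            return existing
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            # A 40-character mixed-alphabet token never has the shape of a card number,
            # so it cannot collide with a live PAN; the loop only rules out a duplicate
            # token inside this vault, which is astronomically unlikely anyway.
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the settlement/processing path may recover a PAN. Keeping that capability
        solely inside the vault is what keeps the merchant's other systems out of scope."""
        if caller != "settlement":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant persists once authorization has completed: the token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111 1111 1111 1111", 12.50)
    print(order)
    print("token looks like a PAN:", is_pan_shaped(order["token"]))
    print("FPE-style token looks like a PAN:", is_pan_shaped("4111119876541111"))
    print(vault.detokenize(order["token"], "settlement"))
```

Note the boundary this leaves untouched: the PAN still has to reach the vault once, during acceptance, which is why the article goes on to say that tokenization alone does not take the initial acceptance step out of scope.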
For those merchants interested in tokenization, it's important to understand that tokenization generally occurs after authorization and therefore doesn't address the initial acceptance process. As a result, online retailers are still in scope for PCI during this part of the transaction process. An effective solution to minimize this exposure is to outsource it to a third-party provider via a hosted pay page (HPP). Alternatively, card-present merchants can significantly reduce PCI scope by investing in a point-to-point encryption solution.
Hosted Pay Page
This can take the form of either a separate web page or individual order fields that redirect customers to a secure site to enter their confidential payment data. The page or pages have the same look and feel as the merchant's own website, but are hosted by a trusted third-party provider. In this scenario, the merchant never processes or transmits cardholder data. An HPP coupled with tokenization can successfully reduce PCI scope at both the acceptance and storage level.
It's important that merchants realize they're still technically at risk for PCI exposure should a breach occur, even if they don't ever see a credit card number. As long as credit cards are accepted for the purchase of goods or services, the authorization and settlement process still enables the potential of a data compromise. It's recommended that merchants using this combination refer to the PCI self-assessment questionnaire in order to verify their compliance status.
Point-to-Point Encryption (P2PE)
This is a card-present compliance-enabling technology whereby the cardholder data is encrypted from the point at which the transaction is captured to the point that it reaches the acquirer for processing. However, an encrypted PAN is still considered cardholder data under PCI as long as the merchant has access to the decryption keys. P2PE reduces the scope of PCI in the merchant's environment by meeting all of the following criteria:
- the cardholder data is encrypted at swipe;
- decryption occurs outside the merchant environment; and
- no decryption functionality exists within the merchant environment.
Assuming all these criteria are met and no other cardholder data is stored, processed or transmitted anywhere in the merchant environment, the merchant has then successfully reduced the PCI scope.
While no process or technology can ultimately guarantee compliance, compliance-enabling technologies are excellent tools for reducing your PCI DSS compliance scope. In addition to simplifying the difficult task of maintaining compliance over the long term, they also have the potential to reduce the cost and time required to achieve it.
No process or technology can guarantee PCI DSS compliance or remove a retailer's responsibility for PCI DSS compliance. Always evaluate your business processes in light of the PCI DSS requirements and eliminate cardholder data when possible. Once this has been accomplished, these technologies can be implemented as a means of significantly reducing PCI scope and adding another layer of protection to sensitive cardholder data.
David Wallace is group manager for Chase Paymentech's merchant compliance team.