Limiting Your PCI Scope
Every business that handles the financial data of their customers is looking for ways to limit their PCI scope.
Doing so minimizes the cost, effort and risk that comes with PCI compliance. After all, the less payment information that your organisation holds, the less you’ll have to convince your Qualified Security Assessor (QSA) or acquiring bank that you’re doing everything you should be to protect that precious data.
This is where tokenization comes in.
What is Tokenization?
Tokenization is the process of swapping highly-sensitive personal payment data for a ‘token’, which comprises a number of random digits that cannot be restored back to their original value.
It works in the following ways:
- A customer pays for your merchandise on a POS machine using their credit card.
- The Personal Account Number (PAN) contained on the credit card is swapped for a ‘token’ of arbitrary characters after transmittal to the payments processor. There the PAN is replaced with the arbitrary characters and the correlating PAN is retained with it. So for instance, the 16-digit number on the front of the credit card which could be 1234-5678-9123-4567 would be replaced by a random code dsa2-rgv4-3564-f484.
- The token is then transmitted back to the merchant and used to represent the customer (so dsa2-rgv4-3564-f484 = Richard Davies) on the company’s network. Colleagues at the company can process information about the user without being able to view the PAN in the clear.
- For settlement, the token is sent to your payment processor where the same technology is then used to decrypt the token back into its initial form and process payment.
This all means your company does not store or transmit cardholder data (CHD) in the clear and the responsibility for securing the CHD lies with the payments processor. You can even retain the token for recurring payments or for your customers who choose to retain their CHD on file with you.
And because the token has been created by the payments processor tailored to your specifications, it cannot be utilized to initiate payment with another retailer—keeping your customers’ data even safer.
How can tokenization be used to reduce PCI scope?
Tokenization eliminates electronic CHD from being stored in your environment. This means you do not need to focus as much on the storage and retention of your customers’ CHD; however, keep in mind you still need to review and assess how it is transmitted and processed.
It means that no shop workers, sales staff or third parties ever have to deal with payment information—and so you don’t have to safeguard them or think about the consequences of financial data going rogue.
Of course, of critical importance will be ensuring the payment processors you use are water-tight. Make sure they are compliant with the PCI DSS, require they permit you to visit their facilities and meet with their staff who manage the tokenization function to fully explain to you how it works. This is your customers’ CHD and while your scope has been reduced significantly by using tokenization, it is still your responsibility to ensure the vendor you choose to use is sufficiently safeguarding it all.
This post was contributed by Georgina Park on behalf of Maytech, a company with expertise in multi-platform secure file sharing to help businesses across the world send and receive files simply and effectively with secure data transfer.