5 Takeaways from PCI Europe Community Meeting
1. QSAs underestimate the PCI DSS scope reduction provided by cloud-based tokenization.
While familiar with tokenization as an on-premise solution or as a service provided by payment processors, many of the QSAs we spoke with during the PCI Europe Community Meeting were unaware of the range of use cases for cloud-based tokenization and of the PCI DSS scope reduction that follows from it: a system that stores only tokens never holds the PAN, so it can drop out of the cardholder data environment. Tokenizing every acceptance channel (omnichannel tokenization) was a surprisingly foreign concept to most assessors, nearly all of whom expressed an appreciation for the functionality provided by the TokenEx iFrame, batch processing capabilities, REST-based API, P2PE support for card-present environments, call center solutions, and our Transparent Gateway.
2. Trepidation about cloud security and performance lingers
Any organization promising to secure sensitive data in a cloud data vault should be challenged on security, latency, and availability: ask for its attestations (PCI DSS Level 1 service provider status, third-party audit reports), its measured latency and uptime figures, and the tenancy model on offer. Cloud-based vendors often fail to provide security qualifications, performance metrics, and tenancy options comparable to those of TokenEx. We welcome questions about the reliability, scalability, and security of our platform, all of which typically exceed what our customers' own environments achieve.
3. However, there is a high level of openness and curiosity about new solutions
Finding solutions that help clients with legacy systems achieve PCI compliance is a goal shared by almost all QSAs. Bespoke, customizable data protection solutions like those provided by TokenEx continue to deliver greater value and scope reduction than encryption alone or on-premise tokenization: encrypted cardholder data is still cardholder data and stays in scope wherever the keys are reachable, and an on-premise token vault keeps the PAN inside the merchant's environment. Our payment-processor-agnostic platform, with its ability to tokenize any data set via a variety of token schemes, is a valuable tool for assessors looking for ways to help their clients meet their compliance objectives.
4. Continuing focus on EMV
With mobile, wearable, and other CNP payment transaction models continuing to gain traction, it's clear that the card-present requirement of the EMV model has limited reach. While the technology has done a great deal to reduce counterfeit fraud in card-present transactions since its deployment in 2013, it is clearly not a universal solution for securing all payment channels, and it does nothing for card-not-present fraud. Even in card-present situations, tokenization combined with a strong P2PE solution can accept EMV cardholder data while protecting it both in motion and at rest, and can retain it for future use without the merchant ever storing the PAN. As an industry, we need to be looking farther down the road than EMV for payment and authentication solutions.
5. Most organizations taking a wait-and-see approach to privacy regulations
GDPR has now been in effect for five months, but most organizations are currently monitoring enforcement actions rather than implementing solutions to protect the personal data in their environments. However, with the recent passage of privacy laws in Brazil and California, it's clear that the mandates to protect personal data are only increasing. Many of these laws provide incentives to pseudonymize or de-identify personal data. Pseudonymization, replacing sensitive data with a pseudonym that can only be resolved with separately held information, is in practice the same mechanism as tokenization, replacing sensitive data with a token that can only be resolved through the vault. One caveat: under GDPR, pseudonymized data is still personal data, so tokenization reduces risk and exposure but does not remove the data from the regulation's reach. Tokenization is a mature technology within the payment card industry, and if you're utilizing a robust and flexible tokenization provider to secure your payment card data, that same provider can help you protect the personal data in your care.
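To make concrete what "replacing sensitive data with a token" means for both the PCI scope reduction discussed in the first takeaway and the pseudonymization discussed here, the following is an added illustration written for this post; it is not TokenEx's code and does not describe the TokenEx platform. It implements a toy vault-based tokenizer with two assumed token schemes (`pan_last4`, a format-preserving scheme that keeps the last four digits, and `opaque`, for arbitrary personal data such as an email address); the class, method and scheme names are assumptions. The security-relevant property it demonstrates is that tokens are random rather than derived from the original value, so nothing about the PAN or the email can be recovered from a token without access to the vault, and a `pan_last4` token is deliberately generated to fail the Luhn check so it can never be mistaken for a live card number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault-based tokenizer (illustration only, not a production design).

    Tokens carry no information about the value they replace; the only way
    back is the mapping held inside the vault. Systems that store only tokens
    never hold the PAN or the personal data, which is what takes them out of
    scope. The vault itself is therefore the one component that must be
    hardened and audited.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}   # token -> original value (the sensitive mapping)
        self._by_index = {}   # HMAC(value) -> token, so repeat lookups need no plaintext list

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, value: str, scheme: str) -> str:
        if scheme == "pan_last4":
            if not (value.isdigit() and 13 <= len(value) <= 19):
                raise ValueError("pan_last4 scheme expects a numeric PAN")
            while True:
                head = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
                candidate = head + value[-4:]
                # Keep only candidates that fail Luhn: a token must never look like a live PAN.
                if candidate != value and not luhn_valid(candidate):
                    return candidate
        if scheme == "opaque":
            return "tok_" + secrets.token_urlsafe(18)
        raise ValueError(f"unknown scheme {scheme}")

    def tokenize(self, value: str, scheme: str = "opaque") -> str:
        """Return the existing token for value, or mint a fresh random one."""
        idx = self._index(value)
        if idx in self._by_index:
            return self._by_index[idx]
        token = self._new_token(value, scheme)
        while token in self._by_token:          # guard against the rare collision
            token = self._new_token(value, scheme)
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can resolve a token; callers outside it see tokens only."""
        return self._by_token[token]


def demo():
    # Constructed sample inputs: a well-known test PAN and a fictitious email address.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"
    pan_token = vault.tokenize(pan, scheme="pan_last4")
    email_token = vault.tokenize("alice@example.com")
    return {
        "pan_token": pan_token,
        "pan_token_passes_luhn": luhn_valid(pan_token),
        "email_token": email_token,
        "round_trip_ok": vault.detokenize(pan_token) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The `pan_last4` scheme keeps the last four digits because PCI DSS permits them to be displayed and merchants rely on them for customer service, which is the same trade-off real format-preserving token schemes make; everything else in the token is random. And because the token is random rather than an encryption of the PAN, there is no key whose compromise exposes the data outside the vault: access control on the vault, not key management at the merchant, is the control an assessor has to evaluate.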