Compliance & Certification

Creating Trust with Compliance and Certification

When you partner with TokenEx, you are trusting us to store and tokenize some of your most sensitive data. By integrating your business processes with the TokenEx Cloud Security Platform, you can purge toxic payment and personal information from your IT systems, greatly lowering the cost of PCI compliance and reducing the risk of data theft. To earn that trust, we want you to understand the compliance and certification processes that TokenEx continuously undergoes to ensure the security of your data.

Now, for the other side of compliance and certification: how do you know your data is safe with TokenEx? We have done the work, from the design of our data centers and our software development lifecycle to continuous monitoring and reporting, to ensure that our software, networks, and hardware all comply with the strictest security standards, which are documented on this web site.

The key to TokenEx data center security is access control. Most organizations' information systems are populated with internet access points that employees use for normal business—email, research, customer service. These are vulnerable to infection by malware, which in turn can take over servers and transmit payment data to the nether-regions of the internet. Even point-of-sale PIN pads can be hacked. In the TokenEx Cloud Data Centers, there are no superfluous access points. Network communications are encrypted at all times—within the center and with every customer and payment processor. Firewalls are always active, and IP whitelisting keeps unauthorized traffic from ever entering the data center network. No asset that could be infected from an external source has access to the data vaults. The personnel managing the data center are all trained security experts with extensive background checks. It is an environment designed solely for high-performance security operations and nothing else.

PCI Compliance 101

Everything you need to know about the PCI-DSS is well documented on the official PCI Council web site, so we won’t go into those details here. What you need to realize is that those standards are meant to help you increase your payment card data security and decrease risk to your environment. And as we’ve discussed on this web site many times, it’s not a matter of if your organization will be attacked, but when. As long as you have data of value stored on your business systems, you are a target for hackers from anywhere in the world. Your business data is just an internet connection away no matter how many walls of security you build around your organization. Critical mistakes happen. Passwords are too simple or are accidentally exposed. A phishing email attachment is clicked (just once!) and malware is set loose, key loggers installed, and backdoors opened. Zero-day exploits provide unforeseeable hatchways to your servers. Security patches for documented exploits are applied too late. There are thousands of ways into your systems. There is only one way to protect yourself against data theft—get the data out and keep it out.

Complying with the PCI-DSS is an expensive and arduous process, and the cost depends on how much payment data is stored on how many different systems. The fewer computer systems that have contact with payment data—at rest or in motion—the narrower the scope of PCI compliance. For most organizations, compliance is measured by self-assessment questionnaires (SAQs) ranging from 40 to over 326 parameters, or by on-site assessments from costly Qualified Security Assessor Companies (QSACs) for Level 1 Merchants and Service Providers. Obviously you want to reach compliance by managing the fewest parameters possible.

When you tokenize and purge your systems of all payment data, and move the capture and tokenization of incoming payment data to the farthest edge of your information infrastructure, you can greatly limit the scope of the compliance parameters. The TokenEx Cloud Security Platform can get you there quickly and efficiently, with very minimal changes to your existing business processes.

TokenEx Services for PCI Compliance

TokenEx is a PCI Certified Level 1 Service Provider. You can be sure our compliance is up to date by requesting our Attestation of Compliance (AOC) at any time.

The services provided by the TokenEx Cloud Security Platform are designed to relieve you of most of the scope of PCI Compliance by:

  • Removing payment data from your business systems and replacing it with tokens.
  • Intercepting payment data before it enters your systems and storing the PANs (Primary Account Numbers) in data vaults, returning tokens to your systems.
  • Swapping tokens from your systems and transmitting PANs to your payment processors and service partners (fraud prevention, marketing analytics).
  • Batch processing PAN files into tokens and securely vaulting the PANs.

Implementing these services enables you to qualify for different levels of PCI Compliance through the SAQs:

  • TokenEx Hosted Payment Pages. SAQ-A: Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced. Merchants using the Hosted Payment Page may qualify to use Self-Assessment Questionnaire A to validate PCI compliance.
  • P2PE Terminals. SAQ-P2PE-HW: Hardware Payment Terminals in a PCI Listed P2PE Solution Only – No Electronic Cardholder Data Storage. Merchants using P2PE terminals for payment card acceptance may qualify to use Self-Assessment Questionnaire P2PE-HW to validate PCI compliance.
  • Data Vaulting with TokenEx's API and Batch Tokenization Services. SAQ-C or SAQ-D: Merchants using TokenEx's Data Vaulting API and Batch Tokenization services may qualify to use Self-Assessment Questionnaire C or D to validate PCI compliance.
  • Data Vaulting with TokenEx's Virtual Terminal. SAQ-C-VT: Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage. Merchants using TokenEx's Virtual Terminal for payment card acceptance may qualify to use Self-Assessment Questionnaire C-VT to validate PCI compliance.
  • Browser-Based Encryption. SAQ-A-EP: Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing. Merchants using TokenEx's Browser-Based Encryption for payment card acceptance may qualify to use Self-Assessment Questionnaire A-EP to validate PCI compliance.
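The scope-reduction argument above rests on one mechanism: the business system keeps a token, the vault keeps the PAN, and only the vault-to-processor path ever swaps one back for the other. The Python below is an added illustration written for this page, not TokenEx code; the names `TokenVault`, `scan_for_pans` and `batch_tokenize`, the token format, and the in-memory dictionary standing in for the vault are all assumptions of the example. It tokenizes a constructed batch file of well-known test card numbers, then runs a Luhn-based PAN scan over the records before and after, which is the kind of check an assessor uses to confirm that no cardholder data remains in a de-scoped system.

```python
"""Added example (not TokenEx code): a toy tokenization vault showing how
replacing PANs with tokens removes cardholder data from business systems.
The class and function names and the dict-backed vault are assumptions of
this example; a production vault lives in a separately secured environment
and is never co-located with the systems it de-scopes."""
import re
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """True if `digits` passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to PANs. Only this object ever holds the real PAN."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # makes tokenization idempotent per PAN

    def tokenize(self, pan: str) -> str:
        """Vault the PAN and return a token the caller stores in its place."""
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        for _ in range(100):
            # Keep the last four digits (receipts, customer service), randomize
            # the rest, and reject any candidate that passes Luhn so a token can
            # never be mistaken for, or replayed as, a card number.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token
        raise RuntimeError("could not generate a unique token")

    def detokenize(self, token: str) -> str:
        """Swap a token back to its PAN (only the vault-to-processor path does this)."""
        return self._token_to_pan[token]

    def batch_tokenize(self, lines):
        """Tokenize a batch file of 'order_id,pan' lines; returns 'order_id,token' lines."""
        out = []
        for line in lines:
            order_id, pan = line.strip().split(",")
            out.append(f"{order_id},{self.tokenize(pan)}")
        return out


PAN_PATTERN = re.compile(r"\d{13,19}")


def scan_for_pans(text: str):
    """Return Luhn-valid 13-19 digit runs in `text`: what a PCI scope scan looks for."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_valid(m)]


# Constructed sample batch: industry test card numbers, not real accounts.
SAMPLE_BATCH = [
    "order-1001,4111111111111111",
    "order-1002,5555555555554444",
    "order-1003,4111111111111111",  # repeat PAN -> same token
]


def demo():
    """Tokenize the sample batch and scan the records before and after."""
    vault = TokenVault()
    before = "\n".join(SAMPLE_BATCH)
    after = "\n".join(vault.batch_tokenize(SAMPLE_BATCH))
    return {
        "pans_before": scan_for_pans(before),
        "pans_after": scan_for_pans(after),
        "tokenized": after.splitlines(),
    }


if __name__ == "__main__":
    result = demo()
    print("PANs found before tokenization:", len(result["pans_before"]))
    print("PANs found after tokenization:", len(result["pans_after"]))
    for line in result["tokenized"]:
        print(line)
```

Two design choices in the example carry over to real deployments: a token is deliberately not a valid card number (it keeps the last four digits for display but fails the Luhn check), so a leaked token cannot be charged or confused with a PAN by a scanner; and the same PAN always yields the same token, so the business system can still match repeat customers and run analytics on tokens without ever holding the underlying account number.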

Ask Us How We Can Make Your Organization PCI-Compliant

Our clients depend on TokenEx to provide a complete and customizable tokenization solution for their omni-channel payment streams and PII data. Let us explain how a unified cloud tokenization platform can help your organization secure all types of data. Call us at 1.877.316.4544 or email us to set up an appointment to discuss your specific data security challenges.

SOC 2 and 3 Certification For People, Processes and Facilities

Attestations of certification for TokenEx facilities, processes, and procedures are provided by independent service auditors on a regular basis. The SOC 2 and 3 (Service Organization Controls) reports examine the controls TokenEx maintains over its physical data centers and logical operations, encompassing infrastructure, software, networks, people, automated and manual procedures, and data vaulting. Based on the Trust Services Security, Availability, and Confidentiality Criteria, the SOC 3 report confirms:

  • Security. The system is protected against unauthorized access (both physical and logical).
  • Availability. The system is available for operation and use as committed or agreed.
  • Processing Integrity. System processing is complete, accurate, timely, and authorized.
  • Confidentiality. Information designated as confidential is protected as committed or agreed.
  • Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA.

The Trust Services Principles and Criteria are organized into four broad categories that are certified under the scope of SOC 2 and 3:

  • Policies. TokenEx has defined and documented its policies relevant to the particular principle.
  • Communications. TokenEx has communicated its defined policies to authorized users.
  • Procedures. TokenEx uses procedures to achieve its objectives in accordance with its defined policies.
  • Monitoring. TokenEx monitors the system and takes action to maintain compliance with its defined policies.

Global Data Protection Regulation

The Global Data Protection Regulation (GDPR) is legislation passed by the EU (European Union) to help fortify and amalgamate data protection for all individuals within the EU, Great Britain, and a few other European countries. GDPR replaces the Data Protection Directive 95/46/EC. The goal of the regulation is to protect the Personally Identifiable Information (PII) of all EU citizens by regulating how their PII is shared, stored, and managed. It also addresses the export of PII outside of the EU. Moreover, it is designed to standardize data privacy laws across the EU with the main goal to "protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy." With the ever-growing threat of cybercriminals focusing their efforts on stealing PII, the GDPR is important and impactful legislation for data protection and privacy.

TokenEx will be compliant with the GDPR in 2018 when it takes full effect. The TokenEx Cloud Tokenization and Data Vaulting Platform is used by clients worldwide, including clients in the vast majority of EU nations, to secure and protect PCI and PII data sets. TokenEx's tokenization process is a well-recognized and accepted form of pseudonymization, making compliance with the privacy requirements of GDPR more certain, less costly, and much simpler. Tokenization is an advanced form of pseudonymization that has been used for over a decade to protect the private data of TokenEx clients worldwide without a single breach or exposure.

Cloud Security Alliance

TokenEx is also part of the Cloud Security Alliance, which manages the CSA Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing services. The CSA STAR service is based upon the CSA Governance, Risk and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, greater automation, and real-time GRC management. TokenEx's participation in this alliance provides another level of documentation to ensure that your data is safely and securely stored. (Refer to the "About TokenEx" page for information on the creation of our TokenEx Cloud Security Platform and the founders.)

Privacy Shield and Safe Harbor – United States

TokenEx complies with both the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information to and from the European Union, the United States, the member countries, and Switzerland, as applicable to each framework. TokenEx has certified to the Department of Commerce that it adheres to both the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles, the Privacy Shield Principles or the U.S.-Swiss Safe Harbor Principles, as applicable, shall govern. The Federal Trade Commission has jurisdiction over TokenEx’s compliance with the EU-U.S. Privacy Shield Framework.

To learn more about the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles, and to view TokenEx's certification for both, visit https://www.privacyshield.gov/ and http://www.export.gov/safeharbor/, respectively.

Office of the Australian Information Commissioner – Australia

The Privacy Act 1988 (Privacy Act) regulates how personal information is collected, stored, and transmitted in Australia and the Australian Capital Territory. The Privacy Act defines personal information as "information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable." Common examples are an individual's name, signature, address, telephone number, date of birth, medical records, bank account details, and commentary or opinion about a person. In addition to the Australian Privacy Principles (APPs), the Privacy Act also covers more specific matters with which entities, including some small businesses, may be required to comply.

The Privacy Act includes thirteen Australian Privacy Principles (APPs), which apply to some private sector organizations, as well as most Australian and Norfolk Island Government agencies. These are collectively referred to as “APP entities”. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.

TokenEx is fully compliant with the Office of the Australian Information Commissioner's regulations for data privacy and reporting.

Australian Privacy Principles — A Summary for APP Entities: Privacy Act 1988

Privacy Shield – Safe Harbor

TokenEx complies with both the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information to and from the European Union, the United States, the member countries and Switzerland, as applicable to each framework. TokenEx has certified to the Department of Commerce that it adheres to both the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles, the Privacy Shield Principles or the U.S.-Swiss Safe Harbor Principles, as applicable, shall govern. To learn more about the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles, and to view TokenEx’s certification for both, please visit https://www.privacyshield.gov/ and http://www.export.gov/safeharbor/, respectively. The Federal Trade Commission has jurisdiction over TokenEx’s compliance with the EU-U.S. Privacy Shield Framework.

International Association of Privacy Professionals

Data powers the information economy. And the risks associated with it continue to skyrocket. Data breach, identity theft, loss of customer trust—these are the threats to organizations of all sizes, in all sectors, in today’s marketplace. The International Association of Privacy Professionals (IAPP) is a resource for professionals who want to develop and advance their careers by helping their organizations successfully manage these risks and protect their data.

TokenEx is a proud member of the International Association of Privacy Professionals. The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support, and improve the privacy profession globally.
