Everything you need to know about the PCI-DSS is well documented on the official PCI Council web site, so we won’t go into those details here. What you need to realize is that the standard exists to raise the security of your payment card data and lower the risk to your environment. And as we’ve discussed on this web site many times, it’s not a matter of if your organization will be attacked, but when. As long as data of value is stored on your business systems, you are a target for attackers anywhere in the world. Your business data is just an internet connection away no matter how many walls of security you build around your organization. Critical mistakes happen. Passwords are too simple or are accidentally exposed. A phishing attachment is opened (just once!) and malware is set loose, keyloggers are installed, and backdoors are opened. Zero-day exploits provide unforeseeable entry points to your servers. Patches for publicly known vulnerabilities are applied too late. There are thousands of ways into your systems. The most reliable protection against data theft is to get the data out of your systems and keep it out: an attacker cannot steal payment data from a server that never holds it.
Complying with the PCI-DSS is an expensive and arduous process whose cost depends on how much payment data is stored on how many different systems. The fewer computer systems that have contact with payment data, at rest or in transit, the narrower the scope of PCI compliance. For most organizations, compliance is demonstrated with a self-assessment questionnaire (SAQ), ranging from about two dozen questions for SAQ A to well over 300 for SAQ D, or, for Level 1 merchants and service providers, with a costly on-site assessment by a Qualified Security Assessor (QSA) company. Obviously you want to reach compliance while having to manage the fewest requirements possible.
When you tokenize and purge your systems of all payment data, and move the capture and tokenization of incoming payment data to the farthest edge of your information infrastructure, you greatly limit the scope of compliance: your internal applications, databases and backups hold only tokens, which are useless to a thief, while the cardholder data itself lives solely in the tokenization vault. The TokenEx Cloud Security Platform can get you there quickly and efficiently, with very minimal changes to your existing business processes.
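To make the scope-reduction argument concrete, here is an added example (not TokenEx code, and not a description of the TokenEx platform's internals) of the pattern in miniature: an in-memory vault is the only component that ever sees a primary account number (PAN); everything else stores a random token. The class names, the `payment-gateway` caller allow-list, the Luhn-invalid token format and the use of a well-known test card number are all assumptions made for illustration. Tokens are drawn at random rather than derived from the PAN by hashing or encryption, so a stolen token database contains nothing that can be reversed; they keep the PAN's length and last four digits so existing "card ending in …" displays and database column sizes need no change.

```python
"""Minimal tokenization vault: the only system that ever sees a PAN.

Added example, not TokenEx code. Everything here (class names, the
caller allow-list, the Luhn-invalid token format) is an assumption made
for illustration; a production vault would also need HSM-backed
storage, audit logging and network isolation.
"""
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the vault at the edge of the infrastructure."""

    # Hypothetical: only the component that talks to the processor may detokenize.
    AUTHORIZED_DETOKENIZERS = frozenset({"payment-gateway"})

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN (the only copy of cardholder data)
        self._token_by_pan = {}   # PAN -> token, so the same card maps to one token

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting one if this PAN is new.

        The token is random, not a hash or encryption of the PAN, so holding
        tokens gives an attacker nothing to reverse. It keeps the PAN's length
        and last four digits so downstream code keeps working unchanged.
        """
        pan = pan.replace(" ", "")
        if not luhn_valid(pan) or not 12 <= len(pan) <= 19:
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:        # same card -> same token (recurring billing)
            return self._token_by_pan[pan]
        last4 = pan[-4:]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + last4
            # Reject collisions, and reject Luhn-valid tokens so a token can
            # never be mistaken for (or accidentally used as) a real PAN.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Swap a token back for the PAN; only the processor-facing caller may."""
        if caller not in self.AUTHORIZED_DETOKENIZERS:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def create_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What an application outside PCI scope stores: a token, never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input: a well-known Visa test number, not a real card.
    order = create_order(vault, "4111 1111 1111 1111", 1999)
    print(order)                                    # no PAN anywhere in this record
    print(vault.detokenize(order["card_token"], caller="payment-gateway"))
```

The point a practitioner should take from this is the data flow, not the code: the order record, the database it lands in, the backups, the reporting systems and the support staff who read it are all outside the scope of the questionnaire because none of them can turn a token back into a card number. Only the vault and the single processor-facing component allowed to call `detokenize` remain in scope.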
Now, for the other side of compliance and certification. How do you know your data is safe with TokenEx? We’ve done the work, from the design of our data centers and our software development lifecycle to continuous monitoring and reporting, to ensure that our software, networks, and hardware all comply with the strictest security standards, which are documented on this web site.
The key to TokenEx data center security is access control. Most organizations’ information systems are full of internet access points that employees use for normal business: email, research, customer service. These are vulnerable to infection by malware, which can in turn take over servers and transmit payment data to the far corners of the internet. Even point-of-sale PIN pads can be compromised. In the TokenEx Cloud Data Centers there are no superfluous access points. Network communications are encrypted at all times, both within the center and with every customer and payment processor. Firewalls are always active, and IP whitelisting keeps unauthorized traffic from ever entering the data center network. No asset that can be reached from external sources has access to the data vaults. The personnel managing the data center are all trained security experts who have passed extensive background checks. It’s an environment designed solely for high-performance security operations and nothing else.