Compliance & Certification

Compliance & Certification

Compliance & Certification

Creating Trust with Compliance and Certification

When you partner with TokenEx, you are trusting us with storing and tokenizing some of your most sensitive data. By integrating your business processes with the TokenEx Cloud Security Platform you’re able to purge toxic payment and personal information from your IT systems, greatly lowering the cost of PCI compliance and reducing the risk of data theft. To gain your trust, we want you to understand the compliance and certification processes that TokenEx continuously  undergoes to ensure the security of your data.

But first, a little background on PCI-DSS compliance and why tokenization is an ideal solution to secure your payment data.

PCI Compliance 101

Everything you need to know about the PCI-DSS is well documented on the official PCI Council web site, so we won’t go into those details here. What you need to realize is that those standards are meant to help you increase your payment card data security and decrease risk to your environment. And as we’ve discussed on this web site many times, it’s not a matter of if your organization will be attacked, but when. As long as you have data of value stored on your business systems, you are a target for hackers from anywhere in the world. Your business data is just an internet connection away no matter how many walls of security you build around your organization. Critical mistakes happen. Passwords are too simple or are accidentally exposed. A phishing email attachment is clicked (just once!) and malware is set loose, key loggers installed, and backdoors opened. Zero-day exploits provide unforeseeable hatchways to your servers. Security patches for documented exploits are applied too late. There are thousands of ways into your systems. There is only one way to protect yourself against data theft—get the data out and keep it out.

Complying with the PCI-DSS is an expensive and arduous process depending on how much payment data is stored on how many different systems. The fewer computer systems that have contact with payment data—at rest or in motion—the narrower the scope of PCI compliance. For most organizations, compliance is usually measured by self-assessment questionnaires (SAQ) ranging from 40 to over 326 parameters, or on-site assessments by costly Qualified Security Assessor Companies (QSAC) for Level 1 Merchants and Service Providers. Obviously you want to be in compliance by managing the fewest number of parameters as possible.

When you tokenize and purge your systems of all payment data, and move the capture and tokenization of incoming payment data to the farthest edge of your information infrastructure, you can greatly limit the scope of the compliance parameters. The TokenEx Cloud Security Platform can get you there quickly and efficiently, with very minimal changes to your existing business processes.

TokenEx Compliance and Certification

Now, for the other side of compliance and certification. How do you know your data is safe with TokenEx? We’ve done the work from the design of data centers and software development lifecycle to continuous monitoring and reporting to ensure that our software, networks, and hardware all comply with the security strictest standards, which are documented on this web site.

The key to TokenEx data center security is access control. Most organization’s information systems are populated with internet access points that are used by employees for normal business—email, research, customer service. These are vulnerable to infection by malware, which in turn can take over servers and transmit payment data to the nether-regions of the internet. Even point-of-sale pin pads can be hacked. In the TokenEx Cloud Data Centers, there are no superfluous access points. Network communications are encrypted at all times—within the center and with every customer and payment processor. Firewalls are always active and IP whitelisting keeps unauthorized traffic from ever entering the data center network. There are no assets that could be infected from external sources that have access to the data vaults. The personnel managing the data center are all trained security experts with extensive background checks. It’s an environment designed solely for high-performance security ops and nothing else.

SOC 2 and 3 Certification For People, Processes and Facilities

Attestation of certifications of TokenEx facilities, processes, and procedures are provided by independent service auditors on a regular basis and the reports are available on this web site for your reference. The SOC 2 and 3 (Service Organization Controls) reports examine the controls TokenEx maintains over its physical data centers and logical operations encompassing infrastructure, software, networks, people, automated and manual procedures, and data vaulting. Based on the Trust Services Security, Availability, and Confidentiality Criteria the SOC3 report confirms:

  • Security. The system is protected against unauthorized access (both physical and logical).
  • Availability. The system is available for operation and use as committed or agreed.
  • Processing Integrity. System processing is complete, accurate, timely, and authorized.
  • Confidentiality. Information designated as confidential is protected as committed or agreed.
  • Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA.

The Trust Services Principles and Criteria are organized into four broad categories that are certified under the scope of SOC 2 and 3:

  • Policies. TokenEx has defined and documented its policies relevant to the particular principle.
  • Communications. TokenEx has communicated its defined policies to authorized users.
  • Procedures. TokenEx uses procedures to achieve its objectives in accordance with its defined policies.
  • Monitoring. TokenEx monitors the system and takes action to maintain compliance with its defined policies.

TokenEx Services for PCI Compliance

TokenEx is a PCI Certified Level 1 Service Provider. You can be sure our compliance is up to date by requesting our Attestation of Compliance (AOC) at any time

The services provided by the TokenEx Cloud Security Platform are designed to relieve you of most of the scope of PCI Compliance by:

    • Removing payment data from your business systems and replacing it with tokens.
    • Intercepting payment data before it enters your systems and storing the PANs (Primary Account Numbers) in data vaults, returning tokens to your systems.
    • Swapping tokens from your systems and transmitting PANs to your payment processors and service partners (fraud prevention, marketing analytics).
    • Batch processing PAN files into tokens and securely vaulting the PANs.

Implementing these services enables you to qualify for different levels of PCI Compliance through the SAQs.   

  • TokenEx Hosted Payment Pages. SAQ-A: Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced. Merchants using the Hosted Payment Page may qualify to use Self-Assessment Questionnaire A to validate PCI compliance.
  • P2PE Terminals. SAQ-P2PE-HW: Hardware Payment Terminals in a PCI Listed P2PE Solution Only – No Electronic Cardholder Data Storage. Merchants using P2PE terminals for payment card acceptance may qualify to use Self-Assessment Questionnaire P2PE-HW to validate PCI compliance.
  • Data Vaulting with TokenEx’s API and Batch Tokenization Services: SAQ-C or SAQ-D. Merchants using TokenEx’s Data Vaulting API and Batch Tokenization services may qualify to use Self-Assessment Questionnaire C or D to validate PCI compliance.
  • Data Vaulting with TokenEx’s Virtual Terminal. SAQ-C-VT: Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage. Merchants using TokenEx’s Virtual Terminal for payment card acceptance may qualify to use Self-Assessment Questionnaire C-VT to validate PCI compliance.
  • Browser-Based Encryption. SAQ-A-EP: Partially Outsourced E-commerce Merchants using a Third-party Website for payment Processing. Merchants using TokenEx’s Browser-Based encryption for payment card acceptance may qualify to use Self-Assessment Questionnaire A-EP to validate PCI compliance.

Cloud Security Alliance

TokenEx is also part of the Cloud Security Alliance which manages the CSA Security, Trust & Assurance Registry (STAR), a publicly accessible registry that documents the security controls provided by various cloud computing services. CSA STAR service is based upon the CSA Governance, Risk and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, greater automation, and real time GRC management. TokenEx’s participation in this alliance provides another level of documentation to ensure that your data is safely and securely stored. (Refer to the “About TokenEx” page for information on the creation of our TokenEx Cloud Security Platform and the founders.)

Ask Us How We Can Make Your Organization PCI-Compliant

Our clients depend on TokenEx to provide a complete and customizable tokenization solution for their omni-channel payment streams and PII data. Let us explain how a unified cloud tokenization platform can help your organization secure all types of data. Call us at 1.877.316.4544 or email us to set up an appointment to discuss your specific data security challenges.