PCI Compliance Scope

TokenEx Services

The PCI Security Standards Council publishes standards and supporting materials for protecting payment card data: a framework of specifications, tools, measurements and support resources to help organizations handle cardholder information safely at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for building a payment card data security program, including prevention, detection and appropriate response to security incidents. TokenEx adheres to the requirements set forth by the PCI DSS, and its cloud tokenization platform reduces the scope of a merchant's own PCI DSS assessment. The sections below list each TokenEx acceptance channel with the Self-Assessment Questionnaire (SAQ) a merchant using it may target; final eligibility for any SAQ is determined by the merchant's acquirer and assessor.

TokenEx Service: IFRAME

Targeted PCI Compliance Scope: SAQ-A (Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced)

TokenEx's iFrame solution provides a fully managed card acceptance channel. The form fields of the payment form that accept the PAN and sensitive authentication data (SAD) are delivered to the consumer's browser directly from TokenEx's environment, so the card data is entered into a page element whose origin is TokenEx, not the merchant. Payment card data is stored, processed and transmitted entirely within TokenEx's secure environment, which removes the merchant's network and systems from the cardholder data flow. Merchants using the TokenEx iFrame qualify to use Self-Assessment Questionnaire A to validate PCI compliance. Note that SAQ A does not reduce the merchant's obligations to zero: the merchant remains responsible for the controls SAQ A still requires, in particular the integrity of the web page that embeds the iFrame, since a tampered parent page could redirect or overlay the payment form.

TokenEx Service: P2PE Terminals

Targeted PCI Compliance Scope: NESA (Non-Listed Encryption Solution Assessment)

TokenEx's integration with P2PE payment terminals allows card-present and telephone acceptance channels to be encrypted from the point of interaction (POI) onward. Payment card data is captured and encrypted inside the terminal at the POI, and the merchant never holds the decryption keys, so the merchant's systems and networks carry only ciphertext; this reduces the PCI scope and control requirements that apply to them. TokenEx provides integrations with most payment terminal vendors and models. Because the NESA (Non-Listed Encryption Solution Assessment) process exists for encryption solutions that are not on the PCI SSC's list of validated P2PE solutions, merchants using these terminals may qualify to use it: a P2PE assessor evaluates the encryption solution and documents which PCI DSS requirements remain in scope for the merchant.

TokenEx Service: Data Vaulting with TokenEx’s Virtual Terminal

Targeted PCI Compliance Scope: SAQ-C-VT (Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage)

TokenEx's Virtual Terminal allows merchants to access TokenEx's data vaulting capabilities through a standard web browser. Brick-and-mortar (card-present) or mail/telephone (card-not-present) acceptance channels can tokenize payment card data as it is keyed in, eliminating the need to store payment card data in the merchant environment. TokenEx's Virtual Terminal is provided and fully hosted in a PCI DSS validated environment. Merchants using TokenEx's Virtual Terminal for payment card acceptance may qualify to use Self-Assessment Questionnaire C-VT to validate PCI compliance. SAQ C-VT assumes the card data is entered manually by keyboard on an isolated, dedicated workstation with no attached card reader and no electronic storage of cardholder data; a workstation that swipes or dips cards, or that is used for other purposes, does not meet its eligibility criteria.

TokenEx Service: Browser-Based Encryption

Targeted PCI Compliance Scope: SAQ-A-EP (Partially Outsourced E-commerce Merchants using a Third-party Website for payment Processing)

TokenEx's Browser-based Encryption implementation model allows e-commerce payment card data to be encrypted before it leaves the consumer's browser. The merchant's website never receives unencrypted cardholder data, while the merchant keeps full control over the look, layout and behaviour of the payment form. The merchant's web server is nonetheless still in scope: it serves the page and the script that collect and encrypt the card data, so a compromise of that page could capture data before encryption, and the merchant must secure it accordingly. This is why SAQ A-EP carries considerably more requirements than SAQ A. Merchants using TokenEx's Browser-based Encryption for payment card acceptance may qualify to use Self-Assessment Questionnaire A-EP to validate PCI compliance.

TokenEx Service: Data Vaulting with TokenEx’s API and Batch Tokenization Services

Targeted PCI Compliance Scope: SAQ-C or SAQ-D

TokenEx's Data Vaulting API and file-based Batch Tokenization services give the merchant the ability to integrate tokenization into any environment. Merchants choose when, where and in what format tokenization occurs within the payment flow. Vaulting cardholder data with TokenEx removes stored PAN from the merchant environment, which simplifies the data storage requirements of PCI DSS Requirement 3 and reduces the organization's exposure to a data breach; any system that still handles the PAN before it is tokenized, however, remains in scope. Merchants using TokenEx's Data Vaulting API and Batch Tokenization services may qualify to use Self-Assessment Questionnaire C or D to validate PCI compliance, depending on how their environment touches cardholder data before tokenization.

PCI Requirement Notes When Using TokenEx

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

  • TokenEx does not provide default credentials.
  • All data vaults and API methods can be configured with unique access keys.

Requirement 3: Protect stored cardholder data

  • TokenEx fully manages and secures all vaulted data.
  • TokenEx protects vaulted data with encryption whose keys are held in hardware security modules.
  • Algorithms and key-management schemes used include RSA, AES, 3DES and DUKPT. DUKPT (Derived Unique Key Per Transaction) is a key-derivation scheme used with terminal encryption rather than a cipher in itself, and NIST has deprecated 3DES for new applications.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

  • TokenEx uses TLS and SFTP exclusively for transmission of cardholder data.
  • TokenEx does not accept cardholder data over an unencrypted channel.

Requirement 7: Restrict access to cardholder data by business need to know

  • TokenEx provides API access on a per-method basis, together with IP allow-listing.
  • TokenEx allows clients to separate tokenization and detokenization access controls, so that only authorized systems with a need to know can retrieve data from the vaults; a system that only ever needs to tokenize should hold a credential that cannot detokenize.

Requirement 9: Restrict physical access to cardholder data

  • By removing cardholder data from your environment, the physical-security requirements apply to far fewer of your systems and locations.
  • TokenEx uses top-tier data centers with ISO 27001, HITRUST and PCI certifications and SSAE SOC 1, SOC 2 and SOC 3 reports.

Requirement 10: Track and monitor all access to network resources and cardholder data

  • TokenEx provides logging and usage reporting that records every request into and out of your data vaults, so tokenization and detokenization activity can be tracked per credential.
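The vault-side controls that the Requirement 3, 7 and 10 notes describe, and that the API and Batch Tokenization section relies on, as an added example written for this page rather than TokenEx's own API: a minimal in-memory vault in Python in which a token is a random surrogate with no mathematical relationship to the PAN, tokenize and detokenize are separate per-method permissions bound to an IP allow-list, and every request, allowed or denied, is logged without the full PAN ever appearing in the log. The class and function names, the key IDs, the secrets and the 10.x.x.x networks are constructed for illustration; the PAN is the well-known 4111... test number. Encryption of the stored PAN at rest and HSM key management are outside this example.

```python
"""Constructed illustration of a tokenization vault with split credentials and audit logging.
Not TokenEx's API: names, keys and networks are invented for this example."""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """A credential may not call the requested method from its source IP."""


@dataclass(frozen=True)
class Credential:
    key_id: str
    secret: str
    methods: frozenset        # per-method access: {"tokenize"} or {"detokenize"}
    allowed_networks: tuple   # IP allow-list of ipaddress networks


def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before anything is vaulted."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Only the last four digits are ever written to a log."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class TokenVault:
    credentials: dict = field(default_factory=dict)  # key_id -> Credential
    audit_log: list = field(default_factory=list)    # Requirement 10: every request, allowed or not
    _store: dict = field(default_factory=dict)       # token -> PAN; the only place the PAN lives

    def _authorize(self, key_id, secret, method, source_ip, subject):
        cred = self.credentials.get(key_id)
        allowed = (
            cred is not None
            and hmac.compare_digest(cred.secret, secret)   # constant-time secret comparison
            and method in cred.methods                      # per-method permission
            and any(ipaddress.ip_address(source_ip) in n for n in cred.allowed_networks)
        )
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "key_id": key_id,
            "method": method, "source_ip": source_ip, "subject": subject,
            "result": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise AccessDenied(f"{key_id} may not call {method} from {source_ip}")

    def tokenize(self, key_id, secret, pan, source_ip):
        self._authorize(key_id, secret, "tokenize", source_ip, mask(pan))
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)  # random surrogate; nothing about it derives from the PAN
        self._store[token] = pan
        return token

    def detokenize(self, key_id, secret, token, source_ip):
        self._authorize(key_id, secret, "detokenize", source_ip, token)
        return self._store[token]


TEST_PAN = "4111111111111111"  # constructed input: the standard Visa test number


def build_demo_vault():
    """Two constructed credentials: the web tier may only tokenize, the payment service only detokenize."""
    vault = TokenVault()
    vault.credentials["web-tier"] = Credential(
        "web-tier", "wt-secret", frozenset({"tokenize"}), (ipaddress.ip_network("10.1.0.0/24"),))
    vault.credentials["payment-svc"] = Credential(
        "payment-svc", "ps-secret", frozenset({"detokenize"}), (ipaddress.ip_network("10.2.0.0/24"),))
    return vault


def run_demo():
    vault = build_demo_vault()
    r = {}
    # 1. The web tier swaps the PAN for a token at capture time and keeps only the token.
    r["token"] = vault.tokenize("web-tier", "wt-secret", TEST_PAN, "10.1.0.5")
    # 2. A tokenize-only credential cannot read PANs back, even from an allowed address.
    try:
        vault.detokenize("web-tier", "wt-secret", r["token"], "10.1.0.5")
        r["web_tier_detokenize_denied"] = False
    except AccessDenied:
        r["web_tier_detokenize_denied"] = True
    # 3. The payment service, with its own key from an allow-listed address, gets the PAN.
    r["pan"] = vault.detokenize("payment-svc", "ps-secret", r["token"], "10.2.0.9")
    # 4. The same key used from outside its allow-list is refused.
    try:
        vault.detokenize("payment-svc", "ps-secret", r["token"], "203.0.113.7")
        r["off_network_denied"] = False
    except AccessDenied:
        r["off_network_denied"] = True
    r["audit_log"] = vault.audit_log
    return r


if __name__ == "__main__":
    demo = run_demo()
    print(demo["token"], demo["web_tier_detokenize_denied"], demo["off_network_denied"])
    for entry in demo["audit_log"]:
        print(entry)
```

The point to take from the demo is the split: a compromise of the web tier yields tokens and a credential that can only create more tokens, while the credential that can recover PANs lives on a separately scoped system and is further bound to its network. The audit log records the token or a masked PAN as the subject of each request, never the PAN itself, so the log can be shipped to a SIEM without itself becoming cardholder data.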