PCI Compliance Scope
The PCI Security Standards Council publishes standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations handle cardholder information safely at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a payment card data security process, including prevention, detection and appropriate reaction to security incidents. TokenEx adheres to the requirements set forth by the PCI DSS, and our cloud tokenization platform reduces the PCI DSS scope of your environment.
Targeted PCI Compliance Scope: SAQ-A (Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced)
TokenEx’s Hosted Payment Page integration model provides a fully managed card acceptance channel. All payment pages are delivered to the consumer’s browser directly from TokenEx. Payment card data is stored, processed, and transmitted entirely within TokenEx’s secure environment, which removes your network and systems from the bulk of PCI DSS scope; SAQ A still carries a small set of requirements that the merchant must meet itself. Merchants using the Hosted Payment Page may qualify to use Self-Assessment Questionnaire A to validate PCI compliance.
Targeted PCI Compliance Scope: NESA (Non-Listed Encryption Solution Assessment)
TokenEx’s integration with P2PE payment terminals allows card-present and telephone acceptance channels to be encrypted from the point of interaction (POI) through to TokenEx, where decryption takes place. Payment card data is captured and encrypted at the POI. In this deployment model merchants never hold clear-text card data or the decryption keys, which reduces the PCI scope and control requirements of their systems and networks. TokenEx provides integrations with most payment terminal vendors and models. Because this is not a PCI-listed P2PE solution, merchants using these terminals may qualify for scope reduction through the NESA (Non-Listed Encryption Solution Assessment) process, subject to their acquirer accepting the NESA report.
Targeted PCI Compliance Scope: SAQ-C-VT (Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage)
TokenEx’s Virtual Terminal allows merchants to access TokenEx’s data vaulting capabilities through a standard web browser. Brick-and-mortar (card-present) or mail/telephone (card-not-present) acceptance channels can tokenize payment card data as it is captured, eliminating the need to store payment card data. TokenEx’s Virtual Terminal is fully hosted in a PCI DSS validated environment. Merchants using TokenEx’s Virtual Terminal for payment card acceptance may qualify to use Self-Assessment Questionnaire C-VT to validate PCI compliance; note that SAQ C-VT eligibility requires cardholder data to be keyed in manually through the browser from a workstation isolated from other systems, with no electronic storage of cardholder data.
Targeted PCI Compliance Scope: SAQ-A-EP (Partially Outsourced E-commerce Merchants using a Third-party Website for payment Processing)
TokenEx’s Browser-Based Encryption implementation model allows e-commerce payment card data to be encrypted before it ever leaves the consumer’s browser. The merchant’s website never receives unencrypted cardholder data, while still allowing for maximum customization, flexibility, and a positive user experience. Because the merchant’s web server still serves the page that collects the card data, it remains partially responsible for the secure processing of cardholder data, which means more PCI DSS requirements apply than under SAQ A. Merchants using TokenEx’s Browser-Based Encryption for payment card acceptance may qualify to use Self-Assessment Questionnaire A-EP to validate PCI compliance.
Targeted PCI Compliance Scope: SAQ-C or SAQ-D
TokenEx’s Data Vaulting API and file-based Batch Tokenization services give the merchant the ability to integrate tokenization into any environment. Merchants have the freedom and flexibility to choose when, where, and in what format tokenization occurs within the payment flow. Vaulting cardholder data with TokenEx greatly simplifies the stored-data requirements of PCI DSS Requirement 3 while significantly reducing the organization’s risk from data breaches. Merchants using TokenEx’s Data Vaulting API and Batch Tokenization services may qualify to use Self-Assessment Questionnaire C or D to validate PCI compliance, depending on what other cardholder data their environment handles.
PCI Requirement Notes When Using TokenEx
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- TokenEx does not provide default credentials.
- Each data vault and API method can be configured with its own unique access key.
Requirement 3: Protect stored cardholder data
- TokenEx fully manages and secures all vaulted data.
- TokenEx uses current encryption algorithms and hardware security modules to protect vaulted data and its keys.
- Cryptography used includes RSA and AES encryption, 3DES (a legacy algorithm), and DUKPT key management for terminal-captured data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- TokenEx uses TLS and SFTP exclusively for transmission of cardholder data.
- TokenEx cannot accept unprotected data.
Requirement 7: Restrict access to cardholder data by business need to know
- TokenEx grants API access on a per-method basis and supports IP allow-listing (whitelisting).
- TokenEx allows clients to separate tokenization and detokenization access controls, so only authorized staff and systems with a need to know can retrieve data from the vaults.
Requirement 9: Restrict physical access to cardholder data
- By removing cardholder data from your environment, the physical security controls of Requirement 9 apply to far fewer of your systems.
- TokenEx uses top-tier data centers with SAS 70 (since superseded by SSAE SOC reports), PCI DSS, and SSAE SOC 2 attestations.
Requirement 10: Track and monitor all access to network resources and cardholder data
- TokenEx provides logging and usage reporting to track all access into and out of your data vaults.
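As an added illustration (not TokenEx’s code or API, and not a description of how the TokenEx vault is built), the following Python sketch shows the controls that the Data Vaulting API section and the Requirement 7 and 10 notes describe: credentials that carry only the methods they need, an IP allow-list checked on every call, randomly generated tokens that keep only the last four digits and deliberately fail the Luhn check so they cannot be mistaken for a PAN, and one audit record per access attempt. The credential names, the test PAN 4111111111111111 and the RFC 5737 addresses are constructed.

```python
# Constructed example: a minimal token vault showing per-method credentials,
# an IP allow-list and an audit log. Not TokenEx code; the real vault holds
# vaulted data encrypted under HSM-managed keys, which this toy does not do.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class VaultError(Exception):
    """Raised when a caller is not authorized or the input is invalid."""


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to validate PANs and to reject tokens that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self):
        self._tokens = {}    # token -> PAN (a real vault encrypts this at rest)
        self._index = {}     # HMAC(PAN) -> token, so one PAN maps to one reusable token
        self._index_key = secrets.token_bytes(32)
        self._creds = {}     # api_key -> {"methods": set, "ips": set}
        self.audit_log = []  # Requirement 10: one record per access attempt

    def add_credential(self, api_key, methods, allowed_ips):
        # Requirement 7: a key gets only the methods and source IPs it needs.
        self._creds[api_key] = {"methods": set(methods), "ips": set(allowed_ips)}

    def _authorize(self, api_key, method, source_ip):
        cred = self._creds.get(api_key)
        allowed = (cred is not None
                   and method in cred["methods"]
                   and source_ip in cred["ips"])
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "key": api_key[:4] + "...",  # never write the full secret to the log
            "method": method,
            "source_ip": source_ip,
            "result": "allow" if allowed else "deny",
        })
        if not allowed:
            raise VaultError(f"{method} denied for key {api_key[:4]}... from {source_ip}")

    def tokenize(self, api_key, source_ip, pan):
        self._authorize(api_key, "tokenize", source_ip)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise VaultError("input is not a valid PAN")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:
            return self._index[idx]
        while True:
            # 12 random digits plus the real last four: the token reveals nothing
            # about the PAN beyond the digits already printed on receipts.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._tokens and not luhn_valid(token):
                break  # a token that fails Luhn cannot pass as a PAN downstream
        self._tokens[token] = pan
        self._index[idx] = token
        return token

    def detokenize(self, api_key, source_ip, token):
        self._authorize(api_key, "detokenize", source_ip)
        try:
            return self._tokens[token]
        except KeyError:
            raise VaultError("unknown token") from None


def denied(call, *args) -> bool:
    """True if the vault refuses the call; used by the demo below."""
    try:
        call(*args)
        return False
    except VaultError:
        return True


if __name__ == "__main__":
    vault = TokenVault()
    vault.add_credential("web-ingest-key", ["tokenize"], {"203.0.113.10"})
    vault.add_credential("settlement-key", ["detokenize"], {"198.51.100.5"})
    pan = "4111111111111111"  # constructed test PAN
    token = vault.tokenize("web-ingest-key", "203.0.113.10", pan)
    print("token:", token)
    print("settlement can detokenize:", vault.detokenize("settlement-key", "198.51.100.5", token) == pan)
    print("ingest key blocked from detokenize:", denied(vault.detokenize, "web-ingest-key", "203.0.113.10", token))
    print("wrong source IP blocked:", denied(vault.tokenize, "web-ingest-key", "10.0.0.1", pan))
    for entry in vault.audit_log:
        print(entry)
```

The point the sketch makes is that the web tier which collects card data only ever needs the tokenize method, the settlement or chargeback process is the only consumer of detokenize, and each is pinned to its own source address; any call outside that pattern is both refused and recorded.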