PCI Tokenization

Payment Card Information

What is PCI?

The Payment Card Industry Security Standards Council (PCI SSC) is the governing body for the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS documents the standards that govern how organizations should protect Payment Card Information (also called PCI), which includes data such as cardholder names, primary account numbers, and other financial data. Depending on their payment acceptance strategies, organizations employ various technologies and strategies for accepting and processing payment cards. Payment card transactions include both card-present and card-not-present (CNP) cases, and each has its own rules and regulations. Both methods of accepting and processing payments should use encryption and tokenization to secure the transactional data and keep sensitive data out of internal business systems.

Although the PCI DSS must be implemented by all entities that process, store, or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently, both Visa and MasterCard require merchants and service providers to be validated according to the PCI DSS. Visa also offers an alternative program called the Technology Innovation Program (TIP) that allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against counterfeit fraud, such as the use of EMV or Point to Point Encryption (P2PE) technology; however, they are still required to be PCI DSS compliant. Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS, although these organizations must still implement all controls to maintain safe harbor and avoid potential liability in the event of fraud associated with theft of cardholder data.

Issuing banks are not required to go through PCI DSS validation although they still must secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit.

What Are the Compliance Obligations?

The PCI DSS governs all processes that store, process, and transmit cardholder data. However, there are three common PCI misconceptions that can inhibit compliance.

First, although there is only one PCI DSS standard, there are two ways that a merchant or service provider can validate against it:

  • A Self-Assessment Questionnaire (SAQ), which can be completed by internal security staff.
  • A Report on Compliance, which requires a third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).

Second, there is a misconception that PCI DSS does not apply if an organization outsources its payment processing so that it does not store any payment card information in local business and IT systems. Even if an organization is not storing payment card data internally, the PCI DSS still applies because its business systems are processing or transmitting this data. Ultimately, the organization that accepts payments for goods and services is responsible for ensuring its own compliance and the compliance of any third-party service providers used in conjunction with payment card data.

Third, the use of encryption to capture and store payment card data does not mean PCI DSS compliance can be ignored. Encryption is just one of many requirements for protecting payment card information (PCI DSS Requirement 3). By itself, encryption does not reduce the scope of PCI compliance or the risk of data theft. The main challenge with encryption is not the mathematics itself but the way organizations manage the keys that encrypt and decrypt the payment card data. Encryption key management is the most challenging security task for organizations. Think about managing keys in your office building—locks work great, but if keys aren’t properly managed, you lose the ability to secure access to rooms. When PCI is tokenized and stored in TokenEx Secure Cloud Data Vaults, all encryption keys are securely managed by TokenEx, relieving your organization of that task.

Validation of compliance with the PCI DSS is determined by individual payment brands. All the brands have agreed to incorporate the PCI DSS as part of the technical requirements for each of their data security compliance programs. The payment brands also recognize security assessors and approved scanning vendors qualified by the PCI Security Standards Council. The Council does not enforce compliance; this is done by individual payment brands or acquiring banks.

The TokenEx Cloud Security Platform was designed from the very beginning to tokenize any data type and interface with any payment processor, financial institution, ERP back-office system, e-commerce solution, and mobile application. Tokenizing payment card data is relatively straightforward given a cryptographically secure algorithm and a bit of thought. The true challenge with tokenization of sensitive data is integrating a tokenization solution into your omni-channel environment. Every channel you add to your payment handling systems adds complexity, with diverse layers of technologies and customizations. That’s why you need a tokenization platform that has the flexibility to seamlessly integrate with your and your partners’ environments without disrupting current business processes.

Flexible Integration

TokenEx integrates with organizations of all sizes and degrees of complexity, across industries. From start-ups to Fortune 10 organizations, TokenEx has the experience and knowledge base to integrate with the technology stack that you are using to manage sensitive data. TokenEx tokenizes and securely vaults payment card information (PCI) in any channel, removing it from internal systems. The TokenEx Open Cloud Security Platform is payment processor agnostic, integrating your payment channels with any payment gateway, processor, and financial institution. The open integration capabilities of TokenEx can share tokenized data with any of the other business partners in your payment stream. It can integrate fraud prevention services, for example, to protect against fraud and chargebacks. It can integrate marketing analytics services directly into payment channels to monitor sales performance. It can integrate with booking engines to keep payment card data from entering your business systems.

Custom Integrations

Most organizations will have several different technologies in their business environment that work in unison to accept omni-channel payments. TokenEx provides integrations to the following technologies, among others, using multiple methods:

  • Enterprise Resource Planning (ERP)—Oracle, SAP, NetSuite
  • Ecommerce—Hosted iFrame, Hosted Payment Page, JavaScript Implementations, and Web Services
  • Mobile—Native Applications, Browser-based Applications
  • Contact Centers—In-house developed systems, commercial off-the-shelf systems, third-party contact center solutions, and contact center packages
  • PIN-Pad Devices—Verifone, Ingenico, Magtek, ID Tech, Grabba
  • Third-Party Hosted Solutions—WooCommerce, Shopify, WordPress
  • Payments—Payment Processors, Payment Gateways, ACH Gateways, Financial Institutions
  • Legacy Technologies—Mainframe business systems and in-house developed applications

For more information on custom integration of tokenization services for your specific business needs, please email sales@tokenex.com and describe your challenges. Remember the goal: No Data. No Theft.

How TokenEx Secures PCI

TokenEx originally focused on using tokenization and cloud data vaulting to solve the three main challenges associated with securing PCI:

  1. Auditability of the handling of payment card data
  2. Segmentation associated with systems and processes that need to interact with the data
  3. Encryption key management

TokenEx found that when these three processes are handled correctly, an organization can reduce not only its exposure to the risk of data theft but also its PCI regulatory obligations. TokenEx accomplishes this by providing multiple ways to intercept PCI before it enters clients’ business systems, accepting payment card data into secure cloud data vaults segmented per client, and integrating those vaults with existing business processes, including payment gateway transactions, secure batch file processing, and integration with third-party services.

Complete Tokenization in Eight Weeks

MRC Global is the largest distributor of pipe, valve and fitting products, and services to the energy and industrial markets worldwide. A true international organization, it operates in over 44 countries. To supply the needs of these demanding hardware-intensive customers, MRC Global operates as both an e-commerce and storefront retailer, with corresponding warehousing centers and distribution networks. It manages multiple acceptance channels with diverse payment processors, navigating complex international regulations, supported by a mix of ERP software systems.

“The TokenEx Cloud Security Platform already had all the features we needed to integrate with our various systems,” says Max Grannan, MRC Global Senior IS Director of Security and Compliance. “We had some changes to make on our end, and the TokenEx Project Manager was there every step of the way to answer our detailed questions.” The project continued gaining momentum with the TokenEx Project Manager working hand in hand with the MRC Global IT team to resolve any issues during the integration.

The first phase of a tokenization project is to collect all the existing payment card data (PCI) and Personally Identifiable Information (PII) stored in the databases and tokenize it. The sensitive data is stored in the TokenEx Cloud Data Vaults, and only the corresponding tokens are returned to the MRC Global databases. Because a large volume of payment account numbers, bank account numbers, and customer data had accumulated over decades of business, TokenEx also assisted in standardizing the format of the data according to best practices and purging stale data. This first phase immediately eliminates the risk involved in storing sensitive data. Should a data breach occur in the MRC Global systems, there is no valuable data to steal.

In phase two of MRC Global’s tokenization implementation, the payment streams were integrated with the TokenEx Web Services API, so that as payment data is entered at any acceptance point, it is intercepted, encrypted, sent to TokenEx for tokenizing, and the tokens are returned to the MRC Global financial systems for processing. This critical integration ensures that payment data never enters the IT systems, keeping them out of the scope of PCI compliance. This is a significant cost savings, especially for an international company with MRC Global’s transaction volume. In most cases, the savings in PCI compliance—which includes auditing, testing, and upgrading both hardware and software systems to stay in compliance—pay for the tokenization services. Beyond the savings in compliance, the cost of fines resulting from stolen payment data, estimated to be $200 per PAN, is eliminated, along with legal fees, damage to customer relations, and lost business.
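The two phases above describe one flow: the card number is intercepted at the acceptance point, sent to a vault, and only a token comes back into the business systems, which later hand that token to an authorized payment connector. The following toy vault is an added illustration written for this page, not TokenEx code and not its API. It assumes an in-memory dictionary in place of a cloud data vault, an HMAC key held by the vault process in place of HSM-managed key material, and a plain set of caller names in place of real authentication of the systems allowed to detokenize. It shows the three properties the page names: tokens carry no recoverable card data (random digits that deliberately fail the Luhn check, so a token can never be a usable card number), access is segmented (only the gateway connector may detokenize), and every operation is audit-logged without ever logging the PAN.

```python
"""Toy tokenization vault (added example, not TokenEx code).

Assumptions: dict-backed vault, process-local HMAC key, caller names
instead of real authentication. The card number used is the well-known
Visa test PAN, not a real account.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; every real PAN passes it."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, authorized_detokenizers):
        self._by_token = {}   # token -> PAN (encrypted at rest in a real vault)
        self._by_pan = {}     # HMAC(PAN) -> token, so one PAN maps to one token
        self._index_key = secrets.token_bytes(32)  # stands in for HSM key material
        self._authorized = set(authorized_detokenizers)
        self.audit_log = []   # every operation; never the PAN itself

    def _log(self, op, actor, token, ok=True):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "op": op, "actor": actor, "token": token, "ok": ok,
        })

    def _pan_index(self, pan):
        # Keyed hash: a leaked index cannot be reversed into PANs by brute force
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan):
        # Format-preserving: 16 digits, same last four, random elsewhere.
        # Candidates that pass Luhn are rejected so a token is never a valid
        # card number; collisions with existing tokens are retried.
        while True:
            cand = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_valid(cand) and cand not in self._by_token:
                return cand

    def tokenize(self, pan, actor):
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        key = self._pan_index(pan)
        token = self._by_pan.get(key)
        if token is None:
            token = self._new_token(pan)
            self._by_pan[key] = token
            self._by_token[token] = pan
        self._log("tokenize", actor, token)
        return token

    def detokenize(self, token, actor):
        # Segmentation: only systems that must see the PAN (the payment
        # gateway connector here) may detokenize; others are refused and logged.
        if actor not in self._authorized:
            self._log("detokenize", actor, token, ok=False)
            raise PermissionError(f"{actor} may not detokenize")
        pan = self._by_token[token]
        self._log("detokenize", actor, token)
        return pan


def accept_payment(vault, customer, pan):
    """What the business system stores: the token and last four, never the PAN."""
    token = vault.tokenize(pan, actor="checkout")
    return {"customer": customer, "card_token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(authorized_detokenizers={"gateway-connector"})
    record = accept_payment(vault, "acme", "4111 1111 1111 1111")  # constructed test PAN
    print(record)
    print(vault.detokenize(record["card_token"], actor="gateway-connector"))
    print(json.dumps(vault.audit_log, indent=1))
```

The keyed index is the detail worth noticing: if the vault deduplicated PANs with a plain SHA-256, the index table alone would let anyone who obtained it enumerate the small space of valid card numbers offline, which is why the key material, not the hash function, is what the page's key-management point is really about.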

“Considering the global scope of our business, the number of payment acceptance channels we have, and the number of systems that process payment information, it was impressive how quickly the complete implementation went,” reflects Grannan. “All the sensitive data was out of our systems, tokenized, vaulted, and payment streams being processed by TokenEx in just eight weeks.”

Secure Your PCI Today!

Contact us to learn how TokenEx can help tokenize your sensitive business data.