PCI Tokenization



Payment Card Information

What is PCI?

The Payment Card Industry Security Standards Council (PCI SSC) is the governing body of the PCI Data Security Standard (PCI DSS). PCI DSS sets out the requirements for how organizations must protect cardholder data, in particular the Primary Account Number (PAN), and the systems that store, process, or transmit it. Depending on their business processes, organizations accept credit card payments in many ways, from card readers at brick and mortar stores to online shopping carts, batch processing, and call centers. Transactions are further divided into card present and card not present (CNP) cases, each with its own rules and risk profile. Whatever the channel, organizations typically rely on some combination of encryption, tokenization, and third-party processing services to handle the data correctly.


What are the compliance obligations?

PCI DSS applies to every process and system component that receives, stores, processes, or transmits cardholder data, and to anything that can affect the security of those systems.
There are three common PCI misconceptions.

First, many assume that because there is only one PCI DSS standard, there is only one way to comply with it. In fact, a merchant or service provider can validate against the standard in several ways, depending on transaction volume and how cards are accepted. Smaller entities complete a Self-Assessment Questionnaire (SAQ), which internal staff can fill out; larger entities undergo an on-site assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance (RoC). In both cases the result is recorded in a signed Attestation of Compliance (AOC).

A second misconception is that PCI DSS does not apply if an organization outsources its payment processing so that it never stores card data in its own business and IT systems. Unfortunately, even if no cardholder data is stored on premises, PCI DSS still applies, because the organization's systems are still receiving and transmitting that data to a third party. The organization accepting payments for goods and services remains responsible for ensuring that the third party processing its transactions is PCI DSS compliant, and must be able to show that it has validated this.

Third, encrypting cardholder data does not mean PCI compliance can be ignored. Encryption is actually a PCI DSS requirement for protecting the PAN at rest and in transit, and it does not by itself reduce the scope of the assessment: encrypted cardholder data remains in scope for any system that can decrypt it, which means any system that holds or can obtain the keys. The hard part of encryption is not the mathematics but the way organizations manage the keys that lock and unlock the data. Key management is consistently the most challenging part of an encryption program. Think about managing keys in your office building: the locks work fine, but if the keys are not properly controlled, you lose the ability to control access to the rooms.

How TokenEx secures PCI

TokenEx originally focused on solving the three main challenges associated with securing cardholder data with tokenization: 1. the auditability of handling cardholder data; 2. the segmentation of systems and processes that need to interact with the data; and 3. encryption key management. TokenEx found that if these are handled appropriately, an organization can reduce not only its risk exposure but also its regulatory obligations. TokenEx accomplishes this by providing multiple ways to accept cardholder data into clients' secure data vaults, and by letting clients use those vaults to carry out their business processes, from payment gateway transactions to secure batch file processing and integration with third-party services such as fraud detection. The client's own systems hold only tokens, which carry no information from which the PAN can be recovered.

Examples of PCI Tokenization

Clients can use TokenEx's Hosted Payment Page to create a seamless customer experience in a fully audited PCI DSS, SOC 2, and CSA environment. This minimizes the scope and cost of PCI compliance and lets clients focus on their core business. Our browser-based encryption and web services API intercept, encrypt, and tokenize incoming CNP payments so that payment data never enters the client's business environment. For payment processing, a client can use our gateway facilities and have transparent access to multiple providers, offering flexibility in payment processing services and interchange fees.
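The flow described on this page (capture the card number, keep the PAN in a vault, hand the business only a token, detokenize only on the path to the processor) in its simplest form, as an added example that is not TokenEx's code and does not reflect any TokenEx API. TokenVault, merchant_checkout, the in-memory storage, and the HMAC-based index key are assumptions made for illustration; the Visa test number 4111 1111 1111 1111 is constructed input. It also shows the point made in the key-management section: because tokens are random rather than encrypted PANs, the merchant side has no key to manage and nothing that can be reversed.

```python
# Added illustrative tokenization vault. Not TokenEx code; TokenVault,
# merchant_checkout and the in-memory storage are assumptions for this example.
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid PAN of 13 to 19 digits")
    return pan


class TokenVault:
    """The only component that ever sees a PAN.

    Tokens are random, so nothing about the PAN can be derived from a token.
    A keyed HMAC index lets the vault hand back the same token for the same
    PAN (a multi-use token) without storing a searchable plain hash of the PAN.
    In a production vault the index key would live in an HSM/KMS and stored
    PANs would be encrypted at rest; both are omitted here (assumption).
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token = {}     # token -> PAN
        self._token_by_index = {}   # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _random_token_like(pan: str) -> str:
        """Same length as the PAN, same last four digits, Luhn-valid, otherwise random.

        Keeping the last four lets receipts and customer service work without the PAN;
        passing Luhn lets legacy validation accept the token in place of the PAN.
        """
        last_four = pan[-4:]
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
        # Luhn weights every position by a permutation of 0..9, so exactly one
        # value of the adjustable digit makes the whole string pass.
        for fix in "0123456789":
            candidate = body + fix + last_four
            if luhn_valid(candidate):
                return candidate
        raise AssertionError("unreachable: one digit always satisfies Luhn")

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            token = self._random_token_like(pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; in practice it is exposed only to the
        gateway/processor path, never to the merchant's own applications."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, raw_pan: str) -> dict:
    """What the merchant's systems store after checkout: a token and a display
    mask, never the PAN. The card number itself is handed straight to the vault."""
    token = vault.tokenize(raw_pan)
    return {"token": token, "display": "**** **** **** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    record = merchant_checkout(vault, "4111 1111 1111 1111")  # constructed Visa test PAN
    print(record)                       # token and mask only
    print(vault.detokenize(record["token"]))  # only the vault can get the PAN back
```

The design choice that matters for scope is that the merchant record contains only the token; a database dump of the merchant's side yields nothing a cryptanalyst could work on, and a second vault holding different keys cannot resolve the token at all. Whether tokens should pass Luhn is a deployment decision: Luhn-valid tokens drop into legacy systems unchanged, while deliberately Luhn-invalid tokens can never be mistaken for a real card number.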