What are the compliance obligations?
PCI DSS applies to every person, process and system that stores, processes or transmits cardholder data, and to any system that is connected to or could affect the security of those systems; together these make up the cardholder data environment (CDE) that has to be assessed.
There are three common PCI misconceptions.
First, many organizations treat validation as one fixed exercise. There is only one PCI DSS standard, but there are several ways for a merchant or service provider to validate against it, and which one applies depends on transaction volume and on how cards are accepted. Smaller merchants and providers usually complete a Self-Assessment Questionnaire (SAQ), which internal staff can fill in; higher-volume entities undergo an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). Either path ends in an Attestation of Compliance (AOC), the document an acquirer or customer will ask to see.
A second misconception is that PCI DSS does not apply if an organization outsources its payment processing so that no card data is stored in its own business and IT systems. Outsourcing reduces scope, it does not remove it: if the organization's systems receive or transmit cardholder data on the way to the third party, or it controls the page that hands the customer over to the provider, those systems are still in scope, even when the smallest questionnaire (SAQ A, for merchants that fully outsource all cardholder data functions) is all that is required. The organization accepting payment for goods and services also remains responsible for its providers: it has to confirm that each third party that stores, processes or transmits cardholder data on its behalf is itself PCI DSS compliant, typically by obtaining the provider's Attestation of Compliance and rechecking it at least annually, and agree in writing which requirements each party covers.
Third, encrypting cardholder data as it is captured and stored does not make PCI DSS go away. Encryption of stored cardholder data and of data sent over public networks is itself a PCI DSS requirement, and encrypted data only drops out of an entity's scope if that entity has no access to the decryption keys; where the business also holds or can use the keys, the encrypted data, the key store and every system able to decrypt all stay in scope. The hard part is not the mathematics but key management: generating, distributing, rotating, storing and retiring keys, and restricting who and what can use them. Think about managing the keys to your office building: the locks work fine, but if the keys are not properly managed you lose control of who can enter which rooms.
How TokenEx secures cardholder data
TokenEx originally focused on the three challenges that make securing cardholder data hard, and on addressing them with tokenization:
1. auditability of every system and person that handles cardholder data;
2. segmentation of the systems and processes that need to interact with the data from those that do not;
3. encryption key management.
If these are handled appropriately, an organization reduces not only its risk exposure but also the scope of its regulatory obligations, because systems that hold only tokens hold no cardholder data. TokenEx does this by providing several ways to accept cardholder data into a client's secure data vault and several ways to use that vault in day-to-day business processes, from payment gateway transactions to secure batch file processing and integration with third-party services such as fraud detection.
Examples of PCI Tokenization
Clients can use TokenEx's Hosted Payment Page to give customers a seamless checkout while the page itself runs in an environment audited against PCI DSS, SOC 2 and CSA. This minimizes the scope and cost of the client's own PCI DSS validation and lets it focus on its core business. For card-not-present (CNP) payments, TokenEx's browser-based encryption and web services API intercept the card data in the customer's browser, encrypt it and tokenize it in the vault, so payment data never enters the client's business environment; the client's systems receive and store only the token. For payment processing, a client can use TokenEx's gateway facilities and get transparent access to multiple providers, offering flexibility in processing services and interchange fees.
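As an added example that is not TokenEx's code and does not describe its product internals, here is a minimal tokenization vault in Python that shows the three properties the two preceding sections attribute to tokenization: tokens are random values with no mathematical relationship to the PAN, so systems that hold only tokens carry no cardholder data; detokenization is a separately authorized and logged operation (segmentation and auditability); and the only secret lives inside the vault. The class and function names, the scope strings, the blind index and the card-data discovery scan are all hypothetical design choices; the card numbers are standard test PANs, not real cardholder data, and the in-memory dict stands in for encrypted storage the example does not implement.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check. Every real PAN passes it; tokens are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault: the only component that ever sees a PAN.

    Assumption (not from the page): a real vault encrypts PANs at rest under
    HSM-managed keys; this dict only models the trust boundary, not storage.
    """
    # Secret for a blind index so a repeat card maps to the same token (useful
    # for fraud correlation). It must stay secret: the PAN space is small enough
    # to brute-force an unkeyed hash, which would turn the index into a reverse lookup.
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_token: dict = field(default_factory=dict, repr=False)
    _by_index: dict = field(default_factory=dict, repr=False)
    audit_log: list = field(default_factory=list)

    def _index(self, pan: str) -> str:
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, caller: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        idx = self._index(pan)
        if idx in self._by_index:               # repeat card: reuse its token
            token = self._by_index[idx]
        else:
            while True:
                # Random middle digits; last four kept for receipts and support.
                body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                # Reject Luhn-valid candidates so a token can never pass for a PAN.
                if not luhn_valid(token) and token not in self._by_token:
                    break
            self._by_token[token] = pan
            self._by_index[idx] = token
        self.audit_log.append(("tokenize", caller, token))
        return token

    def detokenize(self, token: str, caller: str, scopes: set) -> str:
        # Segmentation: only callers holding the detokenize scope (e.g. the
        # gateway connector) may recover a PAN, and every attempt is logged.
        self.audit_log.append(("detokenize", caller, token))
        if "detokenize" not in scopes:
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token]


PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Card-data discovery scan: digit runs of PAN length that pass Luhn."""
    return [m.group(0) for m in PAN_RUN.finditer(text) if luhn_valid(m.group(0))]


def demo() -> dict:
    """Merchant flow: the PAN goes to the vault, the merchant keeps only the token."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"               # standard test PAN, not real card data
    token = vault.tokenize(pan, caller="checkout-page")
    # The merchant's order record and logs hold the token, never the PAN.
    order_record = f"order=1001 card={token} last4={token[-4:]} amount=42.00"
    try:
        vault.detokenize(token, caller="reporting-job", scopes={"read"})
        reporting_saw_pan = True
    except PermissionError:
        reporting_saw_pan = False
    # Only the gateway connector may recover the PAN to authorize the payment.
    recovered = vault.detokenize(token, caller="gateway-connector", scopes={"detokenize"})
    return {
        "token": token,
        "pans_in_merchant_record": find_pans(order_record),
        "reporting_saw_pan": reporting_saw_pan,
        "gateway_recovered_pan": recovered == pan.replace(" ", ""),
        "audit_entries": len(vault.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The discovery scan at the end is the check a practitioner would run over merchant databases and logs when arguing that those systems are out of scope: because tokens are random and deliberately fail Luhn, a scan for card-shaped numbers finds nothing, while the same scan over anything holding a real PAN lights up. Making tokens deterministic per card is a design choice for fraud and analytics use; if that correlation is not needed, drop the blind index and issue a fresh random token per transaction.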