
Tag Archives: PCI compliance

5 Steps to Reduce PCI DSS Scope

Because the scope of PCI DSS requirements can be so large and complicated, companies are constantly searching for ways to reduce and even eliminate it. Below are five ways businesses can potentially reduce the size of their PCI DSS scope.

  1. Consolidation: Identifying and eliminating redundant data sets and consolidating applications and information storage can reduce scope.
  2. Centralization: Encrypted data is stored in a highly secure on-site central data vault. The payment card numbers are replaced with tokens in other applications or databases. Since cardholder data is only stored in one central location, PCI DSS scope is minimized.
  3. End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE): Ensures that card numbers are encrypted from the first card swipe at the point-of-sale (POS) and while in transit all the way to the payment processor, eliminating most PCI requirements.
  4. Outsourcing: Outsourcing all or some of your payment card processing capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only.
  5. Tokenization: Stores card numbers and other sensitive data, such as social security numbers, in an off-site highly secure data vault. The payment card numbers are replaced with tokens in all other databases and applications. Not storing cardholder data anywhere greatly simplifies the scope of the PCI requirements.

These five steps can simplify PCI compliance for POS-centric and card-not-present (CNP) environments, but choosing the best method for your company will depend on the level of security you are looking to achieve. For example, the first two techniques will minimize the scope of PCI Requirement 3 but will not eliminate it: card numbers are still stored on-site, so an attacker who manages to decrypt your data gains access to all of it.

Your next layer of protection is a third-party tokenization solution. Tokenization affords businesses the opportunity to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications. Implementing tokenization can make reaching compliance much easier than replacing an existing application with a PA-DSS compliant one, according to a Verizon Business report.

If you are searching for the complete package, a combination of third-party tokenization and a point-to-point encryption (P2PE) solution will get you closest to completely eliminating your PCI scope, depending on your current payments landscape. Utilizing P2PE can take your entire network and PCs out of scope, because card numbers are encrypted at the swipe and tokenized before they ever touch your network.

If you have questions regarding PCI DSS Compliance or Tokenization solutions, please contact us to schedule a time to speak with one of our Payments Industry Experts.


Beyond PCI with Tokenization: Next Generation Security

Recently, tokenization has gained widespread attention as one of the most effective solutions organizations can implement to protect sensitive cardholder data. Although encryption is also a prevailing security solution, there are vast differences between the two, and either may or may not be a good fit for your organization’s needs.

With traditional encryption, there are three common challenges that grow exponentially more difficult for organizations that have payment data in multiple, disparate systems. Those challenges are cost, key management, and application integration. Tokenization helps solve these challenges.

Many people view the core definition of tokenization as the substitution of a credit card number with a meaningless replacement value that has no intrinsic worth to criminals on the black market. But what is tokenization, really? A token can be thought of as a reference or pointer to a credit card number, one that lets systems work with the card without actually having to handle the card number itself. The bottom line is that tokenization is an evolution of the better-known but less well-suited traditional encryption. With tokenization, sensitive data is completely removed from enterprise systems. And, as an added bonus, the technology is complementary to ERP systems.

Drilling deeper, tokenization affords companies the opportunity to eliminate the storage of sensitive information. The technology intercepts cardholder data entered into an enterprise payment acceptance system such as a web store, CRM, ERP or POS and replaces it with a surrogate number known as a token – a unique ID created to stand in for the actual data associated with a specific card number. This makes tokenization a best-in-class approach to data security. More than 25 percent of Gartner clients have already adopted payment card tokenization to reduce the scope of their PCI assessments, and three out of four clients calling about PCI inquire about tokenization.

By ensuring that business applications, systems and infrastructure are processing randomly generated numbers instead of regulated cardholder data, organizations can drastically reduce the controls, processes and procedures needed to comply with PCI DSS. This is particularly true if tokenization is provided to merchants as a service from a third party that maintains data management.
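As an added illustration (not Paymetric’s code or any product’s API), the constructed Python below shows the mechanics described above: a vault that issues random tokens unrelated to the card number, detokenization restricted to the settlement path that talks to the processor, and a scope check that scans merchant records for Luhn-valid card numbers that should no longer be there. All class, function and role names are hypothetical.

```python
import re
import secrets

# Constructed example of a token vault and a PCI scope check; hypothetical names.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: distinguishes real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the isolated vault that alone holds real card numbers."""

    def __init__(self):
        # In a real vault this store is encrypted and is the only system in scope.
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Random token, not derived from the PAN; keep last four digits for display
        # and reject Luhn-valid candidates so tokens never look like card numbers.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the settlement path, which sends the PAN to the processor, may recover it."""
        if caller_role != "settlement":
            raise PermissionError("detokenization not permitted for role %r" % caller_role)
        return self._pan_by_token[token]


def find_pan_like(records):
    """Scope check: flag Luhn-valid 13-19 digit strings in systems meant to hold only tokens."""
    return [m.group() for rec in records for m in PAN_RE.finditer(rec) if luhn_valid(m.group())]
```

Running `find_pan_like` over exports from CRM, ERP or order databases is a cheap way to confirm that the systems you consider out of scope really hold tokens and not card numbers.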

The task for merchants is to find an electronic payment security solution that integrates into existing workflows while also:

  • Protecting sensitive cardholder data
  • Achieving and maintaining PCI DSS compliance
  • Reducing the scope of compliance
  • Conducting business as usual
  • Deploying in a cost-effective manner

Click here to learn more about Paymetric’s data security solutions, or contact us.


5 Ways Businesses Can Reduce PCI DSS Scope

Because the scope of PCI DSS requirements can be so large and complicated, companies are constantly searching for ways to reduce and even eliminate it. Below are five ways businesses can potentially reduce the size of their PCI DSS scope.

  1. Consolidation: Identifying and eliminating redundant data sets and consolidating applications and information storage can reduce scope.
  2. Centralization: Encrypted data is stored in a highly secure on-site central data vault. The payment card numbers are replaced with tokens in other applications or databases. Since cardholder data is only stored in one central location, PCI DSS scope is minimized.
  3. End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE): Ensures that card numbers are encrypted from the first card swipe at the point-of-sale and while in transit all the way to the payment processor, eliminating most PCI requirements.
  4. Outsourcing: Outsourcing all or some of your payment card processing capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only.
  5. Tokenization: Stores card numbers in an off-site highly secure data vault. The payment card numbers are replaced with tokens in all other databases and applications. Not storing cardholder data anywhere greatly simplifies the scope of the PCI requirements.

All of the techniques outlined above are sound ways to reduce PCI DSS scope. Depending on the individual company’s payment acceptance environment, some of these may or may not be appropriate strategies. For instance, E2EE/P2PE is a great technology, but it is highly POS-centric. In card-not-present (CNP) environments, E2EE/P2PE is difficult to achieve because card numbers must be manually entered into merchant systems and applications.

If a merchant were to have both card present and CNP payment acceptance landscapes, E2EE/P2PE and tokenization are a great tandem solution. But it’s important to understand that with centralization, card numbers are still stored on site, minimizing the scope of PCI Requirement 3, but not eliminating it.

Outsourcing Tokenization

The PCI DSS scope reduction technique that works best for most CNP merchants is a combination of the outsourcing and tokenization techniques described above. Tokenization is a solution that affords businesses the opportunity to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications. Implementing tokenization can make reaching compliance much easier than replacing an existing application with a PA-DSS compliant one, according to a recent Verizon Business report.

To find out how your organization can simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) and benefit from outsourcing tokenization technology, please contact us.


Upcoming Webinar: Keeping Your SAP System Fully Compliant and Secure

Join us on October 23, 2014 at 1:00 pm ET for an expert webinar as we uncover the growing risks associated with storing sensitive card data in your internal merchant systems and how you can simplify the process of protecting your customers’ data – reducing risks and keeping your systems PCI compliant and secure.

In this webinar, you will learn:

  • Common data security challenges faced by companies in their SAP systems
  • Best practices when dealing with raw card numbers
  • How Paymetric’s XiIntercept solution can be put to use in your SAP environment
  • How to train your users to keep your system compliant

Presented by: Eric Bushman, Vice President, Solutions Engineering, Paymetric

Register today to learn more!

Paymetric Case Study: Burton Snowboards

Issue: A pioneer in the snowboarding industry, Burton was in need of a PCI compliant payment acceptance solution that integrated with SAP Business Suite as well as solved non-integration challenges with split orders, manual entry error, delivery without guarantee of payment, workflow delays, downgrade possibilities, late fees and data security issues.

Solution: Paymetric’s XiPay® On-demand is a Software-as-a-Service (SaaS) solution that enables companies to manage, accept and integrate virtually every type of electronic payment in any enterprise system where payment is accepted.

XiSecure® On-demand is Paymetric’s award-winning tokenization solution that eliminates the transmission and storage of sensitive cardholder data.

Results: With XiPay On-demand and XiSecure On-demand, Burton was able to:

  • Optimize payment acceptance and minimize cost and risk
  • Reduce the cost and scope of a PCI DSS audit
  • Eliminate expired authorizations and reconciliation hassles
  • Reduce bad debt
  • Prevent manual errors
