A Retailer's Guide to Compliance-Enabling Payment Technologies

In an effort to help merchants both achieve and maintain payment card industry (PCI) compliance, technologies for cardholder data security have become more prevalent. Merchants should view PCI compliance as an ongoing business requirement with continuously evolving needs and mandated changes, not just a one-time, stand-alone IT issue.

There's no quick-fix approach to both achieving and maintaining compliance. It's an ongoing process that begins at the strategic level. Retailers must address both the business side (i.e., process and payment flow) and the appropriate technological counterpart. Compliance-enabling technologies are a good place to start when it comes to the latter.

A compliance-enabling technology is any product or service that assists in reducing the scope of PCI requirements. While it's not a PCI requirement and it doesn't replace the standards mandated by the PCI Security Standards Council (PCI SSC), it is a long-term solution that if implemented correctly could make it both cheaper and easier to maintain compliance. Consider the following examples:

Masking
This refers to the use of replacement data to obscure or replace the primary account number (PAN). The PCI data security standard (DSS) allows retailers to display the first six and the last four characters of a credit card number. With a masking functionality, the middle six numbers are substituted with a string of replacement characters that can be either random or fixed. Primarily used as a display technology, the underlying data is still stored but is unable to be seen. This reduces the scope of PCI exposure by eliminating the display of the full PAN. The unmasked data may still be displayed to other users with a business need to know and the stored data is still subject to the PCI DSS requirements.

Virtual Terminal
With this technology, cardholder data is captured and stored at a third-party location via an authenticated website with an SSL-encrypted communication link. Ideal for card-not-present and e-commerce environments, virtual terminal solutions are used for call centers and customer self-service. They also have the built-in functionality to integrate successfully with point-of-sale terminals and magnetic stripe readers to support card-present payment options.

Ultimately, there's only one solution when it comes to completely eliminating the scope of PCI compliance — stop accepting credit cards altogether. This isn't a realistic approach for retailers in today's payment environment who must balance customer convenience against the need for compliance within their organization. How you integrate and accommodate these technologies will depend on your business, your culture and your revenue models. Compliance-enabling technologies serve as a viable long-term solution to reduce the scope of PCI requirements and impact to your business.

Tokenization
This is the process of replacing a PAN with alternative identifiers (i.e., tokens). The card number is first passed through the interchange process via the issuing bank and payment brand as it is today. A token that replaces the card number is then returned to the merchant for use in a more secure manner with a reduced scope of PCI exposure. This functionality primarily addresses cardholder data storage, as the cardholder number is replaced with a character string that can be used for processing and data transmission. Thus if a breach did occur, cardholder information wouldn't be vulnerable to exposure.