From an operational aspect, it's important that merchants understand the risks that come with adopting tokens that closely mirror an actual card number (tokens generated using format-preserving encryption). Because such tokens share the card number's format, there is a potential for collision: generating a token that matches an existing, valid card number. Consequently, tokenization service providers, including Chase Paymentech, often use a 40-character string for their tokens. The PCI SSC has just released its tokenization guidelines, which can assist you in choosing the right tokenization provider.
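To make the collision point concrete, here is an added Python sketch (not code from the article, from Chase Paymentech or from any tokenization product) that contrasts a constructed format-preserving token, which keeps a card number's BIN, last four digits and Luhn check digit, with an opaque 40-character vault token; the `TokenVault` class, the key and the use of the industry's well-known 4111... test card number are assumptions of this example.

```python
import hashlib, hmac, secrets, string

def luhn_valid(pan: str) -> bool:
    """Luhn check used by card numbers: True when the digit string is self-consistent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(token: str) -> bool:
    """A 13-19 digit, Luhn-valid token is indistinguishable in form from a real PAN."""
    return token.isdigit() and 13 <= len(token) <= 19 and luhn_valid(token)

def format_preserving_token(pan: str, key: bytes) -> str:
    """Constructed stand-in for an FPE-style token: keeps BIN (first 6) and last 4, derives
    the middle digits from the PAN under a key, then fixes one digit so Luhn passes."""
    mac = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    middle = "".join(str(int(c, 16) % 10) for c in mac[: len(pan) - 10])
    digits = list(pan[:6] + middle + pan[-4:])
    for d in "0123456789":        # one free digit always suffices to satisfy Luhn
        digits[6] = d
        candidate = "".join(digits)
        if luhn_valid(candidate):
            return candidate      # has the exact shape of a card number, hence can collide

ALPHABET = string.ascii_uppercase + string.digits

class TokenVault:
    """Constructed vault issuing opaque 40-character tokens (PAN kept in the clear only for brevity)."""
    def __init__(self, token_len: int = 40):
        self.token_len = token_len
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:          # same card, same token (recurring billing)
            return self._token_by_pan[pan]
        while True:
            tok = "".join(secrets.choice(ALPHABET) for _ in range(self.token_len))
            # reject an already-issued token and anything that could pass as a card number
            if tok not in self._pan_by_token and not looks_like_pan(tok):
                break
        self._pan_by_token[tok] = pan
        self._token_by_pan[pan] = tok
        return tok

    def detokenize(self, tok: str) -> str:
        return self._pan_by_token[tok]
```

The format-preserving token passes every structural check a real PAN would, so a store of such tokens cannot be distinguished from a store of card numbers by format alone; the opaque token cannot be mistaken for one.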
For those merchants interested in tokenization, it's important to understand that tokenization generally occurs after authorization and therefore doesn't address the initial acceptance process. As a result, online retailers are still in scope for PCI during this part of the transaction process. An effective solution to minimize this exposure is to outsource it to a third-party provider via a hosted pay page (HPP). Alternatively, card-present merchants can significantly reduce PCI scope by investing in a point-to-point encryption solution.
Hosted Pay Page
This can take the form of either a separate web page or individual order fields that redirect customers to a secure site to enter their confidential payment data. The page or pages have the same look and feel as the merchant's own website, but are hosted by a trusted third-party provider. In this scenario, the merchant itself never processes or transmits cardholder data. HPP coupled with tokenization can successfully reduce PCI scope at both the acceptance and storage level.
It's important that merchants realize they're still technically at risk for PCI exposure should a breach occur, even if they never see a credit card number. As long as credit cards are accepted for the purchase of goods or services, the authorization and settlement process still leaves the potential for a data compromise. It's recommended that merchants using this combination refer to the PCI self-assessment questionnaire in order to verify their compliance status.
Point-to-Point Encryption (P2PE)
This is a card-present compliance-enabling technology whereby the cardholder data is encrypted from the point at which the transaction is captured to the point that it reaches the acquirer for processing. However, an encrypted PAN is still considered cardholder data under PCI as long as the merchant has access to the decryption keys. P2PE reduces the scope of PCI in the merchant's environment by meeting all of the following criteria:
- the cardholder data is encrypted at swipe;
- decryption occurs outside the merchant environment; and
- no decryption functionality exists within the merchant environment.
Assuming all these criteria are met and no other cardholder data is stored, processed or transmitted anywhere in the merchant environment, the merchant has then successfully reduced the PCI scope.
While no process or technology can ultimately guarantee compliance, compliance-enabling technologies are excellent tools for reducing your PCI DSS compliance scope. In addition to simplifying the difficult task of maintaining compliance over the long term, they also have the potential to reduce the cost and time required to achieve it.
No process or technology can guarantee PCI DSS compliance or remove a retailer's responsibility for PCI DSS compliance. Always evaluate your business processes in light of the PCI DSS requirements and eliminate cardholder data when possible. Once this has been accomplished, these technologies can be implemented as a means of significantly reducing PCI scope and adding another layer of protection to sensitive cardholder data.
David Wallace is group manager for Chase Paymentech's merchant compliance team.