
ePayment and Data Security
How tokenization minimizes risk and PCI DSS audit scope
paymetric.com

Organizations have more than a 1-in-5 chance of experiencing a data breach in the next 24 months, according to the Ponemon Institute.

To keep payment card data safe, merchants must follow the Payment Card Industry Data Security Standard (PCI DSS). These guidelines are sound, but costly to achieve.

To minimize both the risk of a breach and the scope and cost of a PCI DSS audit, merchants can keep card numbers out of their ERP systems by using tokenization from PCI-compliant vendors.

Risk and cost can be minimized

Diagram: Customer, Merchant, Payment Service Providers, Processor; a raw card number (1234) is shown being replaced by a token before it reaches the merchant.

This diagram shows how an ePayment solution prevents raw card numbers (1234) from ever entering a merchant’s system. When a field comes up for raw card number entry, the ePayment solution opens a secure browser field, captures the number outside of the merchant’s ERP application, stores it securely, and returns a token in its place.

The application therefore contains no usable credit card numbers, only tokens. This reduces the number of audit items by 60 percent, saving significant cost and time. An environment without raw credit card numbers may qualify for Self Assessment Questionnaire (SAQ) C with 139 questions instead of SAQ D with 326 questions. And unlike an encrypted card number, a token can’t be reverse-engineered to reveal the actual card number.

Tokenization replaces a credit card number with a randomly generated code (token) of no value to hackers.

Tokenization and how it works

Choose the right type of tokenization
Which type of ePayment tokenization fits your needs best?

Location
  On-Premise: All hardware and software in merchant’s environment; self-maintained
  Hosted: Private cloud on hosted equipment
  Cloud: Multi-tenant (1)

Cost
  On-Premise: Capital investment plus ongoing operating expenses
  Hosted: Monthly rental and leasing fees
  Cloud: Monthly fee can save up to 88% (2)

PCI DSS audit scope responsibility
  On-Premise: Merchant
  Hosted: Merchant
  Cloud: Payment system vendor

Scalability
  On-Premise: Must procure and deploy new assets
  Hosted: Must procure and deploy new assets
  Cloud: Scale on demand, faster

Redundancy
  On-Premise: Varies—depends on merchant
  Hosted: Single instance, replicated through managed services
  Cloud: Built-in and designed to occur without interruption

Backup and recovery
  On-Premise: Varies—depends on merchant
  Hosted: Varies—depends on merchant/vendor

(1) Research shows that on-premises solutions are attacked more often than cloud solutions. SaaS cloud providers tend to invest more in security and keep it current. The Payment Card Security Council (PCI) encourages the use of third-party service providers, and the cloud has been adopted by Paypal, Google, Apple, Amazon and more.

(2) The cloud can reduce costs as much as 88 percent according to a study sponsored by service provider Rackspace, boosting the ability of IT teams to focus on innovation rather than maintenance.

Other considerations when choosing tokenization

Get processor-agnostic tokenization to keep options open as you acquire companies or enter new geographies.

Select multi-use instead of single-use tokenization, enabling the same token to be used for all transactions with a card. This streamlines reporting and makes customer service simpler.

Use the same form of tokenization in both QA and production. Some solutions suggest or require single-use for QA and multi-use for production, but this effectively means testing occurs in production.

Choose a vendor that owns the tokenization technology rather than a re-seller. This ensures on-demand, fully dedicated support.

$225,000 to $500,000: average spent annually on PCI audit (Ponemon Institute)

Best practices in deploying tokenization

1. Identify risk workflows. Map every process that includes sensitive card information.

2. Convert to tokens. Tokenize sensitive raw or encrypted data in the ERP database, then go back and purge the raw and encrypted data to reduce risk and minimize PCI audit scope.

3. Block users from viewing de-tokenized card numbers in applications by deactivating this capability. Enable authorized users (if needed) to see raw card numbers only in the ePayment system’s reporting portal, outside the ERP.

4. Train users not to enter raw card numbers in text fields by reminding them that text fields can’t be tokenized. Also remind them that card numbers in an ERP system bring that application into scope for PCI audits.

5. Prevent storage of the CVV value. Apply any relevant patches required to ensure that CVV information is not stored in the ERP database, because this is strictly prohibited under PCI DSS and significantly increases risk and cost.
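As an added illustration (not Paymetric’s code or the XiSecure API), the following Python sketches the controls described in the diagram section and in best practices 3 to 5: a vault that issues a random, multi-use token per card and refuses de-tokenization to ERP users, a scan that catches raw card numbers typed into free-text fields, and a record filter that keeps the token but never the CVV. The in-memory vault, the role name "portal-auditor" and the sample inputs are constructed for the example.

```python
import re
import secrets

# Constructed example: an in-memory vault standing in for the PCI-compliant
# vendor's service. Real vaults store the PAN encrypted; the point here is the
# token/PAN separation, not the storage.

def luhn_valid(digits: str) -> bool:
    """Mod-10 check; filters invoice numbers and other digit runs from PAN hits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}    # multi-use: one token per card
        self._by_token: dict[str, str] = {}  # the only place a PAN lives

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a card number")
        token = self._by_pan.get(pan)
        if token is None:
            # Random hex plus last four digits: nothing to decrypt or invert.
            token = "T" + secrets.token_hex(6).upper() + pan[-4:]
            self._by_pan[pan], self._by_token[token] = token, pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        # De-tokenization stays off in the ERP; only the vendor's reporting
        # portal role (hypothetical name) may see the raw number.
        if role != "portal-auditor":
            raise PermissionError("de-tokenization is disabled for ERP users")
        return self._by_token[token]

# Digit runs of 13-19 with optional spaces/dashes, as typed into free-text
# fields that the ePayment layer cannot tokenize.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    hits = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in hits if luhn_valid(d)]

def erp_safe_record(vault: TokenVault, record: dict) -> dict:
    """What the ERP may persist: the token in place of the PAN, never the CVV."""
    safe = dict(record)
    safe.pop("cvv", None)                      # used for authorization only
    safe["card_token"] = vault.tokenize(safe.pop("pan"))
    return safe
```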

Criteria for choosing an ePayment Provider

Keep these factors in mind when evaluating an ePayment data security vendor:

Functionality

Scalability

Mission-focus on data security

Investment in R&D

Reputation

Financial stability

Cost-efficiency

To learn more: See how Paymetric’s XiSecure® keeps sensitive cardholder data from your ERP system by leveraging a patented, on-demand tokenization solution.

Almost 50% of American households have had payment card details stolen in a data breach.*

* Wall Street Journal/NBC News Poll

About Paymetric

Paymetric, Inc. is the global leader in integrated and secure electronic payment solutions for the enterprise, enabling companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance, and improve return on electronic payment acceptance. Paymetric is a recognized industry leader with award-winning solutions and world-class client service.

©2015 Paymetric, Inc. All rights reserved. The names of third parties and their products referred to herein may be trademarks or registered trademarks of such third parties. All information provided herein is provided “AS-IS” without any warranty.

Contact Paymetric at [email protected] or 1-855-476-0134 to learn more. paymetric.com