Tokenization Amplified – XiIntercept for SAP · 2020-05-01
Tokenization Amplified – XiIntercept for SAP
How to minimize the impact of the Payment Card Industry Data Security Standard (PCI DSS) and reduce risk
Paymetric | White Paper | Tokenization Amplified – XiIntercept for SAP 2
Table of Contents
Executive Summary 3
PCI DSS 3
The PCI Audit Process 4
PCI DSS Scoping 6
Tokenization and the Elimination of Scope from PCI Requirement 3 6
Tokenization Amplified – Introducing XiIntercept, the Ultimate Scope Reduction Mechanism 9
XiIntercept for eCommerce 10
XiIntercept for SAP 11
XiIntercept Stand-alone 12
Benefits of XiIntercept 12
Conclusion 12
About Paymetric 13
Executive Summary
The Payment Card Industry Data Security Standard (PCI DSS) has presented a significant challenge for merchants over the past few years. Maintaining compliance with PCI DSS requirements is time-consuming and costly. That is why merchants continuously seek ways to remove their internal systems from PCI scope, and the approach that stands out most is tokenization.
Tokenization has increasingly been used to help merchants reduce the scope of PCI DSS compliance, particularly Requirement 3 (protect stored cardholder data). Finding scope reduction anywhere beyond that has been difficult for merchants until now. This paper introduces XiIntercept™ Solutions: Tokenization Amplified.
PCI DSS
Prior to 2004, each card brand had its own security program that merchants were required to adhere to: Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection (SDP), American Express's Data Security Operating Policy (DSOP), Discover's Information Security and Compliance (DISC) program and the JCB Data Security Program. These five card brands realized it was becoming very confusing for merchants to comply with multiple overlapping programs and decided to develop a uniform security standard, now known as the Payment Card Industry Data Security Standard (PCI DSS), released in December 2004.
In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed as a joint venture between American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. The PCI SSC's goal is to facilitate the broad adoption of consistent data security measures, and it is responsible for the development, management, education and awareness of the PCI standards, including PCI DSS.
PCI DSS is a set of regularly revised requirements intended to help organizations proactively protect cardholder data. Any organization that stores, processes or transmits cardholder data is required to comply with PCI DSS. That means even if you process a single transaction, you must be PCI compliant. Failure to do so may result in fines levied by the card brands through the acquirer and, ultimately, loss of the ability to accept card payments.
The standard is organized into six governing principles that contain a total of 12 requirements. Figure 1, the table at the end of this section, lists them.
All organizations subject to PCI DSS are required to validate compliance annually, but that does not mean merchants should treat PCI DSS as a point-in-time exercise. Compliance with PCI DSS should be part of a company's ongoing, daily security strategy and requires constant attention. The requirements outlined by PCI DSS are sound guidelines, but they can be onerous to achieve. Companies are increasingly looking for ways to outsource all or some of their payment card processing components to PCI compliant vendors in order to limit the scope of these requirements and the cost and effort of maintaining them.
The PCI Audit Process
The PCI audit process was designed to assist merchants in validating their compliance with PCI DSS. Depending on the individual company's electronic payment acceptance environment, the way in which PCI DSS validation is handled will differ. Merchants that process over six million card transactions a year must complete an annual on-site assessment performed by a third-party Qualified Security Assessor (QSA). Every system component that stores, processes or transmits cardholder data, including those involved in authorization and settlement, plus any system connected to them, is in scope for the compliance validation procedures.
Figure 1: The Payment Card Industry Data Security Standard (principles and requirements)
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration
  2. Do not use vendor-supplied defaults for system passwords
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Figure 2: Systems in Scope for On-Site Audit. Merchants that process more than six million transactions per year must complete an on-site assessment annually, performed by a third-party QSA. Any systems, or their associated components, involved in the processing, storage or transmission of cardholder data are considered in scope for the PCI DSS assessment.
Companies that process fewer than six million transactions per year (merchant Levels 2 through 4) have the opportunity to self-assess their compliance with PCI DSS. These merchants are eligible to complete a Self-Assessment Questionnaire (SAQ) and the corresponding Attestation of Compliance, which is provided to the acquirer to validate PCI compliance. There are five SAQ validation types, based on how the merchant accepts electronic payments (Figure 3). SAQ A is the least demanding and contains only 13 questions, while SAQ D is the most demanding, requiring 288 items to be validated.
Examples of Systems in Scope for an On-site Audit:
§ All external connections into the merchant network (e.g., employee remote access, payment card company, third-party access for processing and maintenance)
§ All connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers)
§ Any data repositories outside of the authorization and settlement environment where more than 500,000 account numbers are stored. Even if some data repositories or systems are excluded from the audit, the merchant is still responsible for ensuring that all systems that store, process or transmit cardholder data are compliant with PCI DSS
§ A POS environment, the place where a transaction is accepted at a merchant location (retail store, restaurant, hotel property, gas station, supermarket or other POS location). If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband or publicly accessible machines such as kiosks), the POS environment may be excluded
Figure 3: SAQ Validation Categories
Type 1, SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Type 2, SAQ B: Imprint-only merchants with no electronic cardholder data storage.
Type 3, SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
Type 4, SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Type 5, SAQ D: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
PCI DSS Scope
Because the scope of the PCI DSS requirements can be so large and complicated, companies are constantly searching for ways to reduce or eliminate effort wherever possible. The good news is that there are multiple ways businesses can potentially reduce the size of their PCI DSS scope: outsourcing payment functions, point-to-point encryption (P2PE), centralizing card storage and tokenization.
All of these techniques are sound ways to reduce PCI DSS scope. Depending on the individual company's payment acceptance environment, some of them may or may not be appropriate strategies. For instance, P2PE is a strong technology, but it is highly POS-centric: the card is encrypted inside the reading device before it reaches any merchant system. In card-not-present (CNP) environments, P2PE is difficult to achieve because card numbers are keyed manually into systems and applications. If a merchant has both card-present and CNP payment acceptance landscapes, P2PE and tokenization would likely be a good tandem solution. It is important to understand, however, that with centralization card numbers are still stored on site, which minimizes the scope of PCI Requirement 3 but does not eliminate it.
Tokenization and the Reduction of Scope From PCI Requirement 3
The PCI DSS scope reduction technique that works best for most CNP merchants is a combination of the outsourcing and tokenization techniques described above. Tokenization affords businesses the opportunity to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications.
More than 25 percent of Gartner clients have already adopted a payment card tokenization solution to reduce the scope of their PCI assessments, and three out of four clients calling about PCI inquire about tokenization.1 Because tokenization is delivered as a hosted, on-demand service, it is affordable compared with the investment businesses would have to make in on-premise encryption solutions. Gartner research supports this, stating that one attractive and viable way for most companies to limit overall compliance costs is to reduce the scope of the PCI audit by tokenizing card data.2
1 "Choosing a Tokenization Vendor for PCI Compliance," Gartner, Avivah Litan
2 "Choosing a Tokenization Vendor for PCI Compliance," Gartner, Avivah Litan
Tokenization works by replacing cardholder data entered into enterprise systems or applications with a surrogate value known as a token. A token is a unique identifier created to reference the original data. The original data is stored off-site in a secure data vault, keyed by the token. The merchant no longer possesses sensitive cardholder data, and the token can be passed throughout systems in the enterprise to meet the demands of customer interactions and support analytics without disrupting day-to-day business activities. In the event of a data security breach at the merchant, tokens cannot be reversed to recover the original number and are therefore useless to thieves. This holds only if tokens are generated randomly (or otherwise cannot be derived from the card number without the vault) and the vault itself, the one place where the mapping exists, is protected as a cardholder data environment in its own right.
Tokenization not only protects businesses from a data security breach, but also helps reduce the scope of PCI compliance, particularly Requirement 3, which mandates the protection of stored cardholder data. Prior to the advent of tokenization, most companies leveraged encryption solutions to protect stored cardholder data. However, merchants increasingly understand the cost and risk advantages of not storing card data internally, with the added benefit of limiting PCI compliance scope.
Figure 4: Before Tokenization. If a tokenization solution is not used, merchants are forced to deploy costly encryption solutions to protect cardholder data. Encryption and key management technology must be implemented on each system where the numbers are stored. As the data passes between system components, it must go through the dreaded encrypt, decrypt, re-encrypt cycle because keys are not shared between systems. Each decryption exposes the raw card number on that system and in transit, increasing risk.
(Diagram: Merchant (CSR takes order, web store order) → SAP CRM → Sales & Distribution → Finance → Processor → Issuing Bank; the raw card number ("1234") is present at every merchant step, and only the authorization and settlement messages leaving the merchant are encrypted.)
When companies rely on encryption, their systems remain in scope for PCI DSS because encrypted cardholder data is still cardholder data (the PAN, or Primary Account Number) as long as the merchant holds the keys that can decrypt it, a more costly and time-consuming scenario. In addition, because encryption is key-based, if a breach were to occur and the keys were obtained, it is feasible that the criminal could gain access to each and every payment card number stored in that system. Not only would that be costly to deal with, it would also be extremely damaging to a company's brand. The bottom line is that encryption solutions still leave the card data, and therefore the systems holding it, exposed to attack.
Figure 5: After Tokenization. With tokenization deployed, sensitive cardholder data is neither transmitted through nor stored in the merchant's systems. Tokens can be passed from one system to another without ever exposing raw data in transit. Because you store only tokens, the risk of a data security breach is greatly reduced and you have a strong argument for the removal of integrated systems from the scope of PCI audits.
According to Gartner Group, the cost to roll out encryption solutions is $6 per customer record. For a company with 100,000 records, that means they would spend $600,000.
(Diagram: Merchant (CSR takes order, web store order) → ERP / CRM → Sales & Distribution → Finance; the card number ("1234") is exchanged for a token at entry, tokens flow between the merchant systems, and authorization and settlement are performed against the token.)
Tokenization Amplified: Introducing XiIntercept, the Ultimate Scope Reduction Mechanism
One of the largest drivers for adoption of tokenization solutions to protect stored cardholder data has been PCI scope reduction. Many firms have leveraged tokenization to eliminate the scope of PCI Requirement 3. However, as it becomes more challenging to maintain compliance with PCI DSS, merchants are looking for ways to further reduce the scope of compliance. The good news is that now they can.
Paymetric has developed XiIntercept™, a data intercept solution based on a simple premise: capture the card number as early in the workflow as possible to reduce or even eliminate the merchant's PCI footprint. How does it work? Sensitive information is intercepted and tokenized at the time of entry, before it reaches any merchant system. The token is then provided to the merchant for use in authorization and settlement; when the merchant submits the token, the tokenization provider resolves it to the card number on the merchant's behalf. Raw data never enters merchant systems and applications. XiIntercept solutions offer strong breach protection while dramatically reducing the cost and effort of achieving PCI compliance.
"The Ponemon Institute's research shows that the negative publicity associated with a data breach incident causes reputation damage that may result in abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions." – Ponemon Institute3
The most attractive advantage of XiIntercept is that, if properly architected, merchants may be able to qualify for PCI SAQ C, which means the merchant's annual validation scope would be significantly reduced compared with the SAQ D requirements. SAQ eligibility is ultimately determined by the merchant's acquirer and the payment brands on the basis of the whole payment acceptance environment, not of any single product.
3 Ponemon Institute 2013 Cost of a Data Breach: Global Analysis
Figure 6: XiIntercept Solutions – Payment Processing Without Merchant Exposure to the Card. XiIntercept allows merchants to process electronic payments without ever having exposure to the actual card number. When a customer places an order with the merchant, the raw card number is sent to Paymetric, which tokenizes it and returns the token to the merchant. The merchant subsequently submits the token to Paymetric to obtain authorization for electronic payments. All of this is done without any change to the customer's experience.
(Diagram: Customer, Merchant and Processor; the card number ("1234") travels only between the customer, Paymetric and the processor, and the merchant sees only the token.)
XiIntercept for eCommerce
When a cardholder enters sensitive information through a merchant's web store, the card data is captured in the cardholder's browser, in fields served by Paymetric rather than by the merchant, and sent directly to the tokenization service instead of to the merchant's web server. A token is generated and routed back through the cardholder's browser to the merchant's server for subsequent use in payment authorization and settlement. The process completes in seconds and is entirely transparent to the cardholder. The merchant never transmits, processes or stores the raw data, but instead stores only the token. For this to hold, the merchant's own page code must never read or post the card fields; the raw number must leave the browser only toward the tokenization service.
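The vault, the intercept and the authorization-by-token flow described in the Requirement 3 section, in Figure 6 and in the eCommerce section above, as an added Python example that is not part of the original white paper and is not Paymetric's code. The TokenVault class, the fake_processor stub, the merchant-1 identifier and the order book are assumptions made for illustration; the sample number 4111 1111 1111 1111 is a published Visa test value, not a real account. The example also includes a PAN discovery scan, the check an assessor would run over a supposedly PAN-free system, so the reader can see that the merchant's store really holds no card numbers.

```python
import re
import secrets

# Constructed sample input: a well-known Visa test card number (not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_ok(digits: str) -> bool:
    """Luhn check used by the card brands; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the provider's off-site vault (an assumption, not
    Paymetric's implementation). Tokens are random, so no key exists that could
    turn a token back into a PAN; only the vault's own mapping can."""

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN
        self._token_by_pan = {}   # (merchant_id, PAN) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input does not look like a valid PAN")
        key = (merchant_id, pan)
        if key in self._token_by_pan:         # same card -> same token per merchant,
            return self._token_by_pan[key]    # so repeat-customer analytics still work
        while True:
            core = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = core + pan[-4:]           # keep the last four so a CSR can recognise the card
            # Reject candidates that pass Luhn: a token must never be mistakable for a real PAN.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[key] = token
        return token

    def authorize(self, merchant_id: str, token: str, amount_cents: int, processor) -> dict:
        """Detokenize inside the vault and forward the PAN to the processor; the
        merchant never sees it. A token is only valid for the merchant it was issued to."""
        pan = self._pan_by_token.get(token)
        if pan is None or self._token_by_pan.get((merchant_id, pan)) != token:
            raise KeyError("token unknown for this merchant")
        return processor(pan, amount_cents)


def fake_processor(pan: str, amount_cents: int) -> dict:
    """Constructed stand-in for the processor / issuing bank (no network call)."""
    return {"approved": amount_cents > 0, "last4": pan[-4:]}


# PAN discovery: the check an assessor runs over a system claimed to be PAN-free.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return runs of 13-19 digits (spaces/dashes allowed) that pass Luhn.
    Tokens from the vault above fail Luhn by construction, so they are not reported."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def customer_submits_card(vault: TokenVault, merchant_id: str, pan: str) -> str:
    """The intercept step: runs in the provider-hosted card field or secure entry
    page, outside the merchant's systems. Only the token comes back."""
    return vault.tokenize(merchant_id, pan)


def merchant_places_order(vault, merchant_id, token, amount_cents, order_book) -> dict:
    """Merchant side: stores the token and submits the token, never a PAN."""
    order_book.append({"token": token, "amount_cents": amount_cents})
    return vault.authorize(merchant_id, token, amount_cents, fake_processor)


def demo():
    vault = TokenVault()
    orders = []                                  # the merchant's "database"
    token = customer_submits_card(vault, "merchant-1", SAMPLE_PAN)
    result = merchant_places_order(vault, "merchant-1", token, 1999, orders)
    leaked = find_pans(repr(orders))             # scan merchant data for card numbers
    return token, result, leaked


if __name__ == "__main__":
    token, result, leaked = demo()
    print("token:", token, "approved:", result["approved"], "PANs found:", leaked)
```

Two design points carry the security argument. The token core is drawn from a CSPRNG rather than computed from the PAN, which is what makes the "cannot be reverse engineered" claim true without the vault; and candidates that happen to pass the Luhn check are discarded, so a PAN scanner run over the merchant's database (find_pans above) reports real card numbers but stays silent on tokens. Binding each token to the merchant it was issued to means a token lifted from one merchant cannot be replayed for authorization by another.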
Figure 7: XiIntercept For eCommerce
(Diagram: Client browser (B2B or B2C): the client places an order on the merchant's web store, goes to checkout, fills in cardholder data in Paymetric fields and submits. Data Intercept → Gateway → Processor → Issuing Bank. The merchant's systems (SAP) receive only the token.)
XiIntercept for SAP
XiIntercept for SAP works by invoking a secure card entry web page at each point where a user would otherwise type a value into the SAP card number field. The card number is tokenized on that page and the token is returned to SAP, where it automatically populates the original payment card field for subsequent use in authorization. The user experience is seamless: the normal workflow can be followed and day-to-day business activities completed using tokens. Because the raw card number was intercepted before SAP, it never enters the SAP system, which puts the SAP system in a position to be removed from PCI scope.
Features:
§ Prevents sensitive cardholder data from entering the SAP landscape
§ Centralizes control and logging of tokenization requests for PCI DSS and internal audit reporting
§ Substitutes the card number with a merchant-specific token value, which protects SAP customers against accidental exposure and is useless to hackers, thieves and any external parties
FIGURE 8: XiIntercept for SAP
(Diagram: the agent/CSR and the customer at a workstation running SAP GUI and the data intercept (DI) GUI sit in the PAN zone; the SAP ERP system in the merchant data center sits in the PAN-free zone.)
Benefits:
§ Zero footprint for user workstation
§ Centralizes configuration and auditing
§ Easily scalable across SAP user landscape
§ Minimizes the risk of incurring fees, fines or legal costs associated with a data breach
XiIntercept Stand-alone
When taking a payment, a merchant user accesses the XiIntercept solution via a web browser, which instantly generates a token for the card number entered. This token is copied into the enterprise payment acceptance system and flows through it for storage or subsequent authorization and settlement. The merchant never transmits, processes or stores the raw card data outside of XiIntercept Stand-alone, but instead transmits, processes and stores only the token. The workstation on which the number is keyed still handles the card number, as Figure 8 shows, and remains in scope.
Benefits of XiIntercept:
§ Prevents sensitive cardholder data from entering merchants' enterprise payment systems and applications
§ Substitutes credit card numbers with tokens, rendering the data useless to thieves
§ Minimizes the likelihood of fees, fines and legal costs associated with a data breach
§ Reduces the scope and cost of achieving and maintaining PCI compliance
§ May qualify merchants for SAQ C, reducing the number of compliance requirements from 288 to 80
Conclusion
Merchants are becoming increasingly interested in solutions that reduce or eliminate PCI DSS scope. For years, tokenization has been used to mitigate that scope. XiIntercept solutions are a natural evolution of tokenization technology that can help forward-thinking businesses further reduce PCI DSS audit scope and even qualify merchants for SAQ C.
FIGURE 9: XiIntercept Stand-alone
(Diagram: a customer order is taken by a CSR and the card number ("1234") is tokenized; SAP order, delivery and invoicing in Sales & Distribution use the token; the PAS adapter and communications layer handle authorization with the processor and issuing bank; settlement, GL posting and manual settlement deposit take place in Finance.)
About Paymetric
Paymetric, Inc. is the standard in secure, integrated payments. Our innovative payment acceptance solutions expedite and secure the order-to-cash process, improve ePayment acceptance rates, and reduce the scope and financial burden of PCI compliance. Leading global brands rely on Paymetric for the only fully integrated, processor-agnostic tokenization solution, supported by dedicated customer service. Paymetric is a nationally award-winning industry leader recognized for continual innovation, SAP partnership and world-class support since 1998. For more information, visit paymetric.com.
1225 Northmeadow Pkwy | Suite 110
Roswell, GA 30076
T: 678.242.5281 | F: 866.224.5867
paymetric.com ©2014 Paymetric, Inc. All rights reserved. The names of third parties and their products referred to herein may be trademarks or
registered trademarks of such third parties. All information provided herein is provided “AS-IS” without any warranty.