Reducing Scope with Tokenization and Point to Point Encryption
Any business that continues to store, process or transmit credit card information is feeling the pressure to comply with the PCI DSS 2.0 changes, which become enforceable on January 1, 2012. Version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), released in October 2010, updated the earlier guidelines to help merchants create a more secure purchasing environment for consumers.
A major factor in PCI compliance is a company’s scope. Scope is determined by identifying the cardholder data environment, including the system components, processes and people involved in a credit card transaction. Determining scope is the first step in a PCI DSS assessment, and reducing your scope can help your company comply with the PCI DSS requirements.
There are two great solutions to help reduce your scope:
1. Point-to-Point Encryption:
Point-to-point encryption (P2PE) secures data in flight. Converting the information to an unintelligible form protects sensitive data from the point of entry, while in transit, all the way to the payment processor. It is important to focus on this area and make sure that the ownership, creation, maintenance, updating and destruction of the keys that support the encryption are well controlled. The PCI Security Standards Council (PCI SSC) has confirmed that P2PE is the technology that processors, software providers and merchants should be moving toward. To learn more about P2PE, check our video library.
2. Tokenization:
Tokenization is a method for securing sensitive card data at rest by replacing the data with unique identification symbols, or tokens. The token, not the actual credit card number, is then moved to a secure, PCI DSS compliant storage facility. This technology heavily reduces the likelihood of an attack, though it still requires appropriate database, network, platform and application security controls. However, when the responsibility for protecting stored data, along with the risk of a security breach and the resulting losses, is transferred to a trusted partner, business liability is dramatically reduced for merchants and software providers alike.
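The following Go program is an added example that is not code from the original post or from Element Payment Services; it models the two techniques above working together. A terminal seals the card number with AES-GCM under a key that only the processor also holds, every merchant system in between forwards only the opaque ciphertext, and the processor opens the blob, validates the card number and vaults it, handing the merchant back a token that keeps just the last four digits and is deliberately minted to fail the Luhn check so it can never be mistaken for a real card number. The key handling, the in-memory vault and the test card number 4111111111111111 are constructed assumptions for illustration only; a real processor keeps the vault in an encrypted, access-controlled store and manages the key under the controls described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// newAEAD wraps a 16-, 24- or 32-byte key in AES-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtPOS models the point of entry: the terminal seals the PAN under its injected
// key with a fresh nonce and emits nonce || ciphertext || tag, which is all the merchant sees.
func EncryptAtPOS(terminalKey cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, terminalKey.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return terminalKey.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Processor is the only party holding the P2PE key and the token vault
// (assumption: an in-memory map stands in for an encrypted, access-controlled store).
type Processor struct {
	aead  cipher.AEAD
	vault map[string]string // token -> PAN, never exposed to the merchant
}

func NewProcessor(key []byte) (*Processor, error) {
	aead, err := newAEAD(key)
	return &Processor{aead: aead, vault: map[string]string{}}, err
}

// luhnValid reports whether s is at least 12 digits with a correct Luhn check digit.
func luhnValid(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if (len(s)-i)%2 == 0 { // every second digit counted from the right is doubled
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return len(s) >= 12 && sum%10 == 0
}

// newToken mints 12 random digits plus the real last four, retrying until the
// value is unused and fails Luhn, so a token can never pass for a real PAN.
func (p *Processor) newToken(last4 string) (string, error) {
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000))
		if err != nil {
			return "", err
		}
		if tok := fmt.Sprintf("%012d%s", n.Int64(), last4); !luhnValid(tok) && p.vault[tok] == "" {
			return tok, nil
		}
	}
}

// Tokenize opens the terminal's blob (GCM rejects tampering or a wrong key),
// validates the PAN, vaults it and returns only the surrogate token.
func (p *Processor) Tokenize(blob []byte) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pan, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil || !luhnValid(string(pan)) {
		return "", errors.New("rejected: tampered, wrong key, or not a valid PAN")
	}
	tok, err := p.newToken(string(pan[len(pan)-4:]))
	if err != nil {
		return "", err
	}
	p.vault[tok] = string(pan)
	return tok, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; in production it lives in the processor's HSM/KMS
	rand.Read(key)
	terminalKey, _ := newAEAD(key) // the same key, injected into the terminal at deployment
	proc, _ := NewProcessor(key)
	blob, _ := EncryptAtPOS(terminalKey, "4111111111111111") // constructed test PAN
	fmt.Println(proc.Tokenize(blob))
}
```

Two design choices carry the scope argument: the merchant's code path never holds a key, so it can only forward the blob it received, and the token is random rather than derived from the card number, so possessing the merchant's database yields nothing that could be reversed without the processor's vault.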
Point-to-point encryption (also known as end-to-end encryption) and tokenization help to remove sensitive data from the payment environment, reduce the risk of credit card data breaches, and help your company achieve PCI DSS compliance more easily.
There are great opportunities to reduce the scope of PCI compliance by taking advantage of these emerging technologies. Wherever your organization is along the PCI journey, Element Payment Services can help you along the way. For more information, view our tokenization white paper or contact us today to get started.