Merchants have a lot on their minds without worrying about security audits and malware. Acquirers can help by offering new technology and security tools that protect merchants and reduce the expense of Payment Card Industry (PCI) compliance reviews.
David Wallace, group manager of merchant compliance for card processing company Chase Paymentech, recently broke down some of the new technology tools that can be offered by issuing banks or adopted directly by merchants themselves.
His synopsis of the emerging tech tools includes the following:
• Virtual terminals: With a virtual terminal, cardholder data is stored at a third-party location and entered through a web page protected by a Secure Sockets Layer (SSL)-encrypted link. Wallace says virtual terminals are a good fit for card-not-present and electronic commerce transactions, as well as call centers and self-service devices. He notes that the only solution that completely eliminates the need for PCI compliance is to "not accept credit cards," but acknowledges that's not realistic and recommends a balance of customer convenience and compliance.
• Masking: Masking uses replacement characters to obscure the Primary Account Number (PAN). The PCI Data Security Standard (DSS) allows firms to display the first six and the last four digits of a card number. With masking, the middle six digits are substituted with a string of replacement characters, so the underlying data can be stored but not seen, reducing PCI compliance scope.
• Hosted pay page: HPPs are separate web pages or order fields that redirect customers to a secure site to enter confidential payment data. The sites are hosted by a third-party provider, so the merchant never stores or transmits cardholder data.
• Point-to-point encryption: A card-present technology in which cardholder data is encrypted from the point of capture at the merchant to the point of processing at the acquirer. Point-to-point encryption uses asymmetric (also known as "public key") encryption, with separate keys for encryption and decryption, and keeps the decryption keys outside the merchant's environment, reducing the merchant's PCI scope.
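The masking rule above (first six and last four digits visible, the rest replaced) is simple to state but easy to get wrong when cardholder data leaks into places it should not be, such as application logs read by finance staff. The following Go program is an added example, not code from Chase Paymentech or from this article: it masks PANs per the PCI DSS display rule and scans log lines for unmasked card numbers, using a Luhn check so that timestamps and order numbers are not mistaken for PANs. The log lines and card numbers are constructed (well-known test numbers, not real cardholder data); the function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panCandidate matches a run of digits, optionally separated by single spaces
// or dashes. Go's RE2 engine has no lookarounds, so the length and Luhn
// checks that separate a PAN from an order number or timestamp are done in code.
var panCandidate = regexp.MustCompile(`[0-9](?:[ -]?[0-9])+`)

func stripSeparators(s string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(s)
}

// LuhnValid reports whether a digit string passes the Luhn check digit test
// (ISO/IEC 7812). Most random digit runs fail it, which cuts false positives.
func LuhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// MaskPAN keeps the first six and last four digits, which PCI DSS permits to be
// displayed, and replaces everything in between with '*'. Separators are removed.
func MaskPAN(pan string) (string, error) {
	digits := stripSeparators(pan)
	if len(digits) < 13 || len(digits) > 19 {
		return "", fmt.Errorf("PAN length %d outside 13..19", len(digits))
	}
	for i := 0; i < len(digits); i++ {
		if digits[i] < '0' || digits[i] > '9' {
			return "", fmt.Errorf("PAN contains a non-digit")
		}
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:], nil
}

// RedactLine masks every Luhn-valid 13-19 digit run in a log line and returns
// the rewritten line plus the number of PANs masked. Runs that are too short,
// too long, or fail Luhn (timestamps, order ids, already-masked values) stay as is.
func RedactLine(line string) (string, int) {
	found := 0
	out := panCandidate.ReplaceAllStringFunc(line, func(m string) string {
		digits := stripSeparators(m)
		if len(digits) < 13 || len(digits) > 19 || !LuhnValid(digits) {
			return m
		}
		masked, err := MaskPAN(digits)
		if err != nil {
			return m
		}
		found++
		return masked
	})
	return out, found
}

// ScanLog redacts a batch of lines and reports how many PANs were found. A
// non-zero count is the signal that unmasked cardholder data is reaching a
// system that was supposed to be outside PCI scope.
func ScanLog(lines []string) ([]string, int) {
	total := 0
	out := make([]string, 0, len(lines))
	for _, l := range lines {
		r, n := RedactLine(l)
		out = append(out, r)
		total += n
	}
	return out, total
}

func main() {
	// Constructed sample log lines using well-known test card numbers; not real data.
	sample := []string{
		"2024-01-01T10:00:00 order=42 pan=4111111111111111 status=approved",
		"2024-01-01T10:00:05 order=43 pan=3782 822463 10005 status=declined",
		"2024-01-01T10:00:09 order=44 ref=1234567890123456 status=approved",
		"2024-01-01T10:00:12 order=45 pan=411111******1111 status=approved",
	}
	redacted, n := ScanLog(sample)
	for _, l := range redacted {
		fmt.Println(l)
	}
	fmt.Printf("%d unmasked PAN(s) found\n", n)
}
```

Running it against a copy of an application log is a quick way to find the "scope creep" Wallace describes later: any line where the count is non-zero is a system that is handling cardholder data and therefore in scope.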
Wallace this week spoke with BTN about how these tools are changing PCI compliance, and warned of the dangers of the data "rash": payment data being accessed by various business lines, which can bring more of a merchant's business into PCI scope. This class of encryption tools attempts to contain that rash by removing cardholder data from the live transaction and potentially combining it with a substitute identifier, such as a token, that allows payments to be executed while cutting storage costs and compliance burden for issuers and merchants.
BTN: Is PCI compliance becoming easier or more difficult?
Wallace: PCI compliance overall is becoming more attainable. A lot of that is due to the nature of the process. We've got a good standards lifecycle in place and there's a methodology to update those standards in response to changes in the threat environment. If you look at the changes from one version to another, the changes have been small, mostly clarification and guidance. And you're also seeing acquirers running a "level four" program to help smaller merchants (in PCI parlance, "level four" refers to programs designed to place compliance-enabling tools and expertise in the hands of smaller merchants that often lack the budgets or tech acumen to easily achieve PCI compliance).
BTN: What are some of the misperceptions of PCI compliance?
Wallace: Compliance technology can reduce the scope, but the technology's not a requirement. Many merchants have been told 'you have to buy the xyz tech to be PCI compliant' but that's not true. And, also, the tech doesn't replace the PCI. Just because you've deployed point-to-point encryption, you still have to perform the PCI validation requirements that are appropriate to your business.
BTN: What are some of the important initial steps that merchants should take before embarking on a PCI compliance initiative?
Wallace: Before you embark on a tech purchase, you have to conduct a business process review into what cardholder data you are storing, and look for ways to reduce or eliminate the presence of cardholder data in your environment and to look at ways to reduce costs. For example, we were working with a merchant that was 'chargeback obsessed.' It turned out that 90 percent of the chargebacks were coming within 40 days of the transaction, so the merchant was holding a lot of transaction data compared with a small amount of chargeback volume. So does it make sense to hold onto that much data, when you could dispose of it securely with no risk, or have that data stored for you at limited risk [by a third party provider]?
BTN: You've highlighted a number of the tech options available to aid in PCI scope reduction. What makes 'masking,' for example, effective in reducing PCI compliance costs?
Wallace: The instant your accounting or finance folks go online to look at cardholder data, if they see the card numbers across their screen, these activities potentially expand PCI audit scope. If I mask the data, they are getting cardholder data, but not actual 'cardholder data,' so it frees the firm from having 'scope creep.'
BTN: Point-to-point encryption has gotten a lot of attention over the past year or so. Why is this security layer so important?
Wallace: We're seeing changes in the threat environment toward malware that looks for card data as it comes into a keypad or a USB port or a serial port. The private key (which decrypts the card data) can be held by a third party in point-to-point encryption, so the merchant never has possession of the cardholder data.
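The key-separation property Wallace describes, where the merchant terminal can encrypt but only a private key held outside the merchant environment can decrypt, is shown concretely in the Go program below. It is an added example, not code from Chase Paymentech, from any P2PE product, or from this article: the terminal holds only the acquirer's RSA public key, wraps a fresh per-transaction AES-256-GCM key with RSA-OAEP, and discards that key after use; the acquirer object with the private key is the only party that can unwrap it. The type and function names, the OAEP label and the sample card data are this example's own constructions, and a real P2PE deployment adds key management, device attestation and a validated hardware capture path that this sketch does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to this use; constructed value for the example.
var oaepLabel = []byte("p2pe-example-session-key")

// Envelope is what the merchant's capture device emits onto the network:
// a per-transaction AES key wrapped with the acquirer's RSA public key,
// the AES-GCM nonce, and the ciphertext of the cardholder data.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Terminal is the merchant side. It holds only the acquirer's public key,
// so nothing in the merchant environment can turn an Envelope back into a PAN.
type Terminal struct {
	AcquirerPub *rsa.PublicKey
}

// Acquirer holds the private (decryption) key, outside the merchant environment.
type Acquirer struct {
	priv *rsa.PrivateKey
}

// NewAcquirer generates the acquirer's RSA key pair.
func NewAcquirer() (*Acquirer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Acquirer{priv: priv}, nil
}

// PublicKey is the only key material provisioned to merchant terminals.
func (a *Acquirer) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Capture encrypts cardholder data at the point of capture: a fresh AES-256-GCM
// key per transaction, wrapped with RSA-OAEP/SHA-256 under the acquirer's public key.
func (t *Terminal) Capture(cardholderData []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, cardholderData, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, t.AcquirerPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	// The terminal discards the session key; from here on only the private key holder can decrypt.
	for i := range key {
		key[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the session key with the private key and opens the payload.
// A tampered ciphertext or a wrong private key produces an error, never plaintext.
func (a *Acquirer) Decrypt(env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	acq, err := NewAcquirer()
	if err != nil {
		panic(err)
	}
	term := &Terminal{AcquirerPub: acq.PublicKey()}
	// Constructed input using a well-known test card number, not real cardholder data.
	env, err := term.Capture([]byte("4111111111111111|12/29"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant network carries %d ciphertext bytes and no PAN\n", len(env.Ciphertext))
	pt, err := acq.Decrypt(env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("acquirer recovers: %s\n", pt)
}
```

The point for scope reduction is the asymmetry: a compromised terminal or store network yields only envelopes, and the malware Wallace mentions, which watches keypads and serial or USB ports, has to be defeated by encrypting inside the capture device itself, before the data reaches the host it is plugged into.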