A Look At Technologies Deemed Critical To Payments Security

New technology tools are emerging in the market that merchant acquirers can offer or merchants themselves can adopt to comply with Payment Card Industry data-security standards.


Some of the new technology tools include:

Virtual terminals: When merchants use virtual terminals, cardholder data are stored at a third-party location and entered through a Web page protected by a Secure Sockets Layer (SSL)-encrypted communication link. Virtual terminals are a good fit for card-not-present and electronic-commerce transactions and for call centers and self-service devices.

Masking: Masking uses replacement data to obscure or replace a card’s Primary Account Number, or PAN. The PCI Data Security Standard allows firms to display the first six and the last four digits of a card number. Masking substitutes the middle six digits with a string of replacement characters, so the underlying data can be stored without ever being displayed, which reduces the scope of PCI compliance.

Hosted pay pages: Such pages are separate Web pages or order fields that redirect customers to a secure site to enter confidential payment data. A third-party provider hosts the sites so the merchant never stores or transmits cardholder data.

Point-to-point encryption: This card-present technology encrypts cardholder data from the point of capture at the merchant to the point where the acquirer processes the transaction. Point-to-point encryption takes merchants out of PCI scope if decryption takes place outside the merchant’s environment.
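As an added example, not taken from the article or from Chase Paymentech, the following Python applies the display rule the masking item above describes (first six and last four digits visible, everything between replaced) and also scrubs PAN-shaped numbers out of free text such as a finance report line, which is the kind of on-screen exposure Wallace describes later in the interview. It assumes PAN lengths of 13 to 19 digits, "X" as the replacement character, and a Luhn (mod-10) check so that unrelated digit strings are left alone; the sample strings are constructed, and 4111 1111 1111 1111 is a public test card number.

```python
import re

# Display rule from PCI DSS: at most the first six and last four PAN digits
# may be shown; everything in between must be replaced.
FIRST_VISIBLE = 6
LAST_VISIBLE = 4
MASK_CHAR = "X"          # replacement character (assumption; any non-digit works)

# PAN-shaped digit run of 13 to 19 digits, allowing single spaces or hyphens
# between digits (assumed input formats such as "4111 1111 1111 1111").
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check, used to avoid masking digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible.

    Separators are dropped. Anything that is not a 13-19 digit string raises
    ValueError, so a caller never displays a malformed value unmasked.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("input is not a 13-19 digit PAN")
    hidden = len(digits) - FIRST_VISIBLE - LAST_VISIBLE
    return digits[:FIRST_VISIBLE] + MASK_CHAR * hidden + digits[-LAST_VISIBLE:]


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid PAN-shaped number in free text (report lines, logs)."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Non-Luhn runs (order ids, reference numbers) are returned untouched.
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_PATTERN.sub(_replace, text)


if __name__ == "__main__":
    # Constructed sample report line; 4111 1111 1111 1111 is a public test number.
    sample = "Order 1187 paid with card 4111 1111 1111 1111 on 2024-03-01"
    print(scrub_text(sample))
```

The scrubber deliberately drops the grouping spaces from the masked value and rejects short inputs rather than masking them, so a truncated or mistyped value cannot slip through as "already masked". Masking applied at the display layer reduces what staff see; the stored PAN is still cardholder data and stays in scope wherever it is held.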

David Wallace, group manager of merchant compliance at Chase Paymentech LLC, spoke recently with PaymentsSource sister publication Bank Technology News about how these tools are changing PCI compliance.

BTN: Is PCI compliance becoming easier or more difficult?

Wallace: PCI compliance overall is becoming more attainable. A lot of that is due to the nature of the process. We’ve got a good standards lifecycle in place and there’s a methodology to update those standards in response to changes in the threat environment. If you look at the changes from one version to another, the changes have been small, mostly clarification and guidance. And you’re also seeing acquirers running a “level four” program to help smaller merchants (in PCI parlance, “level four” refers to smaller merchants that often lack the budgets or tech acumen to easily achieve PCI compliance).

BTN: What are some of the misperceptions of PCI compliance?

Wallace: Compliance technology can reduce the scope, but the technology’s not a requirement. Many merchants have said ‘you have to buy the XYZ tech to be PCI compliant,’ but that’s not true. And the tech doesn’t replace the PCI. Just because you’ve deployed point-to-point encryption, you still have to perform the PCI-validation requirements that are appropriate to your business.

BTN: What are some of the important initial steps that merchants should take before embarking on a PCI compliance initiative?

Wallace: Before you embark on a tech purchase, you have to conduct a business process review into what cardholder data you are storing, and look for ways to reduce or eliminate the presence of cardholder data in your environment and to look at ways to reduce costs. For example, we were working with a merchant that was ‘charge-back obsessed.’ It turned out that 90% of the charge-backs were coming within 40 days of the transaction, so the merchant was holding a lot of transaction data compared with a small amount of charge-back volume. So does it make sense to hold on to that much data, when you could have that data stored for you [by a third party provider]?

BTN: You’ve highlighted a number of the tech options available to aid in PCI scope reduction. What makes ‘masking,’ for example, effective in reducing PCI compliance costs?

Wallace: The instant your accounting or finance folks go online to look at cardholder data, if they see the card numbers across their screen, these activities are brought back into PCI audit scope. If I mask the data, they are getting cardholder data, but not ‘card data,’ so it frees the firm from having ‘scope creep.’

BTN: Point-to-point encryption has gotten a lot of attention over the past year or so. Why is this security layer so important?

Wallace: We’re seeing changes in the threat environment toward malware that looks for card data as it comes into a keypad or a USB port or a serial port. The private key (which decrypts the card data) can be held by a third party in point-to-point encryption, so the merchant never has possession of the cardholder data.
