Transaction Wireless Makes PCI Grade With Cloud Computing

Transaction Wireless Inc. became one of the first digital gift card providers to achieve the highest level of PCI Data Security Standard compliance for its computing cloud, defined as the interconnectivity of multiple computer servers, the company announced Aug. 23.


Achieving PCI compliance is an important step for companies using Web-based “cloud computing” to provide digital gift cards, but it does not lessen the various compliance responsibilities of the merchant selling or redeeming those cards, data security experts say.

Cloud computing offers clients a secure online retail site around the clock that can accommodate the busiest sales periods, Doug Schneider, CEO of San Diego, Calif.-based Transaction Wireless, contends.

“Although PCI focuses mainly on credit card data, Transaction Wireless treats all account data, including gift card account numbers, with the same security measures,” Schneider tells PaymentsSource.

Despite taking such precautions, merchants still need to ensure the consumer data on those cards is secure, says Ulf Mattsson, chief technology officer for Stamford, Conn.-based Protegrity, a tokenization and encryption vendor. Mattsson also participates in various special interest groups for the PCI Security Standards Council.

“Adding the cloud computing aspect to compliance is complicated because a recertification would be needed with each merchant,” Mattsson says. “The digital product may not be validated in some of the infrastructure requirements at the merchant site.”

Indeed, gaining PCI compliance for cloud computing processes doesn’t always mean the merchant selling the gift cards is PCI compliant, Mattsson suggests.

“With the cloud computing environment, it is still up to the Quality Security Assessor interpretation for compliance,” Mattsson says. “It is hard, or even impossible, to log card activities in a cloud environment, and that is a PCI requirement.”

From a PCI point of view, as soon as a card is produced for a payment transaction and it has cardholder data, it needs to be PCI compliant, Mattsson adds.

Madeline Aufseeser, a senior analyst with Boston, Mass.-based Aite Group LLC, notes it is important to understand precisely when a gift card actually has to become compliant.

“(For) All transactional cards, whether it’s credit, debit or prepaid, the PCI rules are general across the board,” Aufseeser says. “But gift cards are not PCI compliant until the consumer registers them [for use], then the issuer and the processor make sure the PCI compliance is in place.”

Jeff Brown, senior adviser for CompliancePoint, a Duluth, Ga.-based Quality Security Assessor for PCI and subsidiary of PossibleNow, Inc., which executed the Transaction Wireless security assessment, echoes Mattsson’s view.

“The consumer data on a digital card is not going to a physical location in the cloud computing environment, but the merchant still has the responsibility to follow his own policy and procedure guidelines as well as meet PCI standards,” Brown tells PaymentsSource.

Schneider makes the distinction that PCI compliance for his company was based on its cloud-computing “and the fact that we chose to treat the digital gift card data the same as you would treat credit card data.”

Retailers using Transaction Wireless offer digital gift cards to customers to purchase or send via online, mobile or social media channels, Schneider explains.

“The purchaser is able to send the gift card on e-mail or post to a Facebook wall immediately or schedule it for automated delivery at a later day, even down to a specific hour,” Schneider says. “Depending on the retailer, the recipient can use their mobile phone with the gift card for redemption or the printed virtual gift card received via email.”
