Merchants, banks, and other parties that play a role in processing credit and debit card payments must protect the privacy of account data—both to meet core business goals and to fulfill obligations under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS defines strict compliance requirements for the processing, storage, and transmission of account data. PCI DSS compliance must be validated periodically, and failure to comply can result in fines or even the termination of the ability to process credit cards. Needless to say, it’s a compliance mandate with teeth – but meeting it can pay off in dividends.
The complexities of achieving PCI DSS compliance
Although the PCI DSS specification contains only 12 requirements, it’s a meaty document with extensive supporting guidance released in various supplements. That’s a considerable amount of reading for merchants who typically find it hardest to comply with the standard (and often suffer the most in terms of fines when data breaches occur).
In addition, the growing number of ways that merchants can accept payments from consumers leads to a wider range of places inside their IT infrastructures where primary account numbers (or PANs) are present and hence require protection. This rapid digital transformation, coupled with the technology and expertise required to support the most effective methods of data protection (e.g. encryption, key management), puts considerable demands on merchants seeking to keep their businesses afloat. Is it possible, then, for merchants to simplify the task of complying with the rigorous PCI DSS requirements?
How tokenization may help reduce scope
The answer may lie in making use of a technique known as tokenization, where the merchant stores a token (a proxy for the PAN) rather than the actual PAN itself, which makes stolen data much less valuable to attackers. The reason I say “may” is because there is no solution or technology that eliminates all PCI DSS requirements. However, tokenization will almost certainly lower the risk of fraud, diminish the applicability of some PCI DSS requirements, and may limit the number of systems operated by the merchant that are considered part of the cardholder data environment (or CDE). The end result is that tokenization may help the merchant meet some of the PCI DSS requirements more easily, which in many cases could result in significant cost savings.
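To make the mechanism concrete, here is an added illustration in Python (not code from the original post or from any vendor product) of a minimal token vault: the vault, which stays inside the CDE, is the only component that holds PANs, while every other merchant system receives a random, same-length token that keeps the last four digits for receipts and is deliberately built to fail the Luhn check so it can never be mistaken for, or used as, a live PAN. The in-memory dictionaries, the HMAC lookup key and the test PAN 4111111111111111 are assumptions for the example; a real vault would persist the PAN mapping encrypted and gate detokenization behind authorization.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (as every real PAN does)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Sole holder of PANs (in scope for PCI DSS); callers outside it only ever see tokens."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key        # keyed index so the same PAN maps to the same token
        self._pan_by_token = {}       # token -> PAN (constructed in-memory store for the example)
        self._token_by_index = {}     # HMAC(PAN) -> token, avoids storing a plain hash of the PAN

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        index = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]   # random leading digits, last four preserved for receipts
            # A token must fail Luhn so it cannot pass as a live card number, and must be unused.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside the CDE) can turn a token back into the PAN."""
        return self._pan_by_token[token]
```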
Practical advice based on proven solutions
The protection of the PAN is just one small (but extremely important) part of the overall PCI DSS requirements. Merchants still need effective and practical advice in order to simplify the remainder of their PCI DSS compliance obligations.
Recently I had the pleasure of collaborating with Peter Spier from Fortrex Technologies on the publication of a Wiley Dummies book, “PCI Compliance & Data Protection for Dummies”. In his capacity as a PCI QSA, PA-QSA, and PCIP, Peter has a long track record of success in helping numerous organizations with PCI DSS compliance. The end result is a valuable starting point for any organization that wants to learn how to reduce its PCI footprint, limit payment card fraud, and retain its data integrity.