PayPoint introduces a new PCI DSS compliant solution enabling online merchants to easily secure card payments in their own websites

PayPoint, an international leader in payment technologies, announces CardLock, a secure payments plugin which helps e- commerce merchants drastically reduce PCI Data Security Standard (PCI DSS) responsibilities in their existing websites by almost 60%.

CardLock is an invisible token-based solution which has been designed to work alongside PayPoint’s payments API, allowing merchant websites and applications to retain their seamless consumer experience without the need to handle or store sensitive card data. The token based solution has been developed with merchants in mind, enabling them to retain full control of their overall payments experience whilst significantly reducing the PCI burden.

Historically, consumers have been passed to webpages hosted by the payments provider, who would collect and manage sensitive card data directly. But this is often a significant compromise for merchants in addressing PCI responsibilities. Many third party providers offer only simple hosted webpages which don’t meet the needs of today’s organisations, who want to own, manage and control their own customer experience across a range of mobile and online services.

With CardLock, the merchant’s own user experience runs throughout the process, with sensitive card data discretely intercepted and secured by the PayPoint plugin prior to payment submission. This resolves some of the issues faced by merchants fulfilling their PCI DSS obligations, who do not want to move to a full-redirect model for e-commerce transactions and yet wish to significantly reduce the overall number of requirements to meet compliance standards.

By securing card details at source, directly within the merchant payment form, no payment card data is stored, processed or transmitted by the merchant, even in subsequent API payment requests resulting from their servers. This significantly reduces the scale of PCI DSS compliance and therefore enhances the options available to e- and m- commerce merchants in addressing this obligation.

Leading Visa and MasterCard approved Qualified Security Assessor (QSA) and PCI experts Nettitude commented on the PayPoint solution “With over two decades of experience in the Compliance industry, we know all too well how important it is to be compliant but we also know that this means a compromise for many. With PayPoint’s CardLock plugin, merchants who use a payments API, have the flexibility of retaining their overall payment experience without handling sensitive card data.”

Leading Visa and MasterCard approved Qualified Security Assessor (QSA) and PCI expert Nettitude commented on the PayPoint solution: “With PayPoint’s CardLock plugin, merchants who use a payments API have the flexibility of retaining their overall payment experience without handling sensitive card data,” said Nigel Gildea, Principal Security Consultant at Nettitude.  “Having had an opportunity to review the transaction flow and implementation guidelines, Nettitude is satisfied that CardLock meets the card flow requirements defined by Visa Europe to allow merchants to reduce their PCI-DSS certification requirements from SAQ D, to SAQ A-EP, which could mean a control reduction of up to 57% for many merchants.”

Dan Salmons, Managing Director, PayPoint Mobile and Online comments, “CardLock has been specifically designed to fit in with a merchant’s existing systems so that they retain full control over their customers’ checkout experience, even though our service invisibly tackles the security of cardholder data, and later handles the actual payment for them too.”

“The added bonus of PayPoint having held PCI DSS compliance for ten years takes an extra weight off their minds –effectively they’re outsourcing the large majority of their PCI compliance to a market leader. Having held this standard for more than a decade, we’ve designed compliance into our own systems and working processes.  As a result, we’re seeing more and more organisations approaching us to use solutions like CardLock and reduce their PCI burden, leaving them to do what they do best.”

PCI Data Security Standards are a comprehensive set of guidelines designed to ensure the highest levels of protection for cardholder data. They apply to all businesses that process, store and transmit sensitive cardholder information, and certification must be renewed annually.  As the CardLock plugin significantly reduces PCI responsibilities, digital merchants can continue to develop their own mobile and online consumer experiences, safe in the knowledge that PayPoint have removed the compromises necessary to avoid many of these rigorous, time-consuming, and costly compliance tasks.