Pci Compliance: Save Money by De-Scoping With Tokenisation

By Rob Crutchington – Director at Encoded www.encoded.co.uk

Tokenisation is a process of replacing sensitive card data with a sequence of numbers that, when used within a specific payment gateway, reference back to the card data without compromising its security.  This is particularly useful for organisations that take repeat or subscription payments for example membership fees.  This functionality is similar to having a Direct Debit in place, but instead utilises all the flexibility and benefits of a card payment scheme. Once the initial transaction is verified the card becomes trusted and any subsequent payments will not require details to be taken again until the original card expires.

Another benefit of Tokenisation is that if the payment fails for any reason neither the merchant nor the card holder are penalised,

Rob Crutchington

unlike with direct debits.  Offering customers a new method of making regular payments adds value as well as raises an organisation’s customer service profile.  There is also a reduced risk of declined payments with tokenised cards, because a successful payment must be made prior to Tokenisation.

Using Tokenisation the whole payment process is faster, easier and more secure for regular customers while saving on time and resource for merchant organisations.

But how does this help with PCI compliance and save money?

To be PCI DSS* compliant organisations cannot retain customers’ card details; however, by working with a PCI compliant payments provider with a Tokenisation solution, merchant organisations can reduce the scope of the cardholder data environment (or de-scope).  De-scoping is the process to reduce the number of requirements for PCI compliance.  To become PCI compliant there are 12 requirements, consisting of 258 controls, designed to standardise controls surrounding card holder data and to protect consumers and merchants (organisations) against security breaches.  The payments provider handles the tokens taking responsibility for cardholder data security.  Therefore it is important to work with a Level 1 PCI DSS compliant payment service provider.

By implementing Tokenisation (also known as recurring or stored card payments) organisations can vastly reduce the scope of PCI compliance and increase data security.  Tokens can only be used by the PCI compliant service provider’s payment gateway and if they are stolen or written down the token is completely useless to anyone outside of the payment environment.

The process of Tokenisation means that payment card numbers are not stored in databases making it difficult for hackers and reducing the chances of cyber theft.  Furthermore if multiple payment methods such as agent assisted card payments, website and automated interactive voice response (IVR) solutions are configured to offer tokens, from a shared token pool, then the collection of card information in the contact centre can be removed completely allowing for only tokenised transactions to be taken by live agents.

Therefore, Tokenisation increases security of card holder details while minimising the cost and complexity of PCI compliance.  However, not all payment solutions can handle tokens and to get the full benefit of the process it is important that tokens are compatible across all payment methods including IVR, virtual terminal, agent assisted and web payments.

While an organisation’s responsibility for PCI compliance cannot be entirely removed, as the merchant account agreement is between the merchant organisation and its bank or acquirer, Tokenisation is a great way to de-scope for compliance purposes while improving the security of cardholder data and customer experience.