The recent PCI Security Standards Council guidance on tokenisation strengthens the case for a managed payments service, according to Commidea, which predicts increased demand for hosted services as merchants look to simplify their compliance activities and costs and, in particular, to reduce their exposure to potential fraud.
Tokenisation simplifies compliance efforts by minimising exposure of sensitive card details: the Primary Account Number (PAN) is replaced by a token. If handled by a suitable managed service provider, the encrypted card details are stored securely within a PCI DSS Level 1 certified data centre and a Token ID is returned to the merchant for use in place of the PAN. This keeps sensitive card data from traversing the merchant's network infrastructure, which supports the merchant's compliance programme. Furthermore, because the card data is held only as a token, the merchant no longer stores sensitive cardholder data on its networks or databases and so removes the risk of its theft from those systems. Commidea supports removing the token from the scope of PCI DSS by ensuring that an attacker cannot recover the PAN value computationally from the token itself, from multiple tokens, or from other token-to-PAN combinations.
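To make the properties described above concrete, here is an added example in Go of a minimal token vault; it is not Commidea's code or product, and no PCI document prescribes this design. The token is random rather than derived from the PAN, the PAN is held only as AES-GCM ciphertext on the provider side, and detokenisation is a provider-only operation; the token format (12 random digits plus the last four of the PAN, rejecting candidates that pass the Luhn check) and the in-memory key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Vault stands in for the provider-side store (token -> nonce || AES-GCM ciphertext of the PAN).
type Vault struct{ aead cipher.AEAD; store map[string][]byte }
func NewVault(key []byte) *Vault {
	block, _ := aes.NewCipher(key)  // 16-, 24- or 32-byte key; a real vault keeps it in an HSM
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead, map[string][]byte{}}
}

// LuhnValid is the check-digit test that every real PAN passes.
func LuhnValid(s string) bool {
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i]-'0') * (1 + i%2) // double every second digit from the right
		sum += d/10 + d%10                       // and add its digits (d < 20, so this holds)
	}
	return sum%10 == 0
}

// Tokenise issues 12 random digits plus the PAN's last four (kept for receipts; an assumption).
// Candidates that pass Luhn are rejected so a token can never be mistaken for a PAN.
func (v *Vault) Tokenise(pan string) string {
	n, _ := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000)) // unbiased 12 digits
	tok := fmt.Sprintf("%012d%s", n.Int64(), pan[len(pan)-4:])
	if _, taken := v.store[tok]; taken || LuhnValid(tok) {
		return v.Tokenise(pan) // retry: must be unique and must not look like a PAN
	}
	nonce := make([]byte, 12)
	rand.Read(nonce)
	v.store[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok)) // token bound as AAD
	return tok
}
// Detokenise is the provider-only path back to the PAN; the merchant holds only the token.
func (v *Vault) Detokenise(tok string) (string, error) {
	blob, ok := v.store[tok]
	if !ok {
		return "", fmt.Errorf("unknown token %s", tok)
	}
	pan, err := v.aead.Open(nil, blob[:12], blob[12:], []byte(tok))
	return string(pan), err
}
```

Because the token is bound as associated data, a stored blob cannot be re-filed under a different token, and any edit to the ciphertext is rejected on detokenisation.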
To further reduce the threat of card data being processed and stored on a merchant's network, the merchant can combine a tokenisation function with a point-to-point encryption payment solution. In this scenario, sensitive cardholder data is encrypted at the point of interaction, i.e. in the terminal itself, thus removing it completely from the merchant's systems.
Marc White, Head of Security & Compliance at Commidea, says, "Merchants are increasingly looking at ways to reduce the cost and impact of complying with industry standards such as PCI DSS. It is becoming very clear that one simple and cost-effective way of achieving and maintaining their ongoing compliance is to utilise both tokenisation and point-to-point encryption capabilities. Commidea is one of very few payment service providers who have such proven solutions already live with UK merchants."
Supporting this view, Jeremy King, European Director of the PCI SSC, pointed out in a recent interview with TechTarget that tokenisation has until now been seen as a substitute for point-to-point encryption, limiting the scope of compliance, but that for best practice the two techniques are now being combined by some merchants.
King continues, "Point-to-point encryption works very well at the initial point of sale, but once the data gets into your systems, tokenisation works better. It seems we can use the best of both technologies throughout the transaction process."