Payment Security: Step-by-Step
Reducing PCI compliance scope is a multi-step process. Card processing involves so many different entities and systems that each piece of the payments puzzle has to be secured one at a time. We talk a lot on this blog about how CardConnect’s solutions can take merchants’ systems out of the scope of PCI compliance, so it is high time we showed exactly how that works. Let’s start from the beginning.
Let’s take a look at a typical merchant processing environment, one with no PCI security solutions in place. In this basic IT infrastructure, the computers, servers and network equipment used by the call center employees (the example in the above diagram) are connected to the cardholder data environment (CDE) with nothing segmenting them from it, and so are all of the applications and databases that run in that environment. Every one of these elements is therefore in scope for PCI compliance and must undergo testing, annual auditing and evaluation by a Qualified Security Assessor (QSA).
The challenge, then, is to systematically shrink the PCI scope within the IT infrastructure. To do that, we identify each point at which card data enters the environment and replace the primary account numbers (PANs) with tokens at that point, so that a PAN never lands on the merchant’s own systems.
Let’s start with an easy change in the eCommerce environment.
Using the CardConnect AJAX Tokenizer
The AJAX Tokenizer is a small script that intercepts card numbers as customers enter them in your shopping cart and exchanges them for tokens generated and stored in the CardSecure vault.* Because the AJAX Tokenizer runs in the customer’s browser and talks directly to CardSecure, no card number is ever posted to the merchant’s servers or transmitted over the merchant’s network; the merchant’s server only ever receives the token.
This effectively removes card numbers from the eCommerce channel. One caveat a PCI assessor will raise: the merchant’s page still serves the checkout form and the tokenizer script, so under PCI SSC guidance it typically falls under SAQ A-EP rather than the lighter SAQ A. The web server never sees a PAN, but it still has to be hardened and monitored, since a compromise of that page could alter the script.
*CardSecure is a secure web service hosted by CardConnect in our PCI compliant data center.
Adding the CardConnect Desktop Tokenizer
Now let’s turn to the call center representatives taking phone orders and keying credit card numbers into your ERP or point-of-sale (POS) application. Adding a small desktop program, the Desktop Tokenizer, removes the sensitive data from what is likely your most critical and resource-intensive application: the representative keys the card number into the tokenizer, which exchanges it for a token from CardSecure, and only the token goes into the ERP, much as the AJAX Tokenizer does in the browser.
That makes two channels secured. Your ERP is protected, but your employees’ PCs still accept card numbers in the clear, which keeps them, and the network segment they sit on, inside PCI scope.
The next section addresses this very concern.
Going Further By Using PANPad
The PANPad is a PIN-entry-style device injected with an encryption key: it encrypts the card number on the device itself, and only the CardSecure vault holds the key needed to decrypt it. Much like entering digits on a calculator, the call center representative keys the primary account number (the PAN, or credit card number) into the PANPad. The device contacts the CardSecure vault and exchanges the encrypted card number for a token, and as the last step the representative enters that token into the application. The PC and the network only ever carry ciphertext and the token, never the clear PAN.
This takes the PC and the network segment it sits on out of scope as well. At this point we have covered all the major components of the solution. But what happens when the tokens in your system have to be sent to your payment processor to run the transactions?
Let’s take a look at one last requirement.
Moving To Hosting
By linking your ERP or POS to the CardConnect Gateway, you simplify the integration and reduce the risk and cost of PCI compliance. Once the integration is complete, you send transactions exactly as you did before, except that they go to the CardConnect Gateway. The Gateway communicates in real time with CardSecure, swaps the token in your message for the card number held in the vault, inserts the card number into the message and forwards it to the card processor of your choosing, adding less than 50 milliseconds of delay. The clear card number exists only on the hop from the Gateway to the processor, and both of those sit outside your environment.
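The data flow described in the tokenizer, PANPad and Gateway sections above, as an added example that is not CardConnect’s code or a description of how CardSecure is built internally. The `Vault`, `Gateway`, `panpad_encrypt` and `run_checkout` names are hypothetical stand-ins; the PANPad cipher is a toy HMAC keystream used only to show that the PC relays ciphertext, not a real device cipher; the card number is the standard Visa test PAN. The point it demonstrates is the one the post makes: tokens are issued and redeemed only outside the merchant’s environment, the merchant’s order record and the processor response never contain the PAN, and a token can be made to fail the Luhn check so it can never be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets
from typing import Any, Callable

# Hypothetical stand-ins for the CardSecure vault, the CardConnect Gateway and a
# card processor. They model the data flow only, not any vendor's implementation.


def luhn_valid(digits: str) -> bool:
    """Luhn check: lets the vault reject junk and lets us prove tokens are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four are the most PCI DSS allows on receipts and in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def panpad_encrypt(injected_key: bytes, pan: str) -> bytes:
    """Models the PANPad: encrypt on the device so the PC only ever relays ciphertext.
    Toy stream cipher (HMAC-SHA256 keystream XOR) for illustration only; a real
    device uses a hardware-protected key and a standard cipher."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(injected_key, nonce, hashlib.sha256).digest()
    data = pan.encode()
    assert len(data) <= len(stream)
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


class Vault:
    """Only this component ever holds clear PANs; it lives outside the merchant's CDE."""

    def __init__(self, injected_key: bytes) -> None:
        self._key = injected_key              # shared with the PANPad at key injection
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # keep the last four so the merchant can still show "ending 1111"; the rest is random
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # a token that passes Luhn could be mistaken for a real card number: regenerate
            if not luhn_valid(token) and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def tokenize_encrypted(self, blob: bytes) -> str:
        """PANPad path: decrypt under the injected key, then tokenize as usual."""
        nonce, body = blob[:16], blob[16:]
        stream = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return self.tokenize(bytes(a ^ b for a, b in zip(body, stream)).decode())

    def detokenize(self, token: str) -> str:
        return self._by_token[token]          # KeyError for unknown tokens: fail closed


class Gateway:
    """Takes the merchant's token-bearing message, swaps in the PAN, forwards to the processor."""

    def __init__(self, vault: Vault, processor: Callable[[dict], dict]) -> None:
        self._vault, self._processor = vault, processor

    def authorize(self, merchant_msg: dict) -> dict:
        pan = self._vault.detokenize(merchant_msg["account"])
        processor_msg = {**merchant_msg, "account": pan}   # the clear PAN exists only on this hop
        return self._processor(processor_msg)


def demo_processor(msg: dict) -> dict:
    """Stub card processor: approves any Luhn-valid account number, echoes a masked PAN."""
    return {"approved": luhn_valid(msg["account"]), "account": mask(msg["account"])}


def contains_pan(obj: Any, pan: str) -> bool:
    """Scope check: does a merchant-side record contain the clear PAN anywhere?"""
    if isinstance(obj, dict):
        return any(contains_pan(v, pan) for v in obj.values())
    if isinstance(obj, (list, tuple)):
        return any(contains_pan(v, pan) for v in obj)
    return isinstance(obj, str) and pan in obj


def run_checkout(pan: str = "4111111111111111", amount: str = "42.00", via_panpad: bool = False) -> dict:
    """End to end: customer or agent -> vault (token) -> merchant ERP -> gateway -> processor."""
    key = secrets.token_bytes(32)
    vault = Vault(key)
    token = vault.tokenize_encrypted(panpad_encrypt(key, pan)) if via_panpad else vault.tokenize(pan)
    merchant_order = {"account": token, "amount": amount, "note": f"card ending {token[-4:]}"}
    result = Gateway(vault, demo_processor).authorize(merchant_order)
    return {"order": merchant_order, "token": token, "result": result,
            "merchant_in_scope": contains_pan(merchant_order, pan) or contains_pan(result, pan)}
```

`run_checkout()` walks the AJAX or Desktop Tokenizer path; `run_checkout(via_panpad=True)` walks the PANPad path, where the vault first decrypts under the injected key. In both cases the order record the ERP keeps and the processor response hold only the token and a masked number, which is the property an assessor checks when deciding what stays in scope.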
Want more information about becoming PCI compliant? Just have a question about PCI compliance in general? Drop us a line and we’ll be in touch right away.