P A Y M E N T S I N T E G R A T I O N S E C U R I T Y

paymetric.com

PCI Compliance

Understandingthe Regulations

for SecuringCustomer Data

Tokenization

Encryption

P2PE

Cardholder Data

PCI DSS

2

ePayment and Data Security

22

What is PCI compliance?Who does it apply to?

Any merchant, bank, service provider or processor that accepts, transmits or stores cardholder data.

With the increasing threat of security breaches, companies must

take every precaution to ensure sensitive payment cardholder data

is not compromised. Payment Card Industry Data Security Standards

(PCI DSS) outline the steps merchants and service providers must

take to ensure the safe handling of sensitive information.

This eBook provides a quick overview with some tips for

safeguarding your customer’s account and payment information.

YOU, as a merchant and a consumer – with over 21 million Americans a�ected by a data breach last year which is nearly 7% of the US population.

Who does it protect?

• Cardholder name• Expiration date• Service code

What is ‘cardholder data’?

• Up to $500,000 per incident • Possible increase in transaction fees, or termination of relationship with bank • Reputation costs (damage to the brand) due to lost customer trust

The Penalties: How does non-compliance a�ect merchants?

Requires merchants and service providers to meet a minimum level of security standards to protect confidential customer information

Mandates the use of firewalls, message encryption, computer access controls and antivirus software

Requires frequent security audits and network monitoring

Forbids the use of default passwords

PCI DSS at a glance:Cardholder

name

Expiration date

Service code

2

ePayment and Data Security

23

12 standard requirements of PCI DSS

Goals PCI DSS Requirement

Build and maintain a secure network

1. Install and maintain a firewall configuratino to protect cardholder data2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protectcardholder data

Maintain a vulnerability management program

5. Use and regularly update anti-virus software or programs6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

Tokenization is e�ective in protecting stored cardholder data

and other sensitive information or Personal Identifiable Information

(PII)

Encryption (P2PE) is a secure solution

for transmitting cardholder data and sensitive

information across open public networks

#3

#4

This eBook focuses on how to protect cardholder data which are addressed by requirements 3 and 4.

3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public networks

224

ePayment and Data Securityhow it works

Tokenization is an e�ective approach for

protecting stored cardholder data. Tokenization

is a technology solution that protects raw card-

holder data from entering enterprise systems,

and during communication between and storage

within enterprise systems. Paymetric’s patented

tokenization solution stores card numbers in an

o�-site, secure data vault. The payment card

numbers are replaced with tokens in all other

databases and applications so the sensitive

information cannot be accessed in the event

of a security breach. Not storing cardholder

data anywhere greatly reduces the scope of

PCI Requirement.

3# What isTokenization? 1234

Payment Service Providers

1234

This diagram shows how an ePayment solution prevents raw card numbers (1234) from ever entering a merchant’s system. When a field comes up for raw card number entry, the ePayment solution captures the number outside of the merchant’s ERP application, retrieves and stores it securely, and returns a (token) in its place.

This enables the application to contain no usable credit card numbers, only tokens. This reduces the number of audit items by 60 percent, saving significant cost and time. An environment without raw credit card numbers may qualify for Self Assessment Questionnaire (SAQ) C with 139 questions instead of SAQ D with 326 questions. And unlike an encrypted card number, a token can’t be reverse-engineered to reveal the actual card number.

Tokenization replaces a credit card number

with a randomly generated code

(token) of novalue to hackers.

ProcessorCustomer

Merchant

ePayment and Data Security

Point-to-point encryption (P2PE) is also

included in the new 3.0 PCI guidelines

and it is important to understand how to

reach compliance and the role of P2PE

in a retail or call center environment.

nsures card numbers are

encrypted at the pin pad in the P2PE

device and while in transit all the way to

the payment processor.

P2PE hardware is tamper proof, which

prevents somebody from gaining access

to the data by modifying the hardware.

4# What isP2PE?

Included in the new PCI 3.0 guidelines

Technology solution that removes credit card numbers from the entire network and PCs

Keeps sensitive cardholder data from entering call center systems

P2PE at a glance:

how it works

P2PE Service

Service Provider

MerchantData Center

Point-to-PointEncryption

TOKEN

CALLCENTER

PIN PAD

Removes your network from PCI scope

Dramatically reduces PCI scope and costs

Protects your organization from data breach

225

P2PE e

ePayment and Data Security

5 ways to reduce PCI DSS scope:

Consolidate: Identify and eliminate redundant data sets and consolidate applications and information storage

Centralize: Store encrypted data in a highly secure on-site central data vault

Encrypt: End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE) ensures card numbers are encrypted

at the point-of-sale and while in transit, all the way to the payment processor

Outsource: Outsourcing all or some of payment card processing to a PCI DSS compliant service provider - especially

relevant to companies conducting eCommerce transactions

Tokenize: With card numbers stored in an o�-site highly secure data vault, tokenization replaces the card numbers

with tokens in all other databases and applications

The technique that works best for most Card Not Present (CNP) merchants is a combination of outsourcing and tokenization as described above. Tokenization enables businesses to eliminate the storage and/or transmission of cardholder data in enterprise systems and applications. Implementing tokenization makes compliance easier than replacing an existing application with a PCI DSS compliant one.

22

1

2

3

4

5

22226

Make the Right Moves for PCI Compliance

ePayment and Data Security

Maintaining PCI Compliance ensures

that your organization reduces scope,

reduces costs and minimizes the risk of

falling victim to a data breach. Make sure

that you are making the right moves to

protect your cardholder data.

Contact Paymetric and let our experts

show you how.

855-476-0134

info@paymetric.com

www.paymetric.com

What to learn more?

Podcast: Call Center SolutionsKeep sensitive cardholder data from entering your call center and dramatically reduce PCI scope and costs.

Datasheets:Paymetric P2PERemove call center workstations, virtual terminals, and keyboards from your PCI DSS Cardholder Data Environment.

Paymetric Data Security Proprietary Tokenization Solution.

Case Studies:Learn how we have helped over 700 leading worldwide brands streamline payment processing, improve security and minimize PCI DSS impact.

Share This eBook

thank you!227

About PaymetricPaymetric, Inc. is the global leader in integrated and secure electronic payment solutions for the enterprise to enable

companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance

and improve return on electronic payment acceptance. Paymetric is a recognized industry leader with award winning

solutions and world class client service.

P A Y M E N T S I N T E G R A T I O N S E C U R I T Y

paymetric.comContact Paymetric at info@paymetric.com or 1-855-476-0134 to learn more.

©2016 Paymetric, Inc. All rights reserved. The names of third parties and their products referred to herein may be trademarks or registered trademarks of such third parties. All information provided herein is provided “AS-IS” without any warranty.

28