Hosted Tokenization

Bolster Security & Minimize Compliance Complexity

Hosted tokenization is a best practice approach for financial account data transmission and storage that enables you to process payments without exposing an application to financial account data. The system can be used to integrate payment processing functionality without bringing an application into PCI-DSS scope.

hosted-tokenizationB1948C429501

  • Avoid data breaches of security due to non-compliance
  • Integrate payment functionality into your application without the cost, time, or resources associated with PCI-DSS (Payment Card Industry Data Security Standard) compliance
  • Allows safe scheduling and processing of future-dated and recurring credit card transactions

Allows safe scheduling and processing of future-dated and recurring credit card transactions

Fines can range from $5,000 to $500,000. Banks may assess costs for forensic research needed to secure data and assess the scope of a breach. Credit card issuers may levy fines as a punishment for non-compliance and propose a timeline of increasing fines.

What are the data breach costs?

Breaches of security due to non-compliance can have serious consequences:

  • Legal claims by customers
  • Fine of $50-$90 fine for each compromised card
  • Loss of reputation, trust and future sales
  • Termination of merchant account

What’s in PCI-DSS Scope?

While it is ultimately the merchants’ responsibility to protect cardholder data, any service provider or software application used by the merchant to process, store or transmit cardholder data is in scope of PCI-DSS; meaning in order for a merchant to be PCI Certified those parties and systems must also be compliant.

How to remove your Application/System from PCI-DSS Scope?

So how can a merchant or software provider integrate payment functionality without bringing a system into scope? The secret is to build a workflow that avoids performing any of the card data functions.

  • Step One
    Processing card data is easily avoided by integrating a PCI-DSS certified payment gateway with an Application Programming Interface (API).
  • Step Two
    Storing card data can be avoided using tokens, which are symbolic representations of a financial account only meaningful to the merchant. Tokens can be stored and used in a wide range of systems without bringing those systems in scope of PCI-DSS storage requirements.
  • Step Three
    Transmitting card data can be avoided using a session within a PCI-DSS certified registration channel. A hosted tokenization session can be requested from a PCI-DSS certified registration channel in order to tokenize or enroll a financial account in payments without exposing a server to card data. Data can be included in the request to pre-populate the session so the handoff is transparent to the end user.