Hosted tokenization is a best-practice approach to transmitting and storing financial account data that lets you process payments without exposing an application to that data. It can be used to integrate payment processing functionality without bringing an application into PCI-DSS scope.
Breaches of security due to non-compliance can have serious consequences:
Fines can range from $5,000 to $500,000. Banks may assess costs for the forensic investigation needed to secure data and determine the scope of a breach. Credit card issuers may levy fines as a penalty for non-compliance and set a timeline of escalating fines.
While it is ultimately the merchant's responsibility to protect cardholder data, any service provider or software application the merchant uses to process, store or transmit cardholder data is in scope of PCI-DSS, meaning that for a merchant to be PCI certified, those parties and systems must also be compliant.
So how can a merchant or software provider integrate payment functionality without bringing a system into scope? The secret is to build a workflow that avoids performing any of the three card data functions: processing, storing and transmitting.
Processing card data is easily avoided by integrating with a PCI-DSS certified payment gateway through an Application Programming Interface (API).
Storing card data can be avoided by using tokens: symbolic representations of a financial account that are meaningful only to the merchant. Tokens can be stored and used in a wide range of systems without bringing those systems into scope of the PCI-DSS storage requirements.
Transmitting card data can be avoided by using a session within a PCI-DSS certified registration channel. A hosted tokenization session is requested from the certified registration channel in order to tokenize or enroll a financial account for payments without ever exposing the merchant's server to card data. Data can be included in the request to pre-populate the session, so the handoff is transparent to the end user.
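As an added illustration (not code from the original article, and not any real gateway's API), the following Python simulation walks the handoff above with three parties: the merchant server, the hosted PCI-DSS certified channel, and the cardholder. It also includes a scope check the merchant can run over its own stored records to confirm that nothing PAN-shaped ever landed on its side. `create_session`, `hosted_page_submit`, the token format and the test card number are hypothetical or constructed.

```python
import re
import secrets
import string

# ---- Simulated PCI-DSS certified registration channel (hypothetical) ----
# In reality this runs at the gateway; the merchant only talks to it over an API.
_sessions: dict = {}   # session_id -> {"prefill": ..., "token": ...}
_vault: dict = {}      # token -> card data; exists ONLY inside the certified channel

def create_session(prefill: dict) -> str:
    """Merchant requests a hosted session, pre-populating non-card fields only."""
    sid = secrets.token_urlsafe(8)
    _sessions[sid] = {"prefill": prefill, "token": None}
    return sid

def hosted_page_submit(sid: str, pan: str, exp: str) -> dict:
    """Cardholder enters the PAN on the hosted page; the merchant gets back a token."""
    token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
    _vault[token] = {"pan": pan, "exp": exp}          # PAN stays in the channel
    _sessions[sid]["token"] = token
    return {"token": token, "last4": pan[-4:]}        # merchant callback payload

# ---- Merchant side: stores and uses tokens, never card data ----
merchant_records: list = []

def enroll_customer(customer_id: str, callback: dict) -> None:
    merchant_records.append({"customer": customer_id, **callback})

def charge(token: str, amount_cents: int) -> bool:
    """Merchant sends only the token; the gateway resolves it inside its own vault."""
    return token in _vault and amount_cents > 0

# ---- Scope check: does anything on the merchant side look like a PAN? ----
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def find_pan_like(text: str) -> list:
    """Return 13-19 digit runs that pass Luhn: candidate PANs that should not be there."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]

def demo() -> list:
    sid = create_session({"customer_id": "cust-42", "email": "a@example.com"})  # constructed
    cb = hosted_page_submit(sid, "4111111111111111", "12/29")  # constructed test card
    enroll_customer("cust-42", cb)
    assert charge(cb["token"], 1999)
    return find_pan_like(repr(merchant_records))   # expected: [] (PAN never reached merchant)
```

Running the same `find_pan_like` check over your own databases, logs and support tickets is a cheap way to catch a card number that slipped past the hosted handoff (for example, typed into a free-text notes field).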