Tokenization is the process of replacing sensitive data with a meaningless number. There is no universal standard for tokenization in payments. The key principal is that no part of the token has any relation to the credit card or check data.  The tokens themselves are useless outside of the system for which they are designed to be used. Tokens can be created for one time use or stored for recurring.

Encryption is the conversion of data into a form that cannot be easily read by others. That which is encrypted can be decrypted.

Payment card industry data security standards (PCI DSS) do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction, with very rare exception.  If you store card data on your servers, regardless of access limitations, you’ll have a hard time proving your company was PCI Compliant in the event of a data breach. The financial liability, and potential criminal liability, is substantial.

If PAN data (primary account/ credit card number ) is encrypted, it’s still within the merchant scope for PCI because it can be decrypted. The exception is if the merchant is using a third party that is using PCI Compliant strong encryption, and there is no ability for the merchant to decrypt the data and get back PAN’s. *

Tokenization helps merchants reduce the scope for PCI DSS compliance whenever credit card data is stored, because the merchant cannot reverse engineer to access the PAN data. Encryption can be used by the third party to protect the data in the token vault. It is not required by PCI.  When a merchant uses a token to process a transaction, the associated payment information in the vault is delivered to the processor. How and in what format? The logical and physical elements vary by provider and specific controls are secret for security reasons, but it’s a fair question to ask when considering a new provider.

The CenPOS payment platform uses both tokenization and encryption for maximum reduction of PCI scope for merchants, and for data security throughout the payment cycle. It provides the most flexibility for merchants, because they can change processors with no disruption to their business.

*Refer to PCI guidelines for further details. Official PCI Security Standards Council Site

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) shows growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients? About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long ways to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

• 3 (protect stored cardholder data)
• 10 (track and monitor access)
• 11 (regularly test systems and processes)
• 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing,  charging the same amount on a fixed schedule. However, CenPOS is unique to offer storing card data for billing a variable amount, token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

Tokens are issed for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

• User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
• Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data, the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging, but is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies) While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

• Web payments on a hosted pay page, not the merchants web page
• Electronic Bill Presentment and Payment- same as above.
• Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.

Have you ever needed to check if a credit or debit card is valid, but you don’t want to authorize or charge yet? We’ve added a new feature for our CenPOS Virtual Terminal called Positive Card. CenPOS will go out to the networks with a zero authorization amount to validate the card with the issuer prior to being stored.

REVIEW OF ENCRYPTED PAYMENT STORAGE OPTIONS NOW AVAILABLE:
Positive Card- validates card. Merchant validate CVV, address and zip code passes fraud check and decide whether the answers are acceptable before storing. Why would you accept a card if it doesn’t pass everything? Only Canada and the UK participate in AVS check; If you know your customer, you may wish to allow the card anyway. This feature allows you to enter a card, then make an educated decision as to whether you want to store it for recurring billing.
Repeat Sale- Offered for check/ACH and credit/debit. Process a transaction and it creates a new token to use for future sales transactions. CVV not allowed per PCI Compliance. Later, check the Token Box, enter the Token ID, amount and invoice #. That’s it.
Recurring Payments Module: Offered for check/ACH and credit/debit. Set up client contracts and store multiple cards, payors, and payment methods for a single account. Regardless of where a token was issued (resale, recurring, positive etc) the token is the same for all.
Securely store any payment type for variable amount token billing or fixed recurring billing.

FAQ:
How do I get this feature? Administrators login to the Virtual Terminal and turn on for each user you want to have access. (This also applies to the other options.)
Will this also validate checks? No, It resides in the credit/debit. If you have a need, let us know.
Are there fees? Yes. 6/14/11 MasterCard charges $.03 for this service, effective with their announcement to support zero auth address verification (AVS), card verification code 2 (CVC 2) validation or both. Expect similar fees on all networks now or in the future. Standard CenPOS per transaction fees apply.
Can we use tokens for the EBPP/ E-invoice service? Not yet, but it’s in development. Currently customers will click the email and enter payment information for each invoice.

The tools are in place for you to eliminate faxed authorization forms that expose payment data and reduce PCI Compliance scope. If you need help using the features or how to deliver the token approval form for signature to your clients, please do not hesitate to call.

A brief security note for customers using one of our retail solutions.

Do not store passwords and login information on your desk or in any unlocked area.

What if the machine does not recognize the magnetic strip?  If the machine says “re-swipe”, then

• Check to make sure terminal is swiping properly (test any card by swiping without charging)
• Try swiping at a different rate of speed.
• Check for valid card security features (hologram etc, imprinted security code etc)
• If the card appears to be OK, and you have permission to key enter, enter the transaction information and then have the customer sign the printed receipt as usual.
• Verify the signature and card data on the receipt match the actual card.

Note: if the 4 digits do not match- it is ALWAYS a fraudulent card.

If suspicious, hold onto the card and call your Voice Auth phone number. “I have a code 10 authorization request”. Cash rewards up to $1000 are available to merchants and employees for recovered cards, including $100 from Visa for a last 4 digit mismatch, if this procedure is followed.

Do not store card data outside the system for any reason. Use the Repeat Sale button if you need to securely store card data to re-bill at a later date. The encrypted card data is stored on PCI Compliant servers, never at the merchant location, and you can charge the account again with the token that will be issued.

Can I store encrypted credit card data and bill different amounts to a customer?  Yes, and this video demo of our most advanced virtual terminal shows you exactly how. This is a universal PCI Compliant virtual terminal, meaning it’s compatible with all major credit card processors.

Almost any virtual terminal solution can securely store card data for recurring billing, where the card is charged the same amount each time, but none of the most popular virtual terminals offers a secure token solution to charge a variable amount.  Chase Paymentechs’ Orbital ®Gateway, Authorize.net ®, and PC Charge® all offer recurring billing, but do not offer variable amount billing for their standard gateway. If there is a custom option, I’m not aware of it.

Chase Paymentech Orbital, Authorize.net, PC Charge are all gateways. Our solution is a SWITCH, and also  a gateway. What’s the difference? A gateway passes data over the internet to facilitate an electronic transaction. A switch identifies the data,  makes logical decisions, and then routes the data based upon pre-defined parameters. For example, a gateway passes card data from the point of collection to the payment processor. Our switch can identify the card issuing bank, determine what’s needed to qualify the transaction for the lowest cost interchange, and then pass the data needed to meet that requirement. This is just one example of what switch technology can do.