Ecommerce Developer

Tokenization Eases PCI Burden

Segmenting credit card data and using tokenization greatly reduces the scope of the Payment Card Industry's (PCI) Data Security Standard (DSS), making it easier for small merchants—and the developers that support them—to protect customer credit card data.

The PCI DSS version 1.2 encourages network segmentation, whereby customer credit card data is isolated from the rest of the store's network. This practice, according to the PCI Security Standards Council, (1) reduces the scope of any PCI DSS assessment or audit; (2) eases the financial burden associated with any PCI DSS assessment; and (3) reduces overall risk to both the merchant and the customer since credit card information is consolidated into "fewer, more controlled locations."

Combining the idea of network segmentation with the use of tokens to represent credit card data can add an additional level of security and further reduce an individual merchant's PCI DSS scope and, therefore, compliance costs.

For example, in a system where credit card numbers pass through a segmented portion of the web server and are immediately handed to a secure, PCI-compliant payment processor in exchange for an encrypted token, the merchant can focus its compliance efforts on just the segmented web server that the card numbers briefly pass through. There is no credit card number to store; instead, the token is associated with the customer account. What's more, if the system can be coded so that the credit card number is sent directly from the customer's browser to the payment processor, the PCI DSS liability is virtually eliminated.
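The split described above, as an added example that is not the publication's or any payment processor's code: a toy processor that vaults the card number and returns a random token, a merchant that stores only the token and last four digits, and a scope check that scans the merchant's stored records for anything Luhn-valid that looks like a card number. The `Processor`, `Merchant` and `pans_found` names and the in-memory vault are assumptions for illustration.

```python
import json
import re
import secrets

TEST_PAN = "4111 1111 1111 1111"  # constructed sample: the standard Visa test number

def luhn_valid(pan: str) -> bool:
    """Mod-10 check; validates input and recognises stray PANs in stored data."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Processor:
    """PCI-scoped side: the only place a full PAN lives (in-memory vault here)."""
    def __init__(self):
        self._vault = {}  # token -> PAN
    def tokenize(self, pan: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token: unlike a hash of the PAN, it cannot be brute-forced back to the PAN.
        token = "tok_" + secrets.token_urlsafe(24)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._vault[token]  # unknown token -> KeyError
        return {"approved": amount_cents > 0, "card": "*" * (len(pan) - 4) + pan[-4:]}

class Merchant:
    """Merchant side: stores the token and last four digits, never the PAN."""
    def __init__(self, processor: Processor):
        self.processor, self.customers = processor, {}
    def save_card(self, customer_id: str, pan: str) -> str:
        self.customers[customer_id] = self.processor.tokenize(pan)
        return self.customers[customer_id]["token"]

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.processor.charge(self.customers[customer_id]["token"], amount_cents)

def pans_found(records) -> list:
    """Scope check: Luhn-valid 13-19 digit runs in serialised merchant data."""
    blob = json.dumps(records)
    return [m for m in re.findall(r"\d(?:[ -]?\d){12,18}", blob) if luhn_valid(m)]
```

Running `pans_found` over the merchant's records is the kind of check an assessor performs when deciding what is in scope; the same scan over a record that holds the raw card number flags it immediately.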

Using segmentation and tokenization is certainly worth considering. But the process is also nuanced. For example, a so-called PCI expert recently told me that the Apache Foundation was going to have to get its HTTP Server Project PCI certified or else merchants wouldn't be able to use the web server software anymore. I didn't agree with him, but his statement makes the point that there is a lot of confusion in the industry about the scope of PCI DSS compliance.

Because of this confusion, I have asked Juan Carlos Perez, vice president of technology and product development at PaymentVision, which is a level-1 PCI-compliant electronic bill payment and payment gateway service provider, to join me for an educational PCI webinar this Thursday, at 2 p.m. Eastern time.

This webinar is the first example of Ecommerce Developer's commitment to ending the confusion about PCI DSS.
