As a retailer who accepts card payments, you are obliged to spend a considerable amount of money on securing your payment systems (as stated in part 1), but just like tying knots, there are many different ways to secure something, and knowing which approach to follow could prevent a disaster.
Your Qualified Security Assessor (QSA) should already have taken you through the standard questions to identify what sensitive data your organisation has, where it is, and whether you need to store or even process it. The standard approach they then recommend would typically be to segregate the network, encrypt data, and restrict access. But are there smarter approaches to consider (and is it in the QSA’s interests to simplify your PCI audits)?
In the white paper we are publishing at the end of this month we not only discuss descoping systems, outsourcing, tokenisation, and point-to-point encryption (P2PE); we also capture the current sentiment and future expectations of retailers with respect to these. If you’re interested to read more, please register to receive your copy.
Unlike tying knots, there is no single best approach and it may be best to implement a combination of multiple approaches; bear in mind too that your environment is unique, and will change over time. In part 3, I will talk about outsourcing, and answer the question about whether it is possible to outsource your payments system without being shoe-horned into a one-size-fits-all solution (spoiler alert: it is!)
So I’d like to touch here on P2PE and tokenisation. Earlier in the year, we ran a webinar, “Keep the Hackers Out and Reduce Your PCI Scope with Point to Point Encryption”, which explains the concepts; I’ll assume you’re familiar with them, and if not you could watch a replay of it here. They are often grouped together as complementary technologies, and the questions you should consider before choosing a supplier are similar; however, P2PE and tokenisation can be implemented independently, and can be provided by different suppliers. The questions centre on who owns the data: who controls the encryption keys loaded onto the PED, and where are they used to decrypt the data? And in the case of tokenisation, where is the original sensitive data stored?
By its very nature, P2PE requires the PED manufacturer’s involvement, but should the PED manufacturer also provide the decryption appliance and the inventory management? Delegating too much responsibility to one supplier could result in you being locked in. Similarly, if the decryption keys and/or token vault are held by a third party or PSP, how easily can you move to another provider? What about being able to add support for new payment types like closed loop / prepaid cards, PayPal, etc.? Will you be reliant on your PSP, and what will they charge you per transaction?
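To make the “where is the original sensitive data stored?” question concrete, here is a small Python model of a token vault, added as an illustration for this post; it is not code from the original article, from ACI, or from any PED or PSP vendor. The class and function names (TokenVault, record_sale, luhn_valid) are my own, and the test card number 4111111111111111 is a constructed sample. The point it shows is that a well-formed token carries no information from which the card number can be recovered: whoever operates the vault holds the PANs (and the PCI scope that comes with them), while the retailer’s own systems only ever see the token and the last four digits for receipts.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; used both to validate PANs and to make sure a
    generated token can never be mistaken for a real card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: holds the only mapping between tokens and PANs.
    Whoever runs this component (you, your PSP, or a third party) owns the
    sensitive data, so the ownership questions in the post apply here."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Same card -> same token, so refunds and loyalty analytics still work
        # on the retailer side without ever touching the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Format-preserving token: 12 random digits + real last four.
            # The random part comes from a CSPRNG, so nothing is derivable
            # from the token; we also require it to FAIL the Luhn check so
            # it can never pass as a live card number downstream.
            candidate = "".join(secrets.choice(DIGITS) for _ in range(12)) + pan[-4:]
            if not luhn_valid(candidate) and candidate not in self._pan_by_token:
                break
        self._pan_by_token[candidate] = pan
        self._token_by_pan[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the vault operator can do this; there is no key to leak,
        only the mapping itself."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_pence: int) -> dict:
    """What a retailer's sales system should end up storing: no PAN at all."""
    token = vault.tokenize(pan)
    return {
        "token": token,
        "masked": "*" * (len(pan) - 4) + pan[-4:],   # receipt-friendly form
        "amount_pence": amount_pence,
    }


if __name__ == "__main__":
    vault = TokenVault()                        # constructed sample data
    sale = record_sale(vault, "4111111111111111", 1999)
    print(sale)
    print("vault can recover PAN:", vault.detokenize(sale["token"]))
```

Note the two properties the retailer should insist on from any supplier: the token is not a function of the PAN (so changing vault provider means migrating the mapping, not re-keying anything), and the retailer’s records never contain the PAN in the first place, which is what actually takes those systems out of scope.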
If you have any anecdotes to share (anonymous or otherwise), questions or advice, I’d love to hear from you – my name is Michael Kyritsis, I’ve worked in the payments industry for 17 years, and I’m employed by ACI as lead solution consultant. Throughout my career I’ve been determined to see how EFT software is used by real customers, and I am continually discovering that each customer has unique requirements – there’s no one-size-fits-all solution. Similarly, each customer has unique perspectives to contribute to a collective “industry view”. Distilling this industry view, and seeing how it compares to our solution’s capabilities, is both reassuring and challenging. I’ve concluded that in the ACI retailer solution we have the expertise and products to build a solution perfectly tailored to the requirements of the largest and most demanding global retailers. Thanks for reading this far; until next time, Michael.