While many retailers continue to comply with the payment card industry data security standard, some merchants are moving their payment data to systems outside the scope of the 12 in-depth guidelines of the standard, commonly called PCI, says Dave Glaser, vice president of global professional services at CyberSource Corp., a provider of payment processing and security technology and services.
PCI provides a framework for how merchants securely store and transmit payment card account data to keep it out of the hands of criminals; non-compliance with the standard can result in fines of up to $500,000 issued by credit card associations such as Visa Inc. and MasterCard Inc.
An increasing number of merchants are taking several steps to keep payment card data outside of their internal networks, however, making it virtually impossible to put them at risk of losing that data, Glaser says. Among the coordinated strategies these merchants are taking, he adds, are:
Tokenization, which changes some of the numerals in account numbers stored by a retailer, while the complete number is maintained off its network by a processing partner.
CyberSource, which is one of the companies that offers tokenization services, provides a retailer with full 16-digit numbers that include enough actual account numerals so the merchants can identify their customers without the risk of losing an entire account number that criminals could use to make fraudulent payments. By keeping the account numbers stored by retailers at the full 16 digits, the tokenization service enables a merchant to continue using software applications designed to handle 16-digit account numbers, Glaser says.
Placing customer payment acceptance forms on web pages hosted by third-party payment processing providers, so that when customers enter their payment card account numbers to make an online purchase, their account numbers are not stored on a retailer’s infrastructure; and
Outsourcing procedures such as chargeback recovery efforts so that a merchant’s in-house network and staff don’t have to handle actual account numbers when seeking to recoup chargeback losses.
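The tokenization strategy described above can be illustrated with a small simulation. This is an added example and not CyberSource's code or any processor's actual service; it assumes a processor-side vault that keeps the real account number, issues the merchant a random 16-digit token that preserves only the last four digits (the digits a merchant typically uses to recognise a returning customer), and returns the same token for the same card. The test card numbers used are constructed, industry-standard test values, not real accounts.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, as used for payment card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """A well-formed 16-digit primary account number (PAN)."""
    return len(pan) == 16 and luhn_valid(pan)


class TokenVault:
    """Stand-in for the processor-side vault (an assumption of this example).

    The merchant never holds this object or its mappings; it only ever
    receives and stores the token, so a breach of the merchant's network
    yields no complete account numbers.
    """

    def __init__(self, preserved_suffix: int = 4):
        self.preserved_suffix = preserved_suffix
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a well-formed 16-digit card number")
        # Same card, same token: lets the merchant recognise a returning customer.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        suffix = pan[-self.preserved_suffix:]
        while True:
            # The leading digits are random, not derived from the PAN, so the
            # token cannot be reversed without the vault.
            random_part = "".join(
                secrets.choice("0123456789")
                for _ in range(16 - self.preserved_suffix)
            )
            token = random_part + suffix
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. when submitting a charge."""
        return self._token_to_pan[token]


def merchant_display(token: str) -> str:
    """What the merchant's own systems show staff: a masked 16-digit value."""
    return "**** **** **** " + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"          # constructed test number
    token = vault.tokenize(card)
    print("merchant stores:", token, merchant_display(token))
    print("processor recovers:", vault.detokenize(token))
```

Because the token stays 16 digits long, merchant applications that expect a card-number-shaped field keep working, which is the point Glaser makes; the security gain comes entirely from the fact that the digits other than the preserved suffix are random and the mapping lives off the merchant's network.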
Although merchants have been able to use each of these strategies for years, they’ve only recently begun to combine all of them out of concern about fraud and keeping up with PCI, Glaser says. “The trend now is to combine all of them,” he says.