How can tokenization help you meet PCI compliance?

If your business is under pressure to lock down data storage, especially customers' sensitive data, it's likely you've been inundated with a stack of options.

When your business accepts payments over the phone, the real concern is that cardholder data can enter your systems and leave your organisation exposed to all kinds of threats.

So if you're looking for a method to secure your data, how do you choose? Normally it depends on your organisational priorities. It could be that you're looking to de-scope just a part of your contact centre, or maybe you'd rather eliminate the whole environment.

Recently, tokenization technology has been introduced to the market, and it is ideal if you need to stop card data from entering your networks entirely, with as little integration as possible.

However, in many of our conversations we've found that tokenization is commonly mistaken for the security method of encryption.

This is how tokenization actually secures phone payments

Tokenization replaces sensitive payment data with a randomly assigned token, which therefore cannot be decoded or reversed. Non-sensitive data can also be replaced with tokens, but the data most commonly tokenized is the primary account number (PAN), i.e. the credit card number.

In relation to PCI DSS requirements, tokenization reduces the amount of plain-text sensitive data stored in your environment.

The difference between tokenization and encryption

Whereas encryption takes sensitive credit card information and turns it into data that is largely unrecognisable to unauthorised people, tokenization systems randomly generate a value that replaces the credit card data completely. Because the token is not derived from the card data, it is virtually impossible to decipher the information or reverse-engineer the token.

A data vault, usually managed by a third party, is the only means of relating credit card values to their tokens. Typically, the token will retain the last four digits of the card so it can be accurately matched with the credit card owner.

If this system is correctly implemented, it enables you to continue to take web and mobile payments, but without sensitive information in your environment. This helps to ensure your PCI compliance.
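As an added, simplified illustration of the vault model described above (example code, not CallGuard's or any PSP's implementation): a random token that keeps the last four digits, a lookup table in the vault as the only way back to the PAN, and a Luhn check on the input so garbage is rejected. The rule that a token must itself fail the Luhn check is an assumed design choice, not something the post states.

```python
import secrets
import string

# Illustrative token vault: the only component that can relate a token back
# to a PAN. The vault itself stays in PCI scope; everything that only sees
# tokens does not.
class TokenVault:
    def __init__(self):
        self._token_to_pan = {}   # in practice an encrypted, access-controlled store
        self._pan_to_token = {}   # lets a repeat card map to the same token

    @staticmethod
    def luhn_valid(number: str) -> bool:
        """Luhn check-digit test that real card numbers satisfy."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self.luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits replace everything except the last four, which are
            # kept so the token can still be matched to the cardholder.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Assumed design choice: a token must fail the Luhn check so it can
            # never be mistaken for a live card number downstream.
            if token not in self._token_to_pan and not self.luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can do this; there is no formula to invert a token.
        return self._token_to_pan[token]


# Constructed sample input: the well-known "4111..." test card number.
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print(tok, vault.detokenize(tok))
```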

Doesn't my PSP already do that?

Your PSP may provide a token, but the original card number must still be presented to it in order to create that token. This means that, to be completely compliant, the tokenization solution must have a way to protect the original cardholder data before it is tokenized.

Audio tokenization secures this risky area and keeps your systems entirely out of scope. When customers enter their card details on their telephone keypads, audio tokenization converts the sensitive card digits into tokenized, non-sensitive digits before they reach your environment.

Using Audio Tokenization to Reduce PCI DSS Compliance Scope

In PCI DSS terms, audio tokenization replaces the sensitive PAN with non-sensitive tokens. This revolutionary payment technology eliminates cardholder data from payments made over the phone, which is itself an obvious benefit compared to other PCI DSS compliance solutions. The primary benefit is that it preserves the value of cardholder data for merchants and service providers, while a token that is compromised or stolen is useless to criminals.

We're already providing tokenization technology for many of our customers. CallGuard with tokenization enables you to receive telephone payments from customers in a convenient and professional way, removing your entire contact centre from PCI scope whenever you take telephone payments.

Get in touch today to find out more about how tokenization can work for your organisation.


Posted by admin at 9:56 AM on Nov 4, 2015

