PCI DSS is about protecting cardholder data, primarily identified via the PAN (Primary Account Number) or the long number on the front of the card.
But the only reason to protect data is its value.
The average credit card limit is a few thousand pounds; reissuing a stolen card may cost €25; a debit card can withdraw about £250. But the value of the card number to your business can be very different.
Do you use the number for marketing analytics, repeat payments or customer support? Do you use the information to add value to your services and better target your customers?
If it’s simply a way of taking payment, then the card number itself is of no value to you, so why spend so much time and money protecting it? Why not spend that money reducing your scope of compliance?
As long as your organisation wishes to have customers pay by card, PCI compliance can never be fully eliminated, but it can be reduced to the point where it is trivial to maintain. There are various ways of doing this.
The most effective method of reducing the scope of compliance is to outsource cardholder data functions to a PCI compliant, certified service provider. Compliant services range from web hosting and remote maintenance to entire call centre and
payment processing solutions.
There is more information on this in Self Assessment Questionnaire (SAQ) A – ‘All cardholder data functions outsourced. No Electronic Storage, Processing, or Transmission of Cardholder Data’.
SAQ A reduces compliance to just 13 requirements, some only applicable if you deal with hardcopy cardholder data, such as merchant receipts. The rest merely require you to hold a list of service providers and ensure they remain compliant.
Tokenisation solutions replace the original PAN with a token. Whenever the PAN is required, the system reconstructs it from the token. Since the tokens are not actually PANs, they (and the systems that use them) are outside the scope of compliance.
Combining tokenisation and outsourcing is particularly effective, since this offers all of the functionality required. For example, a payment processor that offers tokenisation can allow you to set up repeat payments, still without requiring the
actual card number.
P2PE is a supporting standard, maintained by the PCI SSC, covering point-to-point encryption solutions – typically hardware devices which encrypt the cardholder data as it is taken. This data cannot be decrypted until it reaches the payment processer,
crossing the network without bringing other systems into scope.
P2PE solutions can greatly reduce the scope of compliance but only if they have been approved and listed on the PCI SSC website. Currently there are a number of approved assessors, but no approved solutions. This does not mean that P2PE won’t ultimately become effective, but customers need to push their vendors for certification before this route is a viable one.
PCI compliance is a requirement, but should not be a goal. Other goals will deliver more business value – and generate compliance as a by-product.
For example, 90% of PCI DSS requirements match security best practice, so if you set out to maximise your security, you will achieve the majority of PCI compliance as a positive bonus.
Ultimately, your organisation needs to decide the value that a card number has for you and if that value is worth the cost of compliance.