
I have been reading a few articles which describe using a Datavault and tokenisation to reduce PCI DSS burden.

My question is, are there any companies that offer to store data like credit card information securely in exchange for a token, and do they offer the ability to then view the data by authenticating yourselves and providing a token back to them?

Would this setup be PCI DSS compliant?

KSS

4 Answers


The companies you're referring to are commonly called Payment Service Providers (or PSPs) and examples would be SagePay, PayPal, Authorize.net etc.

These companies generally don't just act as a datastore, they also allow authorization and settlement of the card payment. You store only a token id on your side, and use the token id to request authorization/settlement/refund etc as required. Getting the card details back from the PCI compliant provider is not possible as it would compromise their PCI compliance.

Using a PSP alone will not magically make you PCI compliant, but it will make it significantly easier, as it removes all the burden associated with storing of card details. You will still have areas of PCI that you will need to comply with though, mainly regarding transmission of card details to the PSP.

PaulG
  • It is very costly to use PSPs in my country as there are only 3-4 companies who offer this service and most of which charge an additional 3-4% on top of the merchant fees charged by the various banks. – KSS Aug 09 '10 at 12:58
  • Yes, there are additional costs - it's how the PSP funds the additional hardware / administration etc costs that come with being PCI compliant. You could look into costing it out yourself, but I'd be pretty certain (in the short to medium term at least) you'd find it cheaper to use a PSP than become PCI compliant yourself. If you're not looking for 3rd party help, then what are you hoping for? – PaulG Aug 09 '10 at 13:04
  • The storing of credit card details was really just one part of what I want to achieve. The other part would be to securely store other personal information of customers in some sort of data vault for retrieval at a later point. I assume that if the company has a PCI DSS compliant data center it would be secure enough for other information. – KSS Aug 09 '10 at 13:15
  • I see. My answer above answers (in my opinion) the question you originally asked. The key difference between card details and other data is that you don't ever need to get the card details back, whereas with other data (I'm guessing SSN's, emails etc) you generally do. I would say the requirements are different. – PaulG Aug 09 '10 at 14:01
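The token flow PaulG describes (the merchant keeps only a token and uses it for authorization, while the PAN never leaves the PSP and there is no "give me the card back" call), as an added simulation that is not code from any of the providers named here. The `TokenVault` class stands in for the PSP, `Merchant` for the integrating site, and the test card number is a constructed example.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check (basic input sanity, not fraud detection)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Simulates the PSP side: the only place the PAN is ever held.
    Deliberately has no detokenize() for merchants, matching the answer above."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid PAN")
        # Token is random, not derived from the PAN (a hash of the PAN would be guessable).
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}   # last4 only, for display

    def authorize(self, token: str, amount_cents: int) -> dict:
        if token not in self._pan_by_token:
            return {"approved": False, "reason": "unknown token"}
        # The real PSP would send self._pan_by_token[token] to the card network here.
        return {"approved": amount_cents > 0, "token": token}


class Merchant:
    """Stores only the token and a display hint; the PAN never touches this side."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.cards = {}   # customer_id -> {"token": ..., "last4": ...}

    def save_card(self, customer_id: str, pan: str) -> dict:
        self.cards[customer_id] = self.vault.tokenize(pan)
        return self.cards[customer_id]

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.authorize(self.cards[customer_id]["token"], amount_cents)
```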

Since this post was made, there has been a third party tokenization service made available. Take a look at https://spreedly.com/. I'm in the market for a similar solution currently.


There are third party services like Spreedly that can help you. However the key point is that you can't see the raw card data. Once you do that (view it) you're in full PCI compliance scope, which removes a large part of the value proposition that you had in mind when using a third party service to do tokenization. Spreedly does have a PMD offering which will let you pass the raw CC data to a third party API you designate, so that may solve the problem.


What happened to PayPal? They are recognized globally, use them to your advantage. They have the SDKs to allow interaction with the PayPal processing server...

@KSS: ok, fair enough, but you would be removing the burden from yourself in terms of security, which would be offset by the cost of the additional fees: on one hand, additional fees, on the other, security issues governing storage of credit card processing....that's what PayPal does, sure the fees may be expensive but that would long-term save you the cost of security headaches and grief (which can run into thousands of USD, getting certified, security certificates, uptime, server costs etc)

t0mm13b
  • PayPal is not represented in my country; they use another bank to allow the withdrawal of funds, but this bank charges additional fees. So it makes PayPal an expensive option. – KSS Aug 09 '10 at 12:54