Reduce PCI Scope - Maximise Conversion - Whitepaper

Welcome Note

Realex Payments is a PCI DSS 3.2 compliant online payments service provider. We simplify Payment Card Industry Data Security Standard (PCI DSS) compliance for thousands of businesses, processing billions of pounds worth of payments each year.

Maintaining the security of our customers’ data is always our number one priority, which means PCI DSS compliance is the foundation of our business.

We’ve learned a lot over the years about achieving and maintaining PCI DSS compliance. And, with this whitepaper, we want to share our expertise to help you on your journey to compliance.

No matter how many payments you process, this whitepaper will help you to reduce the costs and complexity associated with PCI DSS compliance:

• If you complete an on-site audit for PCI DSS compliance, we will show you how you can reduce your PCI audit overheads by up to 70%

• If you complete a Self-Assessment Questionnaire, we’re going to show you how to reduce total PCI requirements by up to 96%, not to mention cost savings that can average between £10,000 and £100,000

Need proof? Well, you’ll hear from one of our customers, allpay, who have reduced their PCI overheads by 70% by moving to a Hosted Payment Solution.

Nick Peplow, Bill Payments Director at allpay, said: “Since partnering with Realex, we have increased our speed-to-market by 6 months, simplified our PCI auditing process, whilst we operate an online payments page that fully reflects our brand, with Realex’s extensive security features.”

Simplifying compliance doesn’t mean you have to lose control of the payments journey either. You can maximise conversion, your customers can make online payments seamlessly, and you can still minimise your PCI DSS obligations.

Let’s get started!

Colin Aherne

Table of Contents

Introduction

The Fundamentals of PCI DSS Compliance

Levels of PCI DSS Compliance

PCI DSS Compliance and Your Payment Service Provider

Reducing the PCI DSS Compliance Burden

Case Study: allpay LTD

Q&A - PCI DSS Compliance with Matej Saksida, Information Team Lead at Realex Payments

Conclusion

Introduction

Cybersecurity is a major issue for eCommerce businesses around the globe. Mishandling customer card data can have serious consequences for both businesses and consumers, including:

• Substantial fees and fines from the card schemes

• Damage to your brand, and the loss of customer confidence and trust

• A forensic examination that can cost tens of thousands of pounds

• Loss of revenue and resources spent trying to recover from the breach

• Additional costs replacing or upgrading your existing security systems

• Increased and ongoing scrutiny from the relevant authorities where breaches have occurred

• Ultimately, risk to the long term viability of your business

There are untold numbers of instances where hackers have managed to breach company networks and access customer details. Several high profile companies have been breached, and attackers are employing increasingly sophisticated approaches to gain access to valuable card data.

Consumers trust companies with their information but, when a breach occurs, this trust is damaged, often resulting in sharp drops in revenue which can be difficult to recover from. This represents a serious risk to the viability of your business – the National Cyber Security Alliance observed that 60% of small businesses who have suffered a data breach have closed within six months of the breach occurring.

Achieving and maintaining PCI DSS compliance can be a costly and complex process, but there are strategies which companies can employ to reduce their overheads.

The Fundamentals of PCI DSS Compliance

Why PCI DSS Compliance?

The objective of PCI DSS compliance is to secure cardholder data in order to minimise the risk of data breaches, and in turn reduce the risk of fraud. To achieve this, the PCI Security Standards Council – the body which creates and manages the PCI DSS rules and regulations – has set six goals for organisations who handle card data; these goals are broken down in turn into 12 requirements. Achieving compliance in practice means being able to demonstrate adherence to those goals and requirements, summarised in the table below.

Goals and Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Source: www.pcisecuritystandards.org/

FUNDAMENTALS OF PCI DSS COMPLIANCE

REDUCE PCI SCOPE WHILE MAXIMISING CONVERSION 6

The Current State of PCI DSS Compliance

The PCI DSS standards are revised on an ongoing basis to address evolving threats and vulnerabilities.

PCI DSS 3.0 – the last major revision of the standard – was introduced in 2013. When introduced, the scope of maintaining or achieving PCI DSS compliance increased by about 27% from the previous version (2.0). Since then, two minor revisions of the standard have been released – PCI DSS 3.1 in 2015, and PCI DSS 3.2 in 2016. These have introduced further changes to scope, focusing primarily on encryption standards.

While these additional changes are necessary, the constant revisions to the standard have made it difficult for merchants to keep up. Verizon’s PCI DSS Compliance Report (2015) found that only 20% of companies were fully compliant at interim assessment, and of these, only 28% were found to be fully compliant less than a year after validation.

Increasingly, merchants are looking for alternatives to shouldering the full burden of compliance. While it is important to note that all merchants, no matter how they accept payment card data, need to demonstrate their compliance, there are strategies which minimise compliance overheads.

Assessing & Enforcing PCI DSS Compliance

While the PCI Security Standards Council is responsible for setting out the guidelines for how merchants should achieve and demonstrate compliance, the degree of compliance required for any individual merchant is determined by the number of transactions they accept on cards carrying the brands of the card associations – Visa, Mastercard, American Express and others. Each of the card associations has its own standards.

PCI DSS compliance is usually enforced by scheme members – that is, card acquirers or merchant service providers, and card issuers – on behalf of the card schemes. If you’re unsure about any aspect of PCI DSS compliance as it applies to your business, we recommend that you speak with your merchant services provider or engage the services of a Qualified Security Assessor (QSA) to get advice.

For more information on the standards set by each of the individual card associations, please refer to the links below.

American Express: www.americanexpress.com/datasecurity

Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html

JCB International: http://www.jcbeurope.eu/business_partners/security/jcbprogram.html

MasterCard Worldwide: www.mastercard.com/sdp

Visa Inc.: www.visa.com/cisp

Visa Europe: www.visaeurope.com/ais

Levels of PCI DSS Compliance

Overview

When assessing compliance, two factors determine the perceived risk of data being compromised; these are:

• The number of payment card transactions processed by the organisation per annum

• The degree to which the organisation is exposed to sensitive payment card data when processing those payments

PCI Compliance Levels

The first factor determining the degree of compliance that a business must demonstrate is the volume of transactions processed per annum. In the table below, we’ve outlined the standards set by Visa.

Note: Different standards may apply if you accept higher volumes of MasterCard, American Express, or other cards issued by the major card associations.

Level 1

Merchant criteria: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.

Validation requirements:

• Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor or a qualified internal security resource

• Quarterly network scan by an Approved Scan Vendor (ASV)

• Attestation of Compliance form

Level 2

Merchant criteria: Merchants processing one million to six million Visa transactions annually via all channels.

Validation requirements:

• Annual Self-Assessment Questionnaire (SAQ)

• Quarterly network scan by ASV

• Attestation of Compliance form

Level 3

Merchant criteria: Merchants processing 20,000 to one million Visa e-commerce transactions annually.

Validation requirements:

• Use a service provider that has certified their PCI DSS compliance, OR

• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)

Level 4

Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.

Validation requirements:

• Use a service provider that has certified their PCI DSS compliance, OR

• Have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)

Source: Visa Inc.

Chart: compliance difficulty and type of assessment by level. Level 1: annual on-site assessment; Levels 2, 3 and 4: Self Assessment Questionnaire.

Level 1 eCommerce Businesses - Report on Compliance

Payment systems deployed by organisations that process more than 6 million transactions are usually complex. These Level 1 organisations are concerned with the transfer and storage of sensitive card details, which may increase the risk of vulnerabilities. To address those risks, Level 1 businesses need to adhere to a stringent set of requirements. This includes the creation of a Report on Compliance (ROC), which must be completed by a third-party Qualified Security Assessor (QSA). The ROC must provide extensive evidence of the organisation’s compliance under each of the 12 requirements (see “The Fundamentals of PCI DSS Compliance”, above).

However, the level of detail required depends on how the business accepts payment card data; different approaches require different levels of compliance, with fully outsourced solutions requiring the least evidence.

Level 2+ eCommerce Businesses - Self Assessment

Organisations that process fewer than 6 million transactions per year are deemed to represent a lower risk of exposure, and so the assessment of PCI DSS compliance is a less rigorous process. In many cases, organisations that qualify as Level 2, 3 or 4 for PCI DSS purposes can self-assess their compliance by completing a Self-Assessment Questionnaire (SAQ).

Which SAQ should I complete?

The self-assessment process is not meant to be a box-ticking exercise; it is important to remember that the ultimate goal of PCI DSS compliance is to ensure the security of cardholder data and to protect you against data breaches. It is strongly recommended that you consider each requirement set out by the appropriate SAQ carefully when attesting to your compliance. Generally speaking, if you’re not sure which SAQ you should complete, it is recommended that you engage the services of a Qualified Security Assessor to help you out.

The responsibility for ensuring compliance with the PCI DSS rests with your merchant services provider or acquiring bank. As such, organisations who self-assess PCI DSS compliance are usually required to submit their assessment to their provider to demonstrate their compliance.

Understanding the Self Assessment Questionnaires

When self-assessing compliance, eCommerce businesses will typically have to complete one of three Self-Assessment Questionnaires - SAQ A, SAQ A-EP or SAQ D. The SAQs are designed to demonstrate adherence to the goals and requirements of PCI DSS. The SAQ which applies is determined by the degree to which your organisation is exposed to sensitive payment card data when processing payments; in other words, the type of payment integration you use on your website. The more that your organisation or systems are exposed to sensitive card details, the more requirements you’ll need to address.

The requirements table further below shows the requirements you must address when completing each type of SAQ.

SAQ A

• 14 requirements

• 22 self-assessment questions

• Fully outsourced payment form to a PCI compliant provider

• Example: Hosted Payment Solution

• 4% of total PCI requirements in scope

SAQ A-EP

• 140 requirements

• 193 self-assessment questions

• Partially outsourced payment form to a PCI compliant provider

• Example: Direct Post

• 43% of total PCI requirements in scope

SAQ D

• 326 requirements

• 329 self-assessment questions

• Payments accepted directly on your website

• Example: API

• 100% of total PCI requirements in scope

Completing self-assessment is only an option for merchants who qualify for Level 2, 3 or 4 of PCI DSS compliance. For Level 1 merchants, a Report on Compliance must be prepared by a Qualified Security Assessor. However, similar standards apply depending on how you accept, transmit and store sensitive customer card data.

In the following sections, we discuss how the method of card acceptance influences the standards to which businesses must adhere.

Note: While we’ve focused on eCommerce businesses in this eBook, it is important to note that merchants who accept payments through a mix of different channels – such as via a point of sale device or over the phone – may have compliance requirements over and above those outlined here. Generally speaking, merchants need to demonstrate a level of compliance appropriate for the least secure channel of payment; if you’re unsure, we recommend that you engage the services of a Qualified Security Assessor to help you out.

Requirements to Demonstrate Compliance by SAQ

SAQ A:

• Review process documentation

• Interview employees

• Observe current configurations

• Examine all data sources for cardholder data

• Examine keys and certificates

• Examine anti-virus configuration

• Review audit trails and logs on system components

• Change control documentation

SAQ A-EP (all of the SAQ A items, plus):

• Secure software development training/policies

• Examination of audit logs & log settings

• Examination of time syncing technology & settings

• Quarterly external scans/pen tests

• Examine firewall and router configs

• Review password procedures

• Detailed incident response plan

SAQ D (all of the SAQ A and SAQ A-EP items, plus):

• Quarterly destruction of cardholder data no longer in use

• Examine mobile / employee owned devices

• Review documented risk mitigation & migration plan

• Review data retention and disposal policies

• Review physical access process incl. CCTV, visitor logs and ID badges

• Examine intrusion detection & intrusion prevention techniques

• Company-wide rollout of security awareness programme

PCI DSS Compliance & Your Payment Service Provider

How you accept payments and your type of compliance

If you’re a business accepting payments online, chances are that you use a third party payment service provider to process transactions on your behalf. Payment service providers tend to process transactions at volumes that require them to be Level 1 PCI DSS compliant. While it is not unheard of for a payment service provider to be breached, it is generally safe to assume that, where you’re using a mainstream, reputable service provider who can provide evidence of their compliance, any cardholder data you share with them will be handled securely.

However, using a PCI DSS compliant service provider doesn’t necessarily reduce the burden of compliance for your business; rather, it is how you use those services to accept, transmit and store card details which will determine the level of PCI DSS compliance that must be attained.

In this section, we look at three common use cases, discuss the risks and benefits of those scenarios, and identify the likely implications from a compliance perspective.

Use Case 1: Accepting Payments and Handling Card Details on Your Servers

Handling Card Details on Your Servers: SAQ D

Characteristics:

• You fully manage the transaction: card details are accepted on your own website

• Card details transit your servers

• Card details may be stored for later use

How it works:

1. Your website creates the payment page

2. Customer enters card data

3. You receive card data and send payment details to the payment service provider

4. The payment provider receives the card data and sends it to the payment system to be authorised

PCI DSS requirements: 100%

Most payment service providers provide access to an API which allows you to accept card details directly through your website. Under this model, your servers collect card details and submit them to your payment service provider. The card details transit your systems, and may be stored for future use. An API integration affords you the highest degree of control over the end-customer experience, as you retain full control of the look and feel of the payment page.

Benefits

Using an API allows you to create a payment flow which is customised exactly for your requirements, and allows you to retain the card data for future use.

Risks

Choosing an API integration means that in the event of a perimeter or firewall security breach, the impact of that breach is much greater, due to the nature of the data that you store. This means the scope of PCI DSS compliance significantly increases, which in turn increases the cost and complexity of maintaining compliance, for example, submitting quarterly network scans and penetration tests.

Furthermore, it may be difficult to detect where these breaches have occurred. There have been instances where hackers have retained access to compromised systems for periods of months or years, allowing them to steal a huge amount of customer data without detection.

Flow: merchant collects payment data → merchant receives payment data → payment service provider processes & authorises payment

Use Case 2: Accepting Payments on Your Website Through Direct Post

Direct post payment acceptance: SAQ A-EP

Characteristics:

• You partially manage the transaction; card details are collected by you but sent directly to the payment service provider for processing

• Card details never transit your servers

• Card details are not stored anywhere on your servers

How it works:

1. Your website creates the payment form in the customer’s browser

2. The payment data is delivered directly from your customer’s browser to the payment processor

3. The payment service provider receives the card data, processes the payment, and returns the response to you

PCI DSS requirements: 59%

One way to reduce your exposure to sensitive card details is to use a so-called “direct post” payment acceptance model. Under this model, your website renders the payment form in the customer’s browser and submits the collected card details directly from the browser to your payment service provider. The card details never transit your servers, reducing the number of systems which handle card details. This also affords you a greater degree of control over the end-customer experience, since you still retain control of the look and feel of the payment page.

SAQ A-EP was introduced as part of PCI DSS 3.0 in response to the introduction of direct post models. In essence, SAQ A-EP acknowledges that, while direct post implementations reduce exposure to such an extent that the more stringent requirements of SAQ D need not be applied, there are still significant risks in this approach. In particular, these implementations are more open to compromise by hackers and other malicious third parties than fully outsourced models, and where compromised, may be harder to detect. As a result, quarterly network scans and external penetration tests are still required.

Flow: merchant collects payment data → payment service provider receives payment data → payment service provider processes & authorises payment

Benefits

Direct post payment acceptance methods can integrate seamlessly with your existing website and they work with most web-based programming languages. Sensitive card details are never transmitted through your servers.

Risks

Whilst sensitive card data does bypass your web server, your systems still create and serve the payment form to the customer. So while the data goes direct to the payment gateway, there remains a risk, where your systems have been compromised, that hackers can steal data as it’s being entered by customers. Again, this kind of breach may be difficult to detect. As a result, quarterly network scans and external penetration tests are still required.

Note: It is not acceptable to store card details on your merchant server if you want to achieve SAQ A-EP compliance; any storage of card details automatically implies the need to complete SAQ D.

Use Case 3: Accepting Payments on Your Website Through a Fully Outsourced Solution

Fully Hosted Solutions: SAQ A

Characteristics:

• Your payment service provider completely manages the transaction: the simplest way to collect payment information securely, without handling customers’ card details

• Depending on the payment service provider, the payment page can be rendered in an iFrame within your website, a lightbox atop your website or a full-page redirect to a 3rd party

• You have no direct control of any element of the payment page

• Sensitive card details are never stored on your infrastructure

How it works:

1. You redirect your customer to the payment service provider; this may or may not involve a change of domain, depending on the payment service provider

2. Customer enters card details on a page hosted by the payment service provider

3. Payment service provider processes the payment

4. Result returned to your website

PCI DSS requirements: 4%

The most effective way to reduce your compliance overheads is to eliminate sensitive customer card details from your environment. This can be done by using a payment solution hosted by your payment service provider. Under a hosted payment model, your payment service provider provides a payment page which is securely connected to your website. This collects, submits and authorises payments on your behalf without the need to handle card details.

Benefits

Because the payment service provider controls all elements of the payment form, the risk of compromise is deemed to be particularly low. PCI DSS requirements are reduced to an absolute minimum, saving valuable time and resources.

Flow: payment service provider collects payment data → payment service provider receives payment data → payment service provider processes & authorises payment

Risks

Using outsourced solutions traditionally meant sacrificing control of the customer experience, a compromise that many eCommerce businesses were unwilling to make, since it might lead to lower conversion rates and ultimately less revenue.

Note: It is not acceptable to store card details on your servers if you want to achieve SAQ A compliance; any storage of card details automatically implies the need to complete SAQ D.
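The rules in this whitepaper (the Visa merchant levels, the SAQ A / A-EP / D mapping by integration type, the storage override in the note above and the least-secure-channel rule from the earlier note) gathered into one scope classifier, as an added Python example that is not Realex code; the thresholds and requirement counts are the paper's figures, and the Integration, Channel and Merchant types and the merchant records are constructed here for illustration.

```python
"""
PCI DSS scope classifier modelled on the whitepaper's tables (an added example,
not Realex code). Encodes the Visa merchant-level thresholds, the SAQ mapping by
integration type, and two overriding rules the paper states: any storage of card
data on merchant systems forces SAQ D, and a merchant with several channels is
assessed at its least secure channel. Requirement counts 14 / 140 / 326 are the
paper's figures. The types below are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum

TOTAL_REQUIREMENTS = 326  # SAQ D total, per the paper
REQUIREMENTS_IN_SCOPE = {"SAQ A": 14, "SAQ A-EP": 140, "SAQ D": 326}
# Ordering used for the "least secure channel" rule: later = more exposure.
SAQ_RANK = ["SAQ A", "SAQ A-EP", "SAQ D"]


class Integration(Enum):
    HOSTED = "hosted"            # PSP-hosted page: iFrame, lightbox or redirect
    DIRECT_POST = "direct_post"  # merchant serves the form, browser posts to PSP
    API = "api"                  # card data transits the merchant's servers


@dataclass(frozen=True)
class Channel:
    integration: Integration
    stores_card_data: bool = False  # any storage on merchant systems


@dataclass(frozen=True)
class Merchant:
    annual_txns: int             # Visa transactions per year, all channels
    ecommerce_txns: int          # Visa e-commerce transactions per year
    channels: tuple              # one or more Channel values
    global_level1: bool = False  # identified as Level 1 by any Visa region


def visa_level(annual_txns, ecommerce_txns, global_level1=False):
    """Merchant level per the Visa table in the paper."""
    if global_level1 or annual_txns > 6_000_000:
        return 1
    if annual_txns >= 1_000_000:
        return 2
    if ecommerce_txns >= 20_000:
        return 3
    return 4


def saq_for_channel(channel):
    """Which SAQ a single acceptance channel pulls the merchant into."""
    # Paper's rule: storing card details anywhere on your servers means SAQ D,
    # even when the details were collected by a hosted page or direct post.
    if channel.stores_card_data or channel.integration is Integration.API:
        return "SAQ D"
    if channel.integration is Integration.DIRECT_POST:
        return "SAQ A-EP"
    return "SAQ A"


def applicable_saq(channels):
    """Least secure channel wins: the SAQ with the most exposure applies."""
    return max((saq_for_channel(c) for c in channels), key=SAQ_RANK.index)


def scope_summary(saq):
    """Requirements in scope and the percentage reduction against SAQ D."""
    in_scope = REQUIREMENTS_IN_SCOPE[saq]
    pct = round(100 * in_scope / TOTAL_REQUIREMENTS)
    return {"saq": saq, "in_scope": in_scope,
            "percent_of_total": pct, "reduction": 100 - pct}


def assess(merchant):
    """Validation route and scope for a merchant, per the paper's tables."""
    level = visa_level(merchant.annual_txns, merchant.ecommerce_txns,
                       merchant.global_level1)
    saq = applicable_saq(merchant.channels)
    # Level 1 merchants validate with a QSA-led on-site audit and a Report on
    # Compliance; the SAQ column still indicates how much evidence is in scope.
    validation = "ROC" if level == 1 else saq
    # Levels 1 and 2 need quarterly ASV scans; SAQ A-EP and SAQ D also require
    # quarterly network scans regardless of level, per the paper.
    quarterly_scan = level in (1, 2) or saq != "SAQ A"
    return {"level": level, "validation": validation,
            "quarterly_scan": quarterly_scan, **scope_summary(saq)}


if __name__ == "__main__":
    # Constructed merchant: Level 3 by volume, hosted page plus a direct-post
    # channel, so the least secure channel (direct post) sets SAQ A-EP.
    shop = Merchant(300_000, 250_000,
                    (Channel(Integration.HOSTED), Channel(Integration.DIRECT_POST)))
    print(assess(shop))
```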

3 SAQs: Requirements At-a-Glance

Comparing the SAQ Options (326 total requirements)

• SAQ A: 14 requirements in scope (4% of the total), a 96% reduction

• SAQ A-EP: 140 requirements in scope (43% of the total), a 57% reduction

• SAQ D: 326 requirements in scope (100% of the total), 0% reduction

Reducing the number of requirements you need to complete is only part of the story. The chart below illustrates the estimated cost and time saving across the three SAQ options (source: Drupal Commerce):

3 SAQs: cost and time-saving at-a-glance

Chart: estimated time (hours, weeks, months) plotted against estimated cost (£100 to £1,500,000) for SAQ A, SAQ A-EP and SAQ D.

Reducing your PCI DSS Compliance Burden

PCI DSS Compliance alone isn’t enough

“Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach”

- Target Chairman, President and Chief Executive Officer Gregg Steinhafel.

Unfortunately, demonstrating compliance doesn’t guarantee security. Passing an audit means that your business is following industry best practices to protect against a data breach. However, as the example of Target shows, being compliant doesn’t necessarily protect against data breaches.

The simple truth is this – if you handle, transmit or store sensitive card details on your own systems, you open yourself to the possibility of compromise. Maintaining the security required to protect sensitive card details requires a significant investment of time and resources.

While there is no silver bullet to secure and protect against breaches, there are numerous ways to dramatically reduce your risk, and, in doing so, protect your company and your customers.

We’re going to examine some of the best (and most cost-effective) ways to limit your risk of a breach and reduce your PCI DSS compliance overheads.

3 Options to Reduce Your PCI Overhead by up to 96%

As a business accepting payment by card, achieving and maintaining PCI DSS compliance is mandatory. But there are many ways you can reduce your PCI DSS compliance obligations and costs, including:

• Network Segmentation – isolate the systems that process, store and transmit card data.

• Tokenising Stored Data – protect sensitive card data by replacing it with representative data which can’t be used by anyone other than your business.

• Moving to a Hosted Payment Solution – outsource to a Hosted Payment Solution and choose a provider that can deliver the flexibility you need to maximise conversion.

5 CHALLENGES FACING MERCHANTS

Network Segmentation to Reduce the Cost and Complexity of PCI DSS Compliance

What is network segmentation?If you accept card details directly, or store those card details for future use,

network segmentation is one of the simplest ways to reduce the scope of

your PCI DSS compliance and limit the risk to you and your customers of a

data breach.

The concept is a relatively straightforward one. Take, for example, a business

which operates a complex network configuration with multiple servers carrying

out different functions. By isolating those systems and servers which handle

sensitive customer card details from the rest of the network, the scope of your

PCI DSS audit can be significantly reduced.

Proper segmentation of a network minimises the level of access to sensitive

information and makes it difficult for a cyber attacker to gain access to your

most sensitive data.

What are the benefits? No network is 100% secure; there is always a risk of compromise. This is

particularly true of large, complex systems, where vulnerabilities can be harder

to detect and manage.

Network segmentation can provide effective controls to hinder network

intrusion and to limit penetration of your network should malicious actors

breach initial barriers.

Network segmentation can significantly reduce the scope of a PCI audit by

demonstrating that cardholder data is isolated in a secure segmented location

(the Cardholder Data Environment, or CDE), so that only that segment needs

to be audited.

The value of segmentation is substantial, with significant reductions in the cost

and complexity of demonstrating compliance achievable in the following areas:

• Cost of audit: If the number of systems in scope for your PCI audit is reduced, then the complexity and thus cost of the audit will be similarly reduced.

• Resources spent securing the segment: Less effort is required to develop and maintain security policies to protect the segment.

• Forensic effort: Should a security breach occur, it is easier to pinpoint where the breach happened.

NOTE: While network segmentation can reduce the scope and cost of your PCI DSS audit, businesses who accept or store card details on their own systems must still demonstrate compliance to the highest degree, e.g. SAQ D. If you want to minimise your compliance overheads, it is generally recommended that you outsource card acceptance and storage entirely.

What's needed for network segmentation?

Many different technologies can be used to segment networks, but when isolating cardholder data for PCI DSS purposes, there are some considerations to factor in:

• Create policies for security-based segments: Segmentation alone isn't enough if specific security policies aren't applied to the segment. To be compliant with PCI DSS, a firewall should be used to protect the segment, and policies should then be created around user access.

• Provide proof that policies are in place: You need to be able to show that you have policies in place to protect cardholder data. Auditors will also need to be given access to tools that can show who has access and which demonstrate that policies are being followed closely.

Correct segmentation can be a cost and resource saving practice as well as an added layer of security protecting you and your customers.

The massive data breach at Target is an example of what can go wrong if policies and procedures pertaining to segmentation aren't followed; their 2014 breach was carried out by hackers who broke into their network using login credentials stolen from a heating, ventilation and air conditioning company which worked for Target at a number of locations.
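The scope reduction this section describes, as an added example that is not from the whitepaper: a small Python check that counts the systems an assessor would treat as in scope on a flat network and again after a firewall allow-list is applied. Host names, roles and rules are constructed, and pulling connected-to systems into scope transitively is a conservative simplifying assumption of this example.

```python
"""Added example, not from the whitepaper: estimate how many systems fall into
PCI DSS audit scope before and after segmentation. Hosts, roles and firewall
rules are constructed; the scoping rule is a conservative simplification."""
from collections import deque

# Constructed inventory: True means the host stores, processes or transmits
# cardholder data, i.e. it belongs in the Cardholder Data Environment (CDE).
HOSTS = {
    "payment-app": True,
    "card-db": True,
    "web-shop": False,
    "hr-system": False,
    "hvac-controller": False,
    "jump-host": False,
}

# Constructed firewall allow-list after segmentation: (source, destination).
# Only the shop front end and a jump host may open connections into the CDE.
SEGMENTED_FLOWS = {
    ("web-shop", "payment-app"),
    ("jump-host", "payment-app"),
    ("payment-app", "card-db"),
    ("web-shop", "hr-system"),
    ("hvac-controller", "hr-system"),
}

def flat_network(hosts):
    """A flat network with no segmentation: every host can reach every other."""
    return {(a, b) for a in hosts for b in hosts if a != b}

def in_scope(hosts, allowed_flows):
    """Hosts an assessor would treat as in scope.

    CDE hosts are always in scope. A non-CDE host is also pulled into scope if
    it can open a connection to an in-scope host (a 'connected-to' system), as
    it could be a stepping stone into the CDE. Treating this transitively is a
    conservative assumption made for this example.
    """
    cde = {h for h, handles_chd in hosts.items() if handles_chd}
    inbound = {h: set() for h in hosts}          # destination -> sources
    for src, dst in allowed_flows:
        inbound[dst].add(src)
    scope, queue = set(cde), deque(cde)
    while queue:
        for src in inbound[queue.popleft()]:
            if src not in scope:
                scope.add(src)
                queue.append(src)
    return scope

def scope_reduction(hosts, flows):
    """(systems in scope on a flat network, systems in scope after segmentation)"""
    return len(in_scope(hosts, flat_network(hosts))), len(in_scope(hosts, flows))

if __name__ == "__main__":
    print("flat vs segmented:", scope_reduction(HOSTS, SEGMENTED_FLOWS))   # (6, 4)
    print("still in scope:", sorted(in_scope(HOSTS, SEGMENTED_FLOWS)))
```

On the flat network the HVAC controller is in scope because it can reach the payment application directly; after segmentation it can only reach the HR system and drops out of scope.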

Tokenisation

Storing Card Data with Tokenisation of Sensitive Data to Reduce PCI Requirements

(Figure caption: extract card details for the customer and card references from the vault and submit for auth.)

What is Tokenisation?

The PCI Security Standard recommends that Card Holder Data is not stored unless absolutely required, and even then, only if the benefits outweigh the risk of compromise. If you store cards for future use, you will always need to attest compliance to the highest levels (SAQ D), increasing the cost and complexity of achieving and maintaining compliance.

How does tokenisation work?

Card tokenisation represents a viable way of keeping customer card data on file without increasing the risks of compromise and without adding unnecessary compliance overheads. Tokenisation replaces sensitive customer card details with non-sensitive representative data (a token) which can be used to process transactions as if you had the card details on file.

You can use tokenisation to retain the flexibility to take future payments while achieving the lower levels of PCI DSS compliance overheads associated with SAQ A and SAQ A-EP.

(Figure: tokenised payment flow. Request fields: Customer Reference, Card Reference, Amount, Currency, Sub-Account. Vault record: masked card 517011xxxxxx0968, expiry MM/YY, Cardholder Name, Card Type. Response fields: Result, Card Type.)

NOTE: While tokenisation reduces the burden of PCI DSS Compliance associated with storing card details, the method of card acceptance is still a strong determining factor of the level of compliance required. Merchants who use tokenisation, but who handle the card details directly at the point of acceptance, will still need to attest to the higher level of compliance associated with SAQ D.

What are the benefits?

You will use the token to process payments and so do not need to store the customer's information, reducing the liability to your business. Additionally, tokenisation outsources the burden of storing cardholder data to a third party, reducing the costs involved with maintaining PCI DSS Compliance.

Compromised tokens are effectively useless to hackers, reducing the risk of fraud arising from data breaches, and making businesses that employ tokenisation less attractive as a target.

With tokenisation, you can implement one-click checkout solutions and subscription business models easily, increasing customer conversion for returning customers and reducing the churn associated with recurring payments.

What's needed for tokenisation?

There are a number of different approaches to tokenisation which you can employ. By far the most common method is to exchange sensitive customer card details for a token provided by your PSP. You can then use the token, rather than the card details, to take a payment.

Approaches to tokenisation are evolving and the card associations (Visa and MasterCard) are providing token provision services which allow you to exchange card details for a token issued by the association itself.

These tokens are effectively indistinguishable from standard card details, and so can be used across payment service providers and merchant service providers. However, they can also be limited to specific use cases to create an added layer of security. Emerging mobile payment methods Apple Pay and Android Pay use this approach to secure customer card details.

However, at the time of writing, this approach has not been well established for merchants seeking to store card details; standard payment service provider tokenisation will meet the needs of most businesses.
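The PSP token exchange described above, as an added example (not the whitepaper's or Realex Payments' code): a toy vault that issues random card references, a merchant store that keeps only the reference and a masked PAN, and a later payment taken with Customer Reference and Card Reference alone, as in the figure. All merchant, customer and card values are constructed, and the scheme lookup is a deliberately simplified illustration.

```python
"""Added example, not the whitepaper's or Realex Payments' code: a toy model of
PSP-side card tokenisation. The vault sits in the PSP's environment; the
merchant keeps only a card reference plus a masked PAN. All values constructed."""
import secrets

def mask_pan(pan):
    """Mask a PAN to at most the first six and last four digits (the
    517011xxxxxx0968 form shown in the whitepaper's figure)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]

def card_type(pan):
    """Simplified scheme lookup by leading digits (illustrative, not exhaustive)."""
    if pan.startswith("4"):
        return "Visa"
    if "51" <= pan[:2] <= "55":
        return "MasterCard"
    return "Unknown"

class PspVault:
    """Runs inside the PSP's CDE: the only place the full PAN is ever held."""
    def __init__(self):
        self._cards = {}   # (merchant_id, card_ref) -> stored card details

    def tokenise(self, merchant_id, customer_ref, pan, expiry, name):
        # The card reference is random, so it has no mathematical relation to
        # the PAN: a leaked reference cannot be turned back into card details.
        card_ref = secrets.token_urlsafe(16)
        self._cards[(merchant_id, card_ref)] = {
            "customer_ref": customer_ref, "pan": pan, "expiry": expiry, "name": name}
        # Only non-sensitive data is returned to the merchant.
        return {"card_ref": card_ref, "masked_pan": mask_pan(pan), "expiry": expiry}

    def authorise(self, merchant_id, customer_ref, card_ref, amount, currency):
        """Look up the real card for this merchant's reference and submit it."""
        card = self._cards.get((merchant_id, card_ref))
        if card is None or card["customer_ref"] != customer_ref:
            # A reference issued to another merchant or customer is worthless here.
            return {"result": "declined", "reason": "unknown card reference"}
        # A real PSP would now send the PAN to the acquirer for authorisation.
        return {"result": "approved", "card_type": card_type(card["pan"]),
                "amount": amount, "currency": currency}

class MerchantStore:
    """What the merchant keeps on file: never the PAN."""
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault, self.cards = merchant_id, vault, {}

    def save_card(self, customer_ref, pan, expiry, name):
        """Exchange card details for a PSP token once; store only the token."""
        tok = self.vault.tokenise(self.merchant_id, customer_ref, pan, expiry, name)
        self.cards[(customer_ref, tok["card_ref"])] = {
            "masked_pan": tok["masked_pan"], "expiry": tok["expiry"]}
        return tok["card_ref"]

    def pay(self, customer_ref, card_ref, amount, currency):
        """Take a later payment using Customer Reference + Card Reference only."""
        return self.vault.authorise(self.merchant_id, customer_ref, card_ref, amount, currency)
```

Because the reference is bound to the merchant account that requested it, a reference copied out of one merchant's database is declined when presented by another.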


Hosted Payment Solutions

What is a Hosted Payment Solution?

Hosted solutions combine hosted payment forms provided by the PSP with tokenisation solutions to ensure that your business retains full control of the payment lifecycle without ever having to handle sensitive customer card details.

Rather than accepting card details on your website, the customer uses a payment form hosted by your Payment Service Provider to enter their card details, with the result of the transaction returned to your system. Additionally, card details can be tokenised at the point of acceptance to allow you to accept future payments.

What are the benefits?

The best way for a business to reduce the cost and complexity of PCI DSS compliance is to fully outsource all acceptance, transmission and storage of customer card details to a Level 1 compliant Payment Service Provider.

Businesses who fully outsource their payment acceptance and storage solutions can achieve SAQ A PCI DSS compliance, which puts most of the requirements of PCI DSS compliance out of scope. The risk of compromise is all but eliminated, since no card data ever transits your systems. This, in turn, reduces the risk to your business.

As the complexity of PCI DSS compliance increases with every new iteration of the standard, more and more eCommerce businesses of all sizes are choosing to outsource their payment processing systems, choosing a Hosted Payments Solution over an in-house API-based or direct post integration.

What's needed for a Hosted Payment Solution?

Implementing a Hosted Payment Solution is often seen as a balancing act. On one hand, hosted solutions can minimise the risks (and costs) associated with handling sensitive card data. On the other, they are typically associated with a reduced level of control of the online payments journey, along with the risk of lower conversion.

eCommerce businesses have to weigh up the cost of PCI DSS compliance against the potential loss of control of the payments journey before making a decision on which payments solution to choose.

Most payment providers now offer some kind of hosted solution. It is worth seeking out a payment provider that can demonstrate a focus on UX, customer conversion, and customisation of the payment page, as well as delivering flexible integration options which can be adapted to your preferred customer journey.


Choosing a Hosted Payment Solution With Realex Payments

Realex Payments' Hosted Payment Solution delivers complete control of the end-to-end payment experience on your website, without the associated PCI DSS compliance costs.

Accepting online payments has never been easier, with a choice of PCI DSS compliant integration methods that each deliver a seamless, customisable payment experience to maximise conversion, across any device. Our payments technology is secure and reliable with 99.99% uptime and dedicated support around the clock.

3 Benefits of our Hosted Payment Solution

1. LESS COMPLIANCE COSTS, MORE CONTROL

Realex Payments' Hosted Payment Solution enables you to retain total control of the payment experience on your website, without the associated PCI DSS compliance costs.

- Customise your payment page: You can easily customise your payment page by modifying the HTML or CSS to reflect the look and feel of your website, delivering a consistent customer experience while maximising conversion.

- Store cards in a secure environment: We take care of your online payments completely within our PCI DSS v3.2 compliant environment, so you don't need to handle, transmit or store sensitive card details, minimising your PCI DSS obligations and expenditure.


- Control your online payments: We provide the tools you need for transparent reporting in real time to help you to reconcile transactions, with the ability to search, void and refund your transactions easily.

2. SIMPLE INTEGRATION

Integrating with Realex Payments' Hosted Payment Solution is simple and your dedicated account manager will help you every step of the way.

- Integrate easily with 3 hosted checkout options: You can embed the Hosted Payments Page in an iFrame within your website, overlay a lightbox, or redirect your customers to a dedicated payment page.

- Reduce development costs: Regardless of which option you choose, we maintain a suite of SDKs, quick guides and shopping cart integrations, which vastly reduces development times and costs.

- Easily integrate additional beneficial services: Choosing Realex Payments' Hosted Payment Solution opens up the opportunity to add a broader range of services with little or no integration work. These include Card Storage, Fraud Management, Dynamic Currency Conversion and Alternative Payment Methods.

3. MAXIMISE CONVERSION

Our Hosted Payment Solution delivers a payment page that is designed to maximise conversion through best practice techniques.

- Accept payments across every device: We deliver a payments page that adapts to any device so your customers flow easily through the buying process, on desktop, mobile or tablet.

- Create a smooth user experience: The Hosted Payment Page is fitted with helpful prompts on your payment page, such as automatic card type identification and real-time form validation, to maximise conversion.


- Enable customers to store cards: We help to strengthen customer retention by offering your customers the option to securely store their card details on your Hosted Payment Page, delivering a one click checkout experience for returning customers. Customers can add, edit or delete their own cards, with details stored within our PCI DSS v3.2 Level 1 compliant environment.

- Reach international customers with ease: As you scale locally and globally, we help you sell beyond borders with a checkout that adapts to 15+ languages, along with Multi-currency and Dynamic Currency Conversion (DCC) to reach new markets.

- Access our payment innovations instantly: Our in-house user experience team continually enhances the Hosted Payment Solution with new innovations that optimise your conversion rates for both one-off and repeat customers.


PROCESSING £1 BILLION ONLINE EVERY YEAR

ALLPAY

When you’re a Level 1 PCI Merchant like allpay, compliance and audit costs can easily surpass 100,000 a year. allpay chose to outsource their payment page to Realex Payments to simplify their PCI DSS compliance and secure customer data, while retaining complete ownership of the online payment experience.

OVERVIEW: OFFERING THE WIDEST RANGE OF BILL PAYMENT SOLUTIONS, ACROSS EVERY DEVICE

allpay is one of the world’s largest payments specialists, providing bill payment services to 750 public and private sector organisations.

allpay collects over £6 billion a year and processes in excess of 55 million transactions through a diverse range of payment collection solutions designed to meet their customers’ needs.


CASE STUDY: ALLPAY LTD


THE CHALLENGE: INCREASING PCI COSTS AND CHANGING ONLINE PAYMENT TRENDS

In recent years, allpay has experienced strong growth in the number of customers paying through mobile and digital channels, with online payments now representing almost £1 billion of payments annually.

During a period of significant growth for the business, it became clear that it was no longer feasible to retain their in-house payment system. Keeping up with fast-changing payment trends was costly to maintain. Meeting Level 1 PCI DSS requirements was also costly for allpay, with onsite audits taking 5 days, along with high associated technology and licensing costs. As a result, allpay decided to look externally for a solution.

THE SOLUTION: A HIGHLY SECURE, PCI DSS COMPLIANT PAYMENTS SOLUTION WITH REALEX PAYMENTS

allpay chose a Hosted Payment Solution from Realex Payments. This payments solution removes allpay's need to handle, transmit or store sensitive cardholder data. This maintains the security of sensitive data and also simplifies PCI DSS requirements. The migration from their in-house payments to the Hosted Payment Solution was seamless, with virtually no impact on allpay's clients or staff.

James Bolton, Product Manager for Card Acceptance at allpay, says, “Realex provided a high level of support throughout our migration as well as accurate documentation allowing our developers to work efficiently.”

Realex Payments provides allpay with a completely customised hosted payment page, delivering a seamless checkout experience for their end customers, across desktop and mobile devices. In addition, the solution offers a comprehensive suite of transaction reporting, full access to the best fraud user experience in the market and subscription payments functionality to help allpay to schedule payments so as to maximise repeat revenue.

THE OUTCOME: 70% LESS PCI AUDIT TIME AND IMPROVED SPEED-TO-MARKET BY UNDER 6 MONTHS

For allpay, one of the main benefits of moving to a Hosted Payment Solution with Realex Payments has been to simplify PCI compliance.

James Bolton notes, “We are still classed as a PSP Level 1 provider, however our onsite audit was greatly reduced with our QSA completing the work needed within 1.5 days – a 70% reduction from what it took before, because we don’t see or store any Personal Account Numbers (PANs) through our system, which has saved us time and money.”

“These weren’t the only costs we saved; we have been able to reduce licence fees in the high end of 5 figures, whilst also reducing the amount of development and maintenance work that we would have to do with every iteration of PCI DSS. This also means our IT Operations team can focus on deployment of new products as opposed to updating PCI DSS compliant servers / systems,” comments Bolton.

Realex Payments now processes almost half a million transactions on behalf of allpay and expects this to increase considerably. Since coming on board, allpay has released a payments scheduler to support subscription payments. Launching the payments scheduler as part of Realex Payments’ solution has increased allpay’s speed to market by five to six months, and reduced launch costs significantly.

Nick Peplow, Bill Payments Director at allpay, concludes, “Since partnering with Realex Payments, we have simplified our auditing process dramatically, saving us valuable time. We now operate an online payments page that fully reflects our brand, reassuring our customers, whilst still benefiting from the extensive security features of Realex Payments’ solution.”

Conclusion

PCI DSS compliance is costly, but there are ways to reduce your scope. By implementing key changes to your technology (such as tokenisation and network segmentation), you can save time and money, as well as reducing your liability as a business in the event of a breach.

If you currently process payments in-house, through API or Direct Post, you can save a significant amount of money every year by outsourcing your payments page to a PCI DSS compliant payment service provider.

Perhaps your decision to keep control of your payments page was made some years ago, when the only option was to redirect your customers to a third party webpage.

Technology has changed.

Today, you can have a fully customisable payment page, embedded within your site through an iframe, and you can reduce your PCI in-scope requirements by 96%. Even if you are a Level 1 eCommerce provider and need to do an onsite audit, you can still reduce audit time and costs by up to 70%.

Let us talk you through how you can simplify your PCI DSS requirements. Every Account Manager at Realex Payments receives the latest PCI DSS compliance training. Get in touch and let us talk you through your options.

Contact us or visit www.realexpayments.com for more information on how you can outsource your PCI overheads.