White Paper - Integrated Payment Processing & … (P2PE and Tokenization)

 


P2PE and Tokenization Reduce PCI Scope and Protect Cardholder Data

Many merchants have achieved and subsequently maintained PCI compliance by relying upon segmentation of their payment network. When this is the primary method used to limit PCI scope, the fight to protect cardholder data never ends. It is a constant, pitched battle that consumes expensive IT resources. This white paper compares network segmentation with the option of point-to-point encryption (P2PE) coupled with a hosted tokenization service provider.

Merchants who segment their payment network are building perimeter protection around their valuable cardholder data. Like the Great Wall of China, this strategy is expensive and fraught with risk. A weakness at any point around the perimeter, or any internal threat, will compromise this security, forcing the merchant to continually invest significant funds in maintaining these perimeter defenses. Only by making this investment can the merchant adhere to PCI and other security standards. When valuable data is protected but not eliminated, the merchant remains a target for cyber criminals and internal threats.

However, options now exist that remove this valuable data as a target, thereby eliminating the risk and greatly reducing the cost of achieving security and maintaining PCI compliance. The proper Point-to-Point Encryption (P2PE) solution combined with world-class tokenization can make truly secure payments a reality for merchants by eliminating cardholder data-at-rest and data-in-transit. This in turn removes the merchant’s payment network as a target and significantly reduces the majority of a merchant’s PCI burden.

To provide a complete answer to these security challenges, Paymetric, a leading technology solution provider and Tier 1 Payment Service Provider, offers a comprehensive P2PE and tokenization solution backed by industry experts with over 25 years of payment security experience. Before discussing the benefits of Paymetric’s P2PE and Tokenization services, it is important to define cardholder data and PCI scope. Understanding these points is critical to limiting a merchant’s risk.

Cardholder Data

What data elements constitute cardholder data and what makes it so valuable to thieves? Knowing the distinction between what is and what is not cardholder data is an important point that informs a merchant’s evaluation of payment solutions.

Cardholder data, as defined by the card brands and PCI Security Standards Council (PCI SSC), includes:


- Cardholder data elements are only considered sensitive when transmitted or stored in connection with the Primary Account Number (PAN). Once the PAN is tokenized, all other elements of cardholder data are no longer relevant to PCI scope. Please keep in mind that the Sensitive Authentication Data (SAD) elements listed above have separate handling rules. These rules are all adhered to by Paymetric’s payment services.

- Cardholder data in its raw, readable form (PAN) is very valuable to cyber thieves. They can sell this information repeatedly over the dark web or use it to perform their own criminal activity. Once a raw 16-digit PAN is entered via the keyboard or other entry device, that PC and subnet are in scope for PCI compliance. This PAN also exposes all network elements and computers on the network until a PCI-compliant firewall provides segmentation.

- Eliminate cardholder data in all its forms and you remove the value, rendering a cyber attack unprofitable. In doing so, a merchant reduces PCI scope and removes itself from the constant threat of being the target of these cyber attacks. Let’s briefly review how cardholder data exists and is protected within the traditional payment network segmentation model.

Traditional Cardholder Data Protection - Payment Network Segmentation

Until recently, security providers advised merchants to protect cardholder data by segmenting their payment systems from other parts of their technology environment using perimeter security controls in an effort to reduce PCI scope. Implementing a network segmentation design means segmenting a merchant’s payment devices and servers that handle cardholder data from all other network components. Other network components may include email servers, web servers, application servers, database servers, EDI hubs, etc.

Payment network segmentation serves two purposes: 1) limiting internal and external access to cardholder data, and 2) minimizing PCI scope, thereby reducing the IT network segments, servers, computers and programs that must be certified.

Most segmented network architectures include specific hardware, software and maintenance designated for each segment. The Call Center, Service Center or POS network segment must also meet the PCI DSS requirements. For instance, each segment may include a dedicated PCI-compliant firewall, dedicated lines, and separate access controls, combined with the supporting services of file integrity checking, patch management, secure coding, anti-virus checking, audit logging and storage, vulnerability scans, penetration testing (web servers), secured offsite backup, etc. In addition, the merchant must address compliance using the same ~300 questions on the PCI Self-Assessment Questionnaire that they would have had to address using no segmentation at all. The price tag and duplication of effort add up quickly.

In addition to these costs, another downside to network segmentation is that it does not change the readability of, or reduce the amount of, cardholder data. This design leaves an ever-growing and highly desirable cache of cardholder data for cyber thieves. The same amount of cardholder data exists in the network segmentation model as if no segmentation were used, yielding little change to the risk and liability associated with protecting cardholder data. According to the Privacy Rights Clearinghouse, a merchant’s liability for a breach is between $180 and $1,000 per account number that is lost, yielding a potential liability of $135,000 to over $600M in remediation costs, which can easily double in total cost once loss of brand value is included.

Although the disadvantages of payment network segmentation can be significant, this approach does have its advantages:

1. Restricts access to cardholder data
2. Limits PCI scope to the network segments with access to cardholder data
3. May reduce PCI audit costs (compared to no network segmentation)

We recommend merchants compare the advantages and disadvantages of a network segmentation design with Paymetric’s P2PE Tokenization solution.

Point-to-Point Encryption (P2PE) with Tokenization

P2PE encrypts cardholder data from the point of entry using a card entry terminal and transmits this encrypted data to a point of secure decryption outside of the merchant’s environment. In a P2PE environment, cardholder data is never entered into a computer or placed on a merchant network in the clear. The confidentiality and integrity of all data-in-transit is maintained since the merchant does not have the cryptographic key to access the raw cardholder data.

The P2PE protocol directly addresses the risk of unauthorized interception of cardholder data-in-transit such as the entry of payment data in a call center, mobile platform or point-of-sale. P2PE does not address data-at-rest (stored cardholder data) in files, databases, ERP, legacy or other systems. Tokenization is intended to address the risk of unauthorized access associated with such stored cardholder data. The combination of Paymetric’s P2PE and XiSecure tokenization creates a comprehensive and powerful solution for merchant payment processing and customer data protection.

As illustrated below, the call center agent encrypts the cardholder data using a PCI certified credit card terminal and the merchant does not have access to the decryption keys. The data is deemed ‘unreadable’ to the merchant and does not create PCI exposure once it leaves the card terminal. Once the token is securely returned to the merchant, all payment functions are easily performed: authorization, refund, cancelation, settlement, reconciliation and reporting.

The PCI requirements only apply to the areas of a merchant’s environment that store, process and/or transmit raw cardholder data. When a merchant uses a P2PE solution, the PIN pad encrypts the card data at swipe (for card-present payments) or key entry (for card-not-present payments). The merchant has no access to the keys required to decrypt the data, thereby rendering the data inaccessible to the merchant. This means that a merchant’s PCI-related scope and costs are reduced incrementally. Specifically, the PCI DSS requirements are reduced from the full 12 categories to only categories 1, 9 and 12 being directly applicable to the merchant’s environment.

P2PE Tokenization Selection Criteria

The following selection criteria will help a merchant maximize their benefit when evaluating P2PE solutions.

Hosted Solution “Software-as-a-Service”

In order for a merchant to reduce their PCI scope, certification costs and liability, they must shift the responsibility to an outsourced payment services provider. The payment services provider handles transmission, processing and storage of cardholder data on behalf of the merchant. The merchant’s servers and databases are freed from cardholder data transmission, storage and resource-intensive encryption functions. This can create significant savings within the merchant’s environment.

In order to reduce PCI scope, costs and liability - without giving up card acceptance - the merchant must shift the responsibility to a secured payment hosting provider.

Hosted Tokenization

Merchants need payment transaction details stored in their systems. Tokenization removes cardholder data while ensuring merchants can still perform all payment functions. For example, merchants may need payment data to manage customer dispute resolution, recurring or subscription payments, card-on-file billing, targeted marketing and analytics. Tokenization substitutes unique, randomly generated values that reference cardholder data stored in the hosted token provider’s data center. This eliminates the need for merchants to store and protect actual cardholder data, leaving nothing of value for the cyber-thief to compromise.
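To make the tokenization model concrete, here is an added Python example (not Paymetric's XiSecure or XiPay code) of a hosted vault that issues one random token per account number, together with the scope check a merchant would run over stored records to confirm that, unlike the segmentation model described earlier, no Luhn-valid PAN remains at rest. The HostedTokenVault class, the PAN_RE pattern and the sample record strings are constructed for this illustration.

```python
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real account number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class HostedTokenVault:
    """Provider-side vault (constructed model, not Paymetric's XiSecure).

    The merchant only ever receives the token; the PAN stays in the vault.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:        # one token per account number
            return self._pan_to_token[pan]
        while True:                            # random, not derived from the PAN
            token = "tok_" + secrets.token_urlsafe(12)
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Provider-only: used when forwarding a payment to the processor."""
        return self._token_to_pan[token]


# Digit runs of PAN length that are not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Scope check: return the Luhn-valid PANs found in a stored record."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]
```

Running find_pans over a merchant record that holds the raw PAN finds it, while the same record holding only the token finds nothing, which is the data-at-rest difference the paper describes.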

Card Terminal Devices

Legacy swipe or keyboard entry devices are seldom able to perform any encryption at card entry and instead transmit cardholder data in clear text. When implementing a P2PE solution, merchants need to ensure that their card entry terminal is DUKPT capable and is certified by the manufacturer as P2PE compliant. This will almost always require the purchase of new P2PE-capable card entry terminals, but it will remove the cardholder data from the associated IT networks and infrastructure.

Recommended Solution

Paymetric has a comprehensive suite of PCI certified solutions for payment acceptance, data security, reconciliation and others. Paymetric also provides a P2PE solution that is being certified under the PCI P2PE Hardware 2.0 specification. This advanced solution provides more security and efficiency when managing cardholder data than a traditional network segmentation model.

XiPay: Token-aware Processing Platform

Paymetric’s XiPay is a secure hosted payment processing platform that accepts tokens for all payment processes. It is a PCI DSS validated platform within Paymetric’s data centers. This hosted solution is a component of the product suite that forms the comprehensive point-to-point encryption solution. XiPay connects to many processors, payment types and currencies.

XiSecure: Tokenization Data Store & APIs

XiSecure Tokenization is Paymetric’s hosted and patented tokenization vault which satisfies a merchant’s need for hosted storage of payment data. The solution works by moving the actual cardholder data offsite to Paymetric’s facility. Paymetric’s servers create and return a unique token to the merchant that will always be a 1-to-1 representation of the account number. Using the token (which contains no cardholder data), merchants can authorize, cancel, refund and settle any payment request. Paymetric’s card tokenization solution is different from other implementations in that a token is produced per account number rather than per transaction. Combining XiSecure Tokenization with the hosted XiPay Processing Platform creates a powerful cardholder data protection tool while enabling merchants’ ongoing ability to process all payment requests.

Paymetric’s P2PE Tokenization

Paymetric’s hosted P2PE service is one of the most comprehensive P2PE tokenization solutions on the market today. This solution ensures sensitive cardholder data is protected from the point of cardholder data entry (data-in-transit) and returns a token to allow security during storage (data-at-rest). State-of-the-art point-of-entry devices encrypt both card-present and card-not-present data entry prior to performing a payment transaction. Even if the data is intercepted, it is useless to the cyber criminal as it is encrypted with a unique and unknown key and therefore has no value.

A merchant using Paymetric’s P2PE solution gains quantifiable benefits that address continuous cyber threats while optimizing business operations in an integrated process.

• Paymetric’s P2PE service is an advanced solution that limits the scope of a merchant’s PCI audit and shifts responsibility and the related liability to Paymetric as the hosted (SaaS) provider.

• The P2PE service provides a proven and effective encryption solution that allows merchants to reduce cardholder data transmission and storage as well as eliminate PCI scope from their networks and card entry desktops.

• This solution also enables the merchant to execute all payment workflows using only the token that is returned by the P2PE service. This reduces their liability and costs by eliminating network segments, servers and desktops from scope and allows the merchant more flexibility in network configuration, including the use of wireless networks and mobile solutions.

The payment industry is striving to reduce the quantity of cardholder data available to cyber criminals, along with the number of locations that this data is stored. Paymetric’s Payment Services and P2PE suite provides state of the art processing and data protection to address these issues.


Paymetric, Inc. is the global leader in integrated and secure electronic payment solutions for the enterprise to enable companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance and improve return on electronic payment acceptance. Paymetric is a recognized industry leader with award winning solutions and world class client service.
